Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates?

New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service."

Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.

Easy....

[GerryGilmore]

....don't buy it.

I've seen SO many people whining about MS' forced reboots, etc. STOP!
If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")

Re:Easy....

[Shikaku]

Linux is free. Updates only when told to. Doesn't have telemetrics by default. Never looked back except in VMs.

Re: Easy....

[fred6666]

How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.

I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.

Re:Easy....

[ShanghaiBill]

....don't buy it.

Not an option with a patented medical device.

demand that your vendor make a version that can be sensibly updated.

Right. Sure. Because companies with millions of customers always do a complete system redesign to satisfy "demands" from one whiner.

Re:Easy....

[Desler]

Not really. Many more people died without them and had less than half the life expectancy. I'm pretty sure a person who, for example, needs a patented medical device like a pacemaker just to stay alive won't be very impressed by your statement.

Re:Easy....

[ShanghaiBill]

Society got along just fine for thousands of years prior to the invention of said patented medical device.

1000 years ago people had half the life expectancy they do today, so I would not say everything was "just fine".

Do you really think it is okay to let people die so your network can be marginally more secure? This is why people roll their eyes at pedantic nerds.

Re:Easy....

[viperidaenz]

A pacemaker corrects irregular heart rhythms, that if left uncorrected may result in a heart attack, resulting in death. Hence a pacemaker can keep someone alive.

People who have pacemakers usually don't have them implanted for fun. They usually have them implanted as their other option is to die from heart failure.

Re: Easy....

[YukariHirai]

The issue isn't updates but people who don't apply updates at all.

This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems, so if the updates get applied without user intervention, problem solved. I don't think they're entirely wrong, but they went about implementing mandatory updates in a kind of brain dead way.

The forced updates of iOS have proven to be !ore secure than the fragmented updates of Android.

iOS doesn't have forced updates; it is always up to the user to decide to install updates or not, though Apple do a bit to encourage it. The difference between iOS and Android in terms of updates is that Apple as a matter of course rolls out security updates to every device currently supported (and they are supported for quite some time, contrary to the largely inaccurate stereotype of Apple devices getting thrown out and replaced annually) and new versions of iOS to basically all devices capable of running the new version. With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices. Many don't bother at all, many others do a couple of security updates and maybe a new version while the device in question is "current" before basically abandoning it. Even if a device is technically capable of running a new version, it's not usually an option to "go over the manufacturer's head" for updates; a build has to be tailored to the model in question, and while the wider open source community does offer some for some devices, it's very much a mixed bag of what's supported, how up-to-date it is, and even how trustworthy the third party is.

Don't connect it to the internet

[MpVpRb]

Many old tools are computer based

Some old CNC machines run on MS-DOS and a 286 processor

As long as the hardware stays alive, they continue to do the job

If they must be networked, restrict their access to the local net

Re:Don't connect it to the internet

[kwalker]

Not just the local net. Restrict their access to only trusted control devices on the local net. It may require putting insecure devices on a network segment that has strict access controls, but when the only other alternative is to discontinue a working device (In situations where that's possible), making a sandbox network isn't all THAT much work.

Re:Don't connect it to the internet

[MightyMartian]

This... so much this. Segregate these devices, limit access via VLANs and firewalls. Yes, it may mean only a handful of other devices and workstations can touch these older devices, but you need to reduce the attack surface as much as possible.

The manufacturer wants you to buy a new one

[Bruce+Perens]

I have a number of Rohde and Schwarz FSEB and FSEA spectrum analyzers. These cost at least $80,000 new (I bought them used for a few thousand at most). They come with an old version of windows. I similarly have other electronic test equipment with old Windows or even old Linux which the manufacturer doesn't update any longer. For the Linux-based ones I could hack in a new Linux and make it use the old ABI, forget about Windows.

But what really clued me in was that the Rohde and Schwarz equipment had a battery soldered on the CPU board, and it was an hour-and-a-half service to get to it. A lot of stuff had to be removed.

Similarly, my Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips. The batteries in these die and they aren't socketed. When the batteries die, the 'scopes lose their calibration. The company won't give you the program to recalibrate them.

The manufacturers just want you to buy new ones.

So, obviously I back SDR-based test equipment that's Open Source. Who needs a company that wants to screw you?

Re:The manufacturer wants you to buy a new one

[gordguide]

I'd never buy test equipment that requires a computer connected to be usable. Never, ever.
That's as bad as my flex radio that I never use for the same reason, garbage. Every time I sit down, I just turn on my old kenwood ts-430 instead.
If it's a self contained device that requires no network connection, maybe. If there are software updates, they need to be installable offline. Mostly analog is ideal though.

Sometimes "never" is not an option. One electronic test equipment that revolutionized the industry is the Audio Precision line of Distortion Analyzers. Virtually everyone involved in electronic design, testing or repair owns one, and they are almost hobbyist-priced (a new basic unit can be had for less than $US 10,000). The revolutionary part of AP analyzers is they connect to a PC to do the math.

Now, somewhat on topic, AP is very good at updating their SW interfaces and older machines can use modern versions of the WinOS. They also are not themselves normally required to be connected to outside networks, provided you use a dedicated PC on the bench and not one used for general computing. So much of the problems are solved using good management practices.

If you want to be anywhere near current, you need an AP. I don't own one; I send my stuff to another engineer who does to test, but he charges $200/Hr. He has the most advanced unit, somewhere near or north of $US 20K. Plus a Windows PC and a printer if you want output charts, of course. My Distortion Analyzer is adequate (Keithley, a unit of Tektronix, $US 6,000) but only measures to the fifth harmonic.

It is a standalone device, but unless you want to dig around for an old 70's~80's era machine from HP, Tek, Boonton, a Sound Technology 1700B, etc that pre-date the inexpensive computing power era, the norm these days is software / PC / Appropriate Sound Card for low cost measurement. So now you need, again, a dedicated PC and most hobbyists use the same machine for general computing. But the cost is *way* lower than a standalone machine or an AP.

If you fudge the numbers, it comes down to a classic standalone machine (they still sell for almost four figures and sometimes a couple of thousand) or software like ARTA and a good sound card, maybe $400 worth of stuff total in addition to a basic working PC of some kind. You can fight with your wallet or just give up and go PC-enabled.

Easy, just leave them be.

[CptLoRes]

Most dedicated systems like this does not belong on the internet, period. So unless there is some flaw or feature need, don't update and it will still work exactly as it did yesterday. And the day before, and the day before that.

Exactly. Least privilege. Wireshark if needed

[raymorris]

A basic principle of security is least privilege. If a piece of outdated equipment needs to send udp packets on port 411 to a monitoring station, you set the firewall to allow it to send udp on port 411 to that particular station, and nothing else. If it doesn't need to take to web servers, you don't let it talk to web servers. You allow it to do only exactly what it needs to do.

Not sure what your equipment needs to do? You could check the manual, and otherwise open up Wireshark and set the filter to the IP of the equipment. Have a look at what it is sending and receiving. Then set the firewall to allow only exactly what is needed.

This is also an area where vlans come in very handy. Vlans act like completely separate networks, but they are configured within your switch, so a single 48-port switch can handle a dozen different, totally separate vlans.

Perhaps different parts of your network should be mostly separate, but you need to allow a little bit of specific communication between two vlans. That's when you plug a router or firewall into both vlans and set it to route only specifically allowed traffic between them. This doesn't even require two network ports - the same port can be in multiple vlans and the router can control traffic between vlans issuing a single cat6 cable. This is called "router on a stick".

If some of this went over your head, here's the simple version'
Call someone who has a CCNA Security certification or better (CCNP Security or CCIE Security). Tell them you're thinking about segregating different vlans and using an internal firewall to strictly control internal traffic. They'll get you set up.

I love the FOSS community's cluelessness.

I use Slackware, along BSD, financially support projects that I use, and have followed the Linux community since Linus was still in college. It always amazes me how clueless the FOSS community is regarding issues such as this.

Just use Linux...
That's your fault for using M$..
etc.

For regulated systems, especially in pharma manufacturing, you are told what to use, how to use it, when to upgrade it, how to upgrade it, etc. Basically, once the system is certified by the FDA - you don't touch it - PERIOD. You purchase enough compute/control systems when you install it to last you through your production, which could be - 10, 15, 20+ years.

There is no, well, just upgrade to x - it's not allowed.

Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!

Do you really want to apply patches to a system such as this? Doesn't matter that they are 'network', or 'mouse driver', or 'display' - the risk is WAY TOO GREAT to jack around with them.

Keep in mind that 'upgrades' require a new certification of that system, or depending on what it does, the entire production chain - which could run you a couple 10's of millions dollars.

So, before starting the typical FOSS rant, please have a clue of what you are talking about, first.

They buy it because it's

[raymorris]

They buy it because it's better. It's better than Windows Phone (the first, second, theirs, and fourth attempts), it's better than Symbian, it's better than everything else people have tried. Why is it better? Linux is or reason it's better. Even Microsoft is using more and more Linux now. Is that because Microsoft has a religious zealotry for Linux? No, it's because Linux is better. Better than eating their own dog food.

>> Legacy software forcing people into Windows nowadays.
> Yeah, more than a billion people.

Yeah, legacy software has a LOT of people (companies, really) still stuck on Windows. Your point is?