Slashdot Mirror


Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)

New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service.

Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.

6 of 233 comments

  1. Easy.... by GerryGilmore · Score: 5, Insightful

    ....don't buy it.

    I've seen SO many people whining about MS' forced reboots, etc. STOP!
    If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")

    1. Re:Easy.... by Shikaku · Score: 5, Insightful

      Linux is free. Updates only when told to. Doesn't have telemetrics by default. Never looked back except in VMs.

    2. Re:Easy.... by ShanghaiBill · Score: 5, Insightful

      ....don't buy it.

      Not an option with a patented medical device.

      demand that your vendor make a version that can be sensibly updated.

      Right. Sure. Because companies with millions of customers always do a complete system redesign to satisfy "demands" from one whiner.

  2. Re:Don't connect it to the internet by kwalker · Score: 5, Insightful

    Not just the local net. Restrict their access to only trusted control devices on the local net. It may require putting insecure devices on a network segment that has strict access controls, but when the only other alternative is to discontinue a working device (in situations where that's possible), making a sandbox network isn't all THAT much work.

    --
    Improvise, adapt, and overcome.
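
One way to check that the segmentation described in the comment above actually holds, as an added example that is not part of the original thread: a default-deny audit of flow records touching the isolated segment. The subnet, hosts, ports and log format are constructed assumptions.

```python
# Added example; every address, port and log line below is constructed for illustration.
import ipaddress
from typing import NamedTuple

LEGACY_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed segment for unpatchable devices

# The only (src, dst, proto, dport) flows allowed to cross the segment boundary.
ALLOWED = {
    ("10.1.5.20", "10.20.30.11", "tcp", 4840),  # trusted control host -> device
    ("10.20.30.11", "10.1.5.20", "tcp", 6514),  # device -> same control host (logs)
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse 'src=... dst=... proto=... dport=...' (constructed log format)."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return Flow(f["src"], f["dst"], f["proto"].lower(), int(f["dport"]))

def verdict(flow: Flow) -> str:
    """Classify a flow as out-of-scope, allowed, or a segmentation violation."""
    src_in, dst_in = (ipaddress.ip_address(a) in LEGACY_NET for a in (flow.src, flow.dst))
    if not (src_in or dst_in):
        return "out-of-scope"
    if flow in ALLOWED:  # a NamedTuple compares equal to the plain tuple
        return "allowed"
    if src_in and dst_in:
        return "violation:lateral"  # device-to-device, no control host involved
    return "violation:egress" if src_in else "violation:ingress"

def audit(lines):
    """Return (flow, verdict) for each flow that breaks the policy."""
    checked = ((f, verdict(f)) for f in map(parse_flow, lines))
    return [(f, v) for f, v in checked if v.startswith("violation")]

SAMPLE_LOG = [  # constructed flow records
    "src=10.1.5.20 dst=10.20.30.11 proto=tcp dport=4840",
    "src=10.20.30.11 dst=203.0.113.9 proto=tcp dport=443",
    "src=10.1.7.77 dst=10.20.30.11 proto=tcp dport=445",
    "src=10.20.30.11 dst=10.20.30.12 proto=tcp dport=445",
    "src=10.1.7.77 dst=10.1.5.20 proto=tcp dport=22",
]

for flow, v in audit(SAMPLE_LOG):
    print(v, flow)
```
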
  3. I love the FOSS community's cluelessness. by Anonymous Coward · Score: 5, Informative

    I use Slackware, along with BSD, financially support projects that I use, and have followed the Linux community since Linus was still in college. It always amazes me how clueless the FOSS community is regarding issues such as this.

    Just use Linux...
    That's your fault for using M$..
    etc.

    For regulated systems, especially in pharma manufacturing, you are told what to use, how to use it, when to upgrade it, how to upgrade it, etc. Basically, once the system is certified by the FDA - you don't touch it - PERIOD. You purchase enough compute/control systems when you install it to last you through your production, which could be - 10, 15, 20+ years.

    There is no, well, just upgrade to x - it's not allowed.

    Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!

    Do you really want to apply patches to a system such as this? Doesn't matter that they are 'network', or 'mouse driver', or 'display' - the risk is WAY TOO GREAT to jack around with them.

    Keep in mind that 'upgrades' require a new certification of that system, or depending on what it does, the entire production chain - which could run you a couple tens of millions of dollars.

    So, before starting the typical FOSS rant, please have a clue of what you are talking about, first.

  4. Re:The manufacturer wants you to buy a new one by gordguide · Score: 5, Interesting

    I'd never buy test equipment that requires a computer connected to be usable. Never, ever.
    That's as bad as my flex radio that I never use for the same reason, garbage. Every time I sit down, I just turn on my old Kenwood TS-430 instead.
    If it's a self contained device that requires no network connection, maybe. If there are software updates, they need to be installable offline. Mostly analog is ideal though.

    Sometimes "never" is not an option. One piece of electronic test equipment that revolutionized the industry is the Audio Precision line of Distortion Analyzers. Virtually everyone involved in electronic design, testing or repair owns one, and they are almost hobbyist-priced (a new basic unit can be had for less than $US 10,000). The revolutionary part of AP analyzers is they connect to a PC to do the math.

    Now, somewhat on topic, AP is very good at updating their SW interfaces and older machines can use modern versions of the WinOS. They also are not themselves normally required to be connected to outside networks, provided you use a dedicated PC on the bench and not one used for general computing. So many of the problems are solved using good management practices.

    If you want to be anywhere near current, you need an AP. I don't own one; I send my stuff to another engineer who does to test, but he charges $200/Hr. He has the most advanced unit, somewhere near or north of $US 20K. Plus a Windows PC and a printer if you want output charts, of course. My Distortion Analyzer is adequate (Keithley, a unit of Tektronix, $US 6,000) but only measures to the fifth harmonic.

    It is a standalone device, but unless you want to dig around for an old 70's~80's era machine from HP, Tek, Boonton, a Sound Technology 1700B, etc that pre-date the inexpensive computing power era, the norm these days is software / PC / Appropriate Sound Card for low cost measurement. So now you need, again, a dedicated PC and most hobbyists use the same machine for general computing. But the cost is *way* lower than a standalone machine or an AP.

    If you fudge the numbers, it comes down to a classic standalone machine (they still sell for almost four figures and sometimes a couple of thousand) or software like ARTA and a good sound card, maybe $400 worth of stuff total in addition to a basic working PC of some kind. You can fight with your wallet or just give up and go PC-enabled.