The Coming IT Nightmare of Unpatchable Systems 240
snydeq (1272828) writes "Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling if not addressed by fabricators, vendors, and customers alike, InfoWorld reports. Routers, smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — 'the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations. This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of — or hostile to — change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.'"
The poster is showing his prejudice. (Score:5, Interesting)
"Poorly designed", or "incorrectly designed" - perhaps. I'm fairly sure that even the ATM designers who went with an embedded MicroSoft operating system felt that they had mediated security risks adequately to deploy their systems. Incidentally, I had a chance to peek inside a local casino's slot machines - all of them, regardless of external appearance were based on an identical piece of hardware. Watching them boot showed me a MicroSoft OS underlying those slots. Not a problem, as I'm fairly certain that none of the slot machines on the floor have any conceivable way of ever connecting directly to any network except for the dark wire casinos use for exactly this purpose.
My takeaway point is that the summary is (IMHO) slightly biased. The original article appears to be well written. Just to ask - how many embedded systems should be permitted to ever connect to the internet? ATM's, for example, should demonstrably be either confined to a darknet or (as I've seen in some places) required to use dialup access. It's not perfect, but it adds a significant obstacle for crackers to overcome. The casino I mentioned earlier seems to get this point.
I don't mind smart appliances - but again, I don't see why they need internet access. The exceptions to this (smart TV's, for example) should be viewed with suspicion specifically because they are likely to be connected to the internet in some way, but my smart refrigerator probably shouldn't be - and ATM's, slot machines, SCADA systems, etc. almost certainly should never be.
wait (Score:3, Interesting)
"Unpatchable" does not mean "Unsecured" in fact, I'd say it adds to security in many senses. A system that can't be patched, can also not be altered to do the attackers bidding. At the very least, any privileges the attacker may have access to can not be elevated to create some even worse situation. Worst case scenario you just disconnect power to the device in question. Submit it for warranty repair. If you're using a closed source software product out of warranty/support it's your own stupid fault.
Re:This "nightmare" rigns a bell (Score:5, Interesting)
Repetitive (broken) OS abandonment (Score:5, Interesting)
<RANT>
One thing that's causing problems is the habit of Apple and Microsoft to abandon operating systems for new, often incompatible ones, instead of fixing the bugs in them. OSX 10.6.8 is full of problems; the only way to fix them is to move up to OSX 10.7 or further, which in turn can break a lot of things, because the later release isn't just fixed (if, in fact, it is fixed), it's a different animal altogether. Just one example. OS vendors take the view that you can either move forward with them, or die in a fire. Windows, Ubuntu, XP, etc... same deal.
I'm not saying these old OS's should get new features. But bugs? They should be fixed as long as humanly possible. The product was sold as having feature set X, and working. If it doesn't work as advertised, or is unreliable, it shouldn't be abandoned, it should be fixed. Except in the very rare case where it is not possible (I can't even think of one of those, actually.)
The problem is multifaceted. It isn't just that users are left with a choice of being left behind and becoming steadily more vulnerable to exploits; it is also that as the OS vendors keep jumping away from their buggy versions, the OS landscape, as it were, is left lettered with broken junk, and the new stuff is going to also be broken in new ways (plus, often, the old ways too), because:
None of these OS vendors ever intends to work any product into shape such that it becomes stable, reliable, and actually what it was advertised to be when it was sold. Instead, hey, look over here, New! Shiny!
Then we have application vendors that, for no particular good reason, make their apps not just use, but depend upon new OS features. Generally speaking, you don't have to do that. You can tie a feature to an OS, and there are very good reasons to do so (the feature may not even be possible under a previous one), but then there are things that have no sane reason to be tied to an OS, such as the ability to load a new image format (Apple, I'm thinking of Aperture here.) New interface to load images through? Sure, great idea. Abandoning the old interface? Not generally a sensible thing to do. No doubt there are applications out there that use the old interface, and there will be users with (shock!) new cameras.
I find the entire cycle of abandonment to be reprehensible and ethically bankrupt. I think applications should be maintained until they aren't broken under the OS's they were designed to run under, and OS's should be maintained until they work in every way they were supposed to in the first place, and are kept as secure as possible without actually breaking things. But that's just me.
</RANT>
Re:The poster is showing his prejudice. (Score:4, Interesting)
A lot of those examples are solved problems, and at worst are minor inconveniences. Many IoT proposals can easily be replaced with three existing categories of solution: "other people", "paying attention", and "non-networked computing". To address your specific examples:
Thermostat: Schedule the turn-on in advance. Alternate, come home, move your luggage inside, turn on the AC, and go out to dinner.
Laundry machines: Check a clock every so often.
Broken fridge: Show failure status on an LCD. Or have a USB port that you can plug a laptop or a smart phone into.
Freezing weather: Ask a neighbor or a friend to check on your house once every day or two. You may already be doing this if you have pets.
Door opening: See above re: neighbor or friend, or hide a key somewhere.
Out-of-reach window shades: Close them before you leave for work.
Dishwasher: Assuming that scheduling is really that much of a money-save, start it manually before you go to bed. Or use a time delay. Or load the data into the washer via USB.
The more serious problems are much more rare, and that must be weighed against the constant vulnerability from having internet-connected appliances and the upkeep required to secure them.
Perhaps a better option would be to get away from the idea that networking should imply both internet access and full remote control. Is there any reason an embedded device can't limit communications to its own subnet? Stick an upgradable, patchable PC on the network to act as a master, and have it talk to the outside world. Meanwhile, the appliance should be designed at the hardware level so that remote access only gets you status information and the ability to trigger a few well-defined fail-safe modes. Using a stove as an example, you would be able to tell if the burners are on, or force them off, but you wouldn't be able to turn them on or change the heat setting.