September 26th, 2016

Hard Stare

In response to a comment on:

It’s time to ban ‘stupid’ IoT devices. They’re as dangerous as post-Soviet era nuclear weapons.

One of the elements of security is currentness. It is more or less axiomatic that all software contains errors. Over time, these are discovered, and then they can be exploited to gain remote control over the thing running the software.

This is why people talk about "software rot" or "rust". It gets old, goes off, and is not desirable, or safe, to use any more.

Today, embedded devices are becoming so powerful & capable that it's possible to run ordinary desktop/server operating systems on them. This is much, much easier than purpose-writing tiny, very simple, embedded code. The smaller the software, the less there is to go wrong, so the less there is to debug.

Current embedded systems are getting pretty big. The £5 Raspberry Pi Zero can run a full Linux OS, GUI and all. This makes it easy and cheap to use.

For instance, the possibly forthcoming ZX Spectrum Next and Ben Versteeg's ZX HD Spectrum HDMI adaptor both work by just sticking a RasPi Zero in there and having it run software that converts the video signal. Even if the device is 1000x more powerful and capable than the computer it's interfaced to, it doesn't matter if it only costs a fiver.

The problem is that once such a device is out there in lots of Internet-connected hardware, it never gets updated. So even in the vanishingly-unlikely event that it was entirely free of known bugs, issues and vulnerabilities when it was shipped, it won't stay that way. They *will* be discovered and then they *will* be exploited and the device *will* become vulnerable to exploitation.

And this is true of everything from smartphone-controlled light switches to doorbells to Internet-aware fridges. To a first approximation, all of them.

You can't have them automatically update themselves, because general-purpose OSes more or less inevitably grow over time. At some point they won't fit and your device bricks itself.

Or you give it lots of storage, increasing its price, but then the OS gets a new major version, which can't be automatically upgraded.

Or the volunteers updating the software stop updating that release, edition, family, or whatever, or it stops supporting the now-elderly chip your device uses...

Whichever way, you're toast. You are inevitably going to end up screwed.

What is making IoT possible is that computer power is cheap enough to embed general-purpose computers running general-purpose OSes into cheap devices, making them "smart". But that makes them inherently vulnerable.

This is a more general case of the argument that I tried (& judging by the comments, failed) to make in one of my relatively recent The Register pieces.

Cheap general-purpose hardware is a great thing and enables non-experts to do amazing and very cool things. However, so long as it's running open, general-purpose software designed for radically different types of computer, we have a big problem, and one that is going to get a whole lot worse.