Frankly Speaking, 8/1/19 - Embedded Systems Security
A weekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, blockchain, and devops.
If you were forwarded this newsletter, you can subscribe here, and view old newsletters here.
Man, it's been a crazy summer with lots of deals. Keep an eye out for the announcements :).
Anyway, I will unfortunately be at Blackhat, so come find me and say hi or send me an email at frank.y.wang@dell.com if you want to meet up.
LET'S BE FRANK
There's been a lot of buzz around IoT security recently, and honestly, it's nothing new. There's been talk about embedded systems security for numerous years. I think there's just more "IoT" devices nowadays, but honestly, I don't get the hype of IoT. IoT is just an end device that is connected to the internet... Technically a laptop or a mobile phone is the "original (or OG as some like to say it)" of IoT. However, the difference now is that these devices are "thinner" with less software and hardware and also connected to the internet. There is also the issue of scale. It's much easier to produce these devices, and more industries are using them to help reduce costs and increase automation. Anyway, this talk about IoT security has reminded me a lot of a talk that Jim Gettys gave at MIT about 4 years ago, where he gave his initial thoughts on embedded systems security. There is now all this hype around IoT with companies like Zingbox*, Armis, and CloudPost focused on just IoT security. Anyway, the summary of the talk is below.
Jim starts by talking about the following article. In summary, Jim instigated this article and helped Bruce write it, but he believes there are many parts that are understated. In other words, the problem with security for embedded devices is worse than Bruce describes.
Jim refers to the following conference paper called “Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-day Vulnerabilities.” I read this article, and the real world implications are immense. There are two main takeaways. First, the length of time between the release of the product and the discovery of the first vulnerability is a function of the familiarity with the product. Second, legacy code re-use contributes to the discovery rate of vulnerabilities and the number of vulnerabilities. For more details, I refer you to the actual paper.
The idea is that you cannot leave software and devices unmaintained. Products must have secure update streams for the life of the product. We are getting better at doing this with automatic updates for operating systems, applications, and software, but how about home routers and modems?
Home routers and modems are usually unmaintained and unpatched. They also start with four year old code, and the firmware is usually not updated after one year. Embedded devices like Nest thermostats are no different from routers except they don’t route you from place to place on the Internet. There are major problems because research results show single vulnerabilities affect more than half tested routers. DNSchanger attacked home routers as well as hosts. There is TheMoon worm, and the problems go on and on.
One of the biggest problems we have is the binary blob disaster. Silicon vendors design board support packages for their silicon to original device manufacturers (ODMs) for possible “design wins.” They have a static version of Linux and its applications, and they write a device driver, usually a binary blob. The code for these blogs is poor. ODMs have no incentive for updates until the next-generation silicon is shopped. ODMs cannot update to current software to fix vulnerabilities.
There is a major disconnect of incentives. The silicon vendor has an incentive for design wins, but software is an after-thought. ODMs have little software expertise and they are happy as long as the device doesn’t crash or get bad reviews.
What these devices really need is a secure boot loader. Users must be able to unlock them, and the cost for this loader is minimal. OpenFirmware does all the required crypto, etc. The solution is to apply existing technologies to a real code base.
Some interesting open source router projects are OpenWrt/CeroWrt. If you’re interested, I encourage you to check them out.
TWEET OF THE WEEK
Another tweet from this golden account! Oh yeah, I changed my Twitter background to black so that I can be on my way to be a 10x VC. I think that's how it works according to numerous other tweets I have seen online.
CURRENTLY READING
Olive Kitteridge by Elizabeth Strout
It's a series of 13 mini-stories about Olive and various characters in her life set in Crosby, Maine, and it won the Pulitzer Prize for Fiction. I'm slowly going through the last few Pulitizer Prize winners, which I generally find to be very well-written and well-researched.
HBO actually made a mini-series on it. I've only read the first few, which is an interesting look so far into the life of people who live in small towns in America. It's interesting as a contrast to the life of many who live in larger cities like SF, NYC, and Boston.