(In)Security in Home Embedded Devices
June 24th, 2014 at 12:30pm ET
Berkman Center for Internet & Society, 23 Everett St, 2nd Floor
We now wander in Best Buy, Lowes and on Amazon and buy all sorts of
devices from thermostats, hi-fi gear, tablets, phones, and laptops or
desktops as well as home routers to build our home networks. Most of
these we plug in and forget about. But should we?
"Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time.
Structural issues in the market make the situation yet worse, as pointed out in Bruce Schneier's Wired editorial in January: "The Internet of Things Is Wildly Insecure — And Often Unpatchable", which I instigated and fed Bruce the ammunition. "Binary blobs" used in these systems have the net effect of "freezing" software versions, often on many year old versions of system software. Even if update streams are available (which they seldom are), blobs may make it impossible to update to versions free of a vulnerability.
There are immediate actions you can personally take, e.g. by running
open source router firmware in your network, but fixing this problem
generically will take many years, as it involves fundamental changes and
an attitude change in how we develop and maintain embedded systems, and
hardest, changes in business models to enable long term support of
Jim Gettys is an American computer programmer. He coined the term "bufferbloat" and has organized efforts to combat it in the Internet (see gettys.wordpress.com), and has been working on home routers. He was the Vice President of Software at the One Laptop per Child project, working on the software for the OLPC XO-1. He is one of the original developers of the X Window System at MIT and worked on it again with X.Org, where he served on the board of directors. He previously served on the GNOME foundation board of directors. He worked at the World Wide Web Consortium (W3C) and was the editor of the HTTP/1.1 specification in the Internet Engineering Task Force through draft standard. Gettys helped establish the handhelds.org community, from which the development of Linux on handheld devices can be traced.
- Updated slides from this talk
- The Internet of Things Is Wildly Insecure—And Often Unpatchable, Bruce Schneier, Wired January 6, 2014
- Overtaken, Dan Geer