[act-ma] 6/26 (In)Security in Home Embedded Devices

Charlie Welch cwelch at tecschange.org
Tue Jun 24 05:59:15 PDT 2014

IEEE Computer Society and GBC/ACM

7:00 PM, Thursday, 26 June 2014

MIT Room E51-325

(In)Security in Home Embedded Devices

Jim Gettys

We now wander in Best Buy, Lowes and on Amazon and buy all sorts of 
devices from thermostats, hi-fi gear, tablets, phones, and laptops or 
desktops as well as home routers to build our home networks. Most of 
these we plug in and forget about. But should we?

"Familiarity Breeds Contempt: The Honeymoon Effect and the Role of 
Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith 
makes clear that ignoring these devices is foolhardy; unmaintained 
systems become more vulnerable, with time.

Structural issues in the market make the situation yet worse, as pointed 
out in Bruce Schneier's Wired editorial in January: "The Internet of 
Things Is Wildly Insecure And Often Unpatchable", which I instigated and 
fed Bruce the ammunition. "Binary blobs" used in these systems have the 
net effect of "freezing" software versions, often on many year old 
versions of system software. Even if update streams are available (which 
they seldom are), blobs may make it impossible to update to versions 
free of a vulnerability.

There are immediate actions you can personally take, e.g. by running 
open source router firmware in your network, but fixing this problem 
generically will take many years, as it involves fundamental changes and 
an attitude change in how we develop and maintain embedded systems, and 
hardest, changes in business models to enable long term support of 
popular hardware.

About Jim

Jim Gettys is an American computer programmer. He coined the term 
"bufferbloat" and has organized efforts to combat it in the Internet 
(see gettys.wordpress.com), and has been working on home routers. He was 
the Vice President of Software at the One Laptop per Child project, 
working on the software for the OLPC XO-1. He is one of the original 
developers of the X Window System at MIT and worked on it again with 
X.Org, where he served on the board of directors. He previously served 
on the GNOME foundation board of directors. He worked at the World Wide 
Web Consortium (W3C) and was the editor of the HTTP/1.1 specification in 
the Internet Engineering Task Force through draft standard. Gettys 
helped establish the handhelds.org community, from which the development 
of Linux on handheld devices can be traced.

If you are interested in these issues you should be aware of Hope 
(hackers on Planet Earth) conference, this July in NYC.


More information about the Act-MA mailing list