
Urgent/11 – Zero Day Vulnerabilities Impacting VxWorks - phantom_oracle
https://armis.com/urgent11/
======
java-man
Wow, I was going to comment "IoT, the 'S' stands for 'security'", but this is
about VxWorks, a battle proven (literally) RTOS.

This illustrates a point that now, in 2019, there is literally no OS designed
for security. I mean, security was never a _real_ goal. Even software
specifically written to address security requirements could easily have gaping
holes (re Heartbleed)...

~~~
java-man
I wonder if there is a company that's really interested in developing a secure
(by design) operating system. Apart from you-know-who?

~~~
jnwatson
Take a look at seL4 [1].

That it has never taken off is more evidence that there's no money in securing
software, just cleaning up the mess insecure software leaves behind.

1\. [https://sel4.systems/](https://sel4.systems/)

~~~
javert
Is it true that seL4 has never "taken off"? And might it be too early to tell?

I am under the impression that the people behind seL4 have managed to
successfully commercialize other, earlier versions of L4 before seL4 was
created.

Anyway, even if we grant the premise that seL4 has not taken off, that does
not seem to justify saying that there is no money in securing software.

~~~
irundebian
seL4 just celebrated its 10th anniversary. seL4 isn't widespread in COTS
systems but rather in high assurance government systems as explained in this
blog post: [https://microkerneldude.wordpress.com/2019/08/06/10-years-se...](https://microkerneldude.wordpress.com/2019/08/06/10-years-sel4-still-the-best-still-getting-better/)

------
xvilka
Seems WindRiver is also adding[1] VxWorks support in the Rust language. There
should be more efforts into bringing safer and secure languages, toolchains,
even OS themselves into IoT, IIoT, and even RTOS worlds.

[1] [https://github.com/rust-lang/rust/pull/61946](https://github.com/rust-lang/rust/pull/61946)

~~~
pjmlp
Savvy safety-oriented developers already have a few options, it is not only
about Rust, although it is nice to see it making progress there.

[https://www.mikroe.com/](https://www.mikroe.com/), Pascal and Basic

[https://www.astrobe.com/default.htm](https://www.astrobe.com/default.htm),
Oberon

[https://www.aicas.com/cms/](https://www.aicas.com/cms/), RealTime Java

[https://www.ptc.com](https://www.ptc.com), RealTime Java and Ada

[https://www.ghs.com](https://www.ghs.com), Ada and INTEGRITY RTOS

------
Arrezz
The scale of this is baffling! And from what I've seen on the industrial side
of things, I doubt that everything will be patched anytime soon, sadly.

~~~
mc32
On the industrial side all these devices are in completely segregated
airgapped networks. Obviously someone could strike havoc via USB, etc., but
it’s not as bad as it could be.

~~~
koolba
A buckshot approach of mailing malicious USB devices would likely be
devastating.

~~~
dreamcompiler
Depends on the org. For some companies, you could drop a few USB devices in
the parking lot and they'd be toast. Others fill the USB ports on their
computers with epoxy.

~~~
koolba
> Others fill the USB ports on their computers with epoxy.

How do you plug in a mouse or keyboard?

~~~
dreamcompiler
You plug those in and epoxy them so they can never be removed.

------
cesarb
Everything old is new again: "WinNuke is an example of a Nuke remote denial-
of-service attack (DoS) that affected the Microsoft Windows 95, Microsoft
Windows NT and Microsoft Windows 3.1x computer operating systems. The exploit
sent a string of out-of-band data (OOB data) to the target computer on TCP
port 139 (NetBIOS), [...]"
[https://en.wikipedia.org/wiki/WinNuke](https://en.wikipedia.org/wiki/WinNuke)

~~~
dundercoder
We used to WinNuke the computer labs in high school after playing the first
15 seconds of Blur's Song 2. It got to the point where just playing the song
would cause Ethernet dongles across the room to get ripped right out of
laptops. Ahh the old days.

------
plopz
Completely random aside, but the site's scrolling is horrible. Clicking near
the edge randomly starts scrolling when the bar isn't visible and I can't
middle click and drag to scroll the page at all.

------
Havoc
Not at all surprised.

Busy kitting out my place with (consumer - jikes) IoT...and basically just
connecting the stuff long enough to get it online via Home Assistant.

...next step...firewall all the IoT IPs. Once they're connected to Home
Assistant they don't need internet access.

~~~
throwanem
Just don't use a NetApp or Sonicwall firewall...

------
gruez
Off topic:

Why are web developers constantly reimplementing native browser functionality?
This site for instance has their own scroll implementation that's laggy, adds
unwanted smoothing, and of course has _less_ functionality (middle-click
scrolling doesn't work, nor does autoscrolling). Fortunately I can get the
native implementation by disabling scripts, but I've seen sites that are
`overflow: hidden` so you're forced to use their scrolling logic.

~~~
dpedu
Project managers/product designers that don't understand their problem domain
paired with developers that won't say no.

There's a couple extensions that are supposed to target and disable this
behavior, but I've found them flakey at best.

~~~
cat199
Aren't you forgetting the 'developers' who want to be 'cool' in this equation?

------
fastflo
VxWorks ... have you ever tried to implement something with that ugly hack? --
and seen how nice it can be with other, proper operating systems?

As many already said: not at all surprised.

~~~
AnimalMuppet
Yes, I have. And why do you call it an ugly hack? For what it does, it does it
quite well. If that's what you need, then it's a very nice system. If you need
something else, use something else.

------
Causality1
There's a reason it's often referred to as "Internet of Shit". I highly doubt
anything is going to change until someone figures out how to use an internet-
connected power outlet to burn down a house. It's going to be a decade-removed
version of the wireless router issue: huge botnets will go on for years and
years and maybe eventually manufacturers will slowly close security holes and
institute better practices. Even that I doubt, since routers are made by a
handful of major companies and IoT devices are made by hundreds of fly-by-
night outfits who're likely to be out of business in five years.

~~~
closeparen
VxWorks is a serious, long term player in the embedded space. This is the
operating system you’ll find on the moon. Not really related to the fly-by-
night internet of shit.

~~~
Causality1
Indeed they are, but I refer to the legions of no-name products that make up
much of the consumer industry. Smart lightbulbs, power outlets, rain meters,
etc. The original headline was much less specific before it was edited.

