
You Can't Secure What You Cannot Update: Hardware Edition - alexandros
http://resin.io/blog/you-cant-secure-what-you-cannot-update/
======
zdw
Don't buy hardware you can't run your own software on. Even embedded software.

There are tons of great routers, both consumer and business class that have
Atheros CPU and WiFi chipsets that lack binary blob firmware, and support both
Linux and BSD:

[http://wiki.openwrt.org/toh/start](http://wiki.openwrt.org/toh/start)
[https://wiki.freebsd.org/FreeBSD/mips](https://wiki.freebsd.org/FreeBSD/mips)

Pick software first, then hardware that supports it. It's how we do everything
else, and routers are no different.

~~~
derefr
Are you imagining people developing an open-source vehicle-motor
microcontroller firmware, and then users choosing what _car_ to buy based on
whether they can use that firmware? Because that's the kind of "hardware"
we're talking about here.

~~~
aray
Even cars that run on open source software (Tesla Model S runs Linux) don't
release source for their GPL'd code.

So I wouldn't expect a project like this any time soon.

------
throwaway2048
I suspect this is going to cause a significant problem in the future with
regards to all these embedded home routers that stopped receiving updates 6
months after release. It's essentially an unmonitored backdoor to 95% of
networks on earth.

[http://www.devttys0.com/2013/10/reverse-engineering-a-d-link...](http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/)

[http://arstechnica.com/security/2014/02/bizarre-attack-infec...](http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/)

Not to mention the similar situation with android phones.

What a spectacular mess.

~~~
deelowe
Routers and switches are a concern, but I think the Tesla example in the
article is one of the best ones. Appliances that are relatively easy to
replace are one thing; major purchases like a car, home automation, or similar
items are much more concerning. We see how GM and Toyota reacted with their
recalls. Are we going to see something similar from the future (less
startup-y/more corporate) Nests of the world?

What happens when my alarm/sprinkler system is tied to my intelligent door
locks and a simple buffer overflow via Bluetooth allows a cracker to flood my
entire business with a simple drive-by attack? The internet of things brings
with it an unprecedented level of risk.

~~~
privong
> Appliances that are relatively easy to replace are one thing

But if the hardware still works fine, replacing it because of software issues
isn't really justified. It's far less wasteful to do software upgrades.

~~~
AnthonyMouse
> But if the hardware still works fine, replacing it because of software
> issues isn't really justified. It's far less wasteful to do software
> upgrades.

Unless you're a hardware manufacturer who wants to sell new hardware.

------
terminado
But like, wouldn't disabling internet access altogether also count as a
reasonable measure towards security?

What if you just didn't connect the device to any network at all?

What about that?

Are we trying to say that such a thing is unpossible?

~~~
jessaustin
It's not "unpossible" now, but eventually it will be. That is, we won't be
able to rely on either configuration or physical arrangements to isolate
networkable devices from networks. Of course you'll still be able to rip out
e.g. radio modules, but why do you want to break your toaster? b^)

------
nextstep
One of the many reasons why Android remains the bigger target for mobile
malware.

