On 1/4/2019 4:00 AM, Thiago Macieira wrote:
On Thursday, 3 January 2019 11:29:14 -02 Roland Hughes wrote:
Or you architect out everything which could be a security issue. There
is no command line or terminal. The few medical devices I know of
removed all support for inbound connections. The only method of
accessing them is to take the screws out of the case, open it up and
connect the custom debug board.
Physical access is still an attack vector.
And those devices still have an input mechanism: their scanner ports. It's
possible to send malformed data to their I/O pins to cause an exploit. Heck,
it's theoretically possible to do that with the scanning head itself: paint
your chest with some pattern in UV and when you go for a tomography, bam! the
device gets hacked. Remember how the iPhone 1 was jailbroken by a 1x1 pixel
TIFF image opened in the Safari browser?
I have no idea what you are speaking of here. Perhaps it is from a part
of the medical device world I've never worked in. None of the devices
I've worked with have exposed I/O pins. Even the patient monitor I
worked on had to have electrical protection so if someone stabbed the
thermometer into a wall outlet the current would never get to a patient
hooked to one of the other leads.
Perhaps I've just been lucky, but every device I've worked on to date
has had isolated components which communicate via a message queue. The
message queue only supports a limited number of serialized messages
(usually serialized COOA messages with fixed length fields.) If a stream
of garbage came in from a replaceable component, the stream would be
ignored by the message queue and an alarm sounded. Even the USB ports
I've seen on them will not communicate with an off-the-shelf keyboard,
mouse, thumb drive, or insert USB device here. Only a limited set of
custom devices could connect in any way.
While any component could theoretically fail, it cannot damage the unit
itself. Physical access can damage the unit itself assuming one wishes
to hit it with a hammer or throw it down several flights of concrete
stairs but the OS on many/most devices is not alterable in the field
without a soldering iron to replace the read only medium the OS is
stored on. Writable media is only used for the storing of data, logs and
configuration settings. Invalid/illegal settings are ignored and
generally when encountered at the start of some run cause the machine to
return to safe mode with some kind of "wrench" screen being displayed.
As a general rule you cannot select a different protocol without
stopping one run and starting a new one. Whether you believe me or not,
the independent testing agencies try feeding every illegal character and
configuration value set through each device they test.
But I do understand the cost of re-certifying a medical or avionic device. I'm
not saying people should update every day or every week, but they should still
keep up with the software, in their development tree. So like Konstantin said,
they will not be surprised when the time to update does come.
This is a bit of a misconception. A company isn't allowed to "update"
it's tool set without going through the full development process of
creating all of the documentation, getting approval, complete test set,
etc. The required QA process can be shorter, depending on the scope of
the change. A fix to correct a memory leak in a core tool like say, some
Qt class, could theoretically get through in months. Changing out a tool
like, say, "updating" from Qt 4.8 to 5.9 is treated as a new product.
Some companies may be able to get that treated as just an "enhancement"
but, generally it is viewed and treated as a new replacement product for
an existing product. Even with an accelerated approval process you will
be looking at a year or more from the time you start and several million
dollars spent.
Do you really want a surgical robot which is cutting on you running a PC
OS on a PC processor able to connect to the Internet? Some little hacker
poking around looking for financial/identity information could
accidentally have it remove your heart instead of your appendix.
Yes, so long as that device does proper security hardening, which includes the
ability to deploy fixes quickly. It also means it's not your regular desktop
OS, but a hardened version, like Safety Critical Linux. We had this discussion
20 years ago, when Linux was getting into telcos, and Carrier-Grade Linux came
about.
Maybe the IoT surgical robot is not a 2019 technology, but there are plenty of
other IoT ones that are. Those MUST update. Frequently. For those, if you're
not able to deploy a fix within one week, do us all a favour and don't sell
your device.
Should I assume that last statement was directed at Google and Android?
<Grin>
https://en.wikipedia.org/wiki/Android_version_history
https://blog.trendmicro.com/trendlabs-security-intelligence/android-based-smart-tvs-hit-by-backdoor-spread-via-malicious-app/
Automatic updates sound good, but we've all been on the other side of
them. One client site I was at recently pushed out Windows 10 updates to
their fleet of ThinkPad T440s laptops which bricked them. Their tech
support team didn't even blink when I turned the machine in. Every time
they push out updates a percentage of the machines in the field brick.
They didn't even waste much time testing them before pushing out another
batch because it always happened.
How many of us have left automatic updates turned in in our routers only
to come in one day to learn some or all were no longer working thanks to
an update? I have, that's why my routers are set to manual update now.
Having said all of this, I agree, IoT is going to be a train wreck hit
by a plane crash which rolls down hill into a daycare center during
afternoon play. Many of those devices have no ability to patch
themselves or be patched by a non-technical user. Lots of "new" products
being sold on eBay and other places which only list Android as their OS,
not the version. One has to go digging into other sources with the model
number and date of manufacture to learn they are still running, in some
cases, cupcake. These machines will just keep moving from home to home
with whatever exploit installed on them.
http://www.turn-keytechnologies.com/blog/network-solutions/how-cybercriminals-use-your-iot-devices
Even if 100% of the vendors of such products abandoned AGILE today and
adopted the software development practices of either the "safety" (life
and limb systems) or the NASA space systems, there is already too big of
an installed base of vulnerable (most likely already infected) equipment
still out there to make any difference within the next 5 years.
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593 (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
