[SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"

Les Chambers les at chambers.com.au
Fri Jun 19 04:20:00 CEST 2020


I recently had cause to research current vulnerabilities in our Internet security regimes. I uncovered some mind-blowing stuff, particularly relating to man-in-the-middle attacks and how easy it is, firstly on local area networks and secondly in transport layer security, where I thought we were safe. If you want to be really afraid, just Google 'SSL strip'.

Security experts seem to have given up on LAN security because of the massive rollout of firmware in network cards. That code was written when security wasn't an issue. And it's everywhere. And it will not be fixed. Ever. Wireless nets are another very sad story: easily breakable from a range of 800 metres with the right antennas and equipment.

I'm sure better minds than mine are trying to fix these problems with various security wrapper strategies, but I was amazed to find that the problems haven't been solved. Maybe it's because we have too many engineering minds working and not enough criminal minds. There is a difference, I'm told by a Professor of computer science.

You may have noticed that the keys are getting longer. I'm advised that this is not because computers are getting faster. It's just that the math is getting better. 

So, like coronavirus there may never be a cure. We must all just suffer.

So if you've got a safety critical system your only option is AIR GAP. And I'm sure there is someone out there who would give me an argument on that.


Enjoy your day.

Cheers

Les


From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Martyn Thomas
Sent: Thursday, June 18, 2020 6:22 PM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"


From the description <https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/> in the linked article, the three most serious vulnerabilities seem to be buffer overflows. Such errors are easily avoidable, but new vulnerabilities will continue to be built into products until programmers change the way they write and verify software.

Thousands of development teams have incorporated these library routines in their products and, unsurprisingly, failed to find the vulnerabilities in their testing. Yet today, thousands of development teams will continue to resist using better methods, tools and languages.

As Tony Hoare wrote decades ago: ‘In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.’

Martyn
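To illustrate Martyn's point that this class of error is avoidable, here is an added example (constructed for this discussion, not code from the Treck stack, from any Ripple20 fix, or from either poster) of the kind of routine an embedded TCP/IP stack contains: walking the IPv4 option area and copying one option into a fixed buffer. Every length byte comes from the wire and is checked against both the packet and the destination before any copy is made; the option layout (EOL, NOP, then type-length-value) follows RFC 791, while the function name and return convention are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Treck or Ripple20 code.
 * IPv4 options are type-length-value; EOL and NOP are single-byte types.
 * opts_len is derived from the IHL field and already validated by the
 * caller, but every length byte inside the area is untrusted input. */
#define IPOPT_EOL 0
#define IPOPT_NOP 1

/* Copy the first option of type `want` into `out` (capacity out_cap).
 * Returns bytes copied, 0 if the option is absent, or -1 if the option
 * area is malformed or the option would not fit in `out`. */
int copy_ipv4_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                     uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < opts_len) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            return 0;
        if (type == IPOPT_NOP) {
            off++;
            continue;
        }
        /* Every other type carries a length byte; it must lie inside the area. */
        if (off + 1 >= opts_len)
            return -1;
        size_t len = opts[off + 1];
        /* The length counts the type and length bytes, so 0 or 1 is bogus,
         * and the option must end inside the area. Omitting this check lets a
         * wire-supplied length drive reads past the end of the packet buffer. */
        if (len < 2 || len > opts_len - off)
            return -1;
        if (type == want) {
            /* Bound the copy by the destination, never by the wire length. */
            if (len > out_cap)
                return -1;
            memcpy(out, opts + off, len);
            return (int)len;
        }
        off += len;
    }
    return 0;
}
```

The checks are a few lines each; the point of the example is that a parser which rejects a length that overruns the packet or the destination buffer costs almost nothing to write, and a unit test feeding it truncated and oversized lengths is the kind of test that would have found the overflow before shipment.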

 
