[SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"

Peter Bishop pgb at adelard.com
Fri Jun 19 19:47:03 CEST 2020


I seem to recall some analysis that showed air-gaps were very difficult
to achieve/maintain.

Perhaps a non-computerised safety-critical system is one way to prevent
interference.
Not so difficult these days with FPGAs and ASICs.

Peter

On 19/06/2020 03:20, Les Chambers wrote:
>
> I recently had cause to research current vulnerabilities in our
> Internet security regimes. I uncovered some mind blowing stuff
> particularly relating to man in the middle attacks and how easy it is,
> firstly on local area networks and secondly in transport layer
> security where I thought we were safe. If you want to be really afraid
> just Google 'SSL strip'.
>
> Security experts seem to have given up on LAN security because of the
> massive rollout of firmware in network cards. That code was written
> when security wasn't an issue. And it's everywhere. And it will not be
> fixed. Ever. Wireless nets are another very sad story. Easily
> breakable from a range of 800 metres with the right antennas and
> equipment.
>
> I'm sure better minds than mine are trying to fix these problems with
> various security wrapper strategies but I was amazed to find that the
> problems haven't been solved. Maybe it's because we have too many
> engineering minds working and not enough criminal minds. There is a
> difference I'm told by a Professor of computer science.
>
> You may have noticed that the keys are getting longer. I'm advised
> that this is not because computers are getting faster. It's just that
> the math is getting better.
>
> So, like coronavirus there may never be a cure. We must all just suffer.
>
> So if you've got a safety critical system your only option is AIR GAP.
> And I'm sure there is someone out there who would give me an argument
> on that.
>
> Enjoy your day.
>
> Cheers
>
> Les
>
> From: systemsafety
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On
> Behalf Of Martyn Thomas
> Sent: Thursday, June 18, 2020 6:22 PM
> To: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] "Ripple20 vulnerabilities will haunt the
> IoT landscape for years to come"
>
> From the description in the linked article
> <https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/>,
> the three most serious vulnerabilities seem to be buffer overflows.
> Such errors are easily avoidable but new vulnerabilities will continue
> to be built into products until programmers change the way they write
> and verify software.
>
> Thousands of development teams have incorporated these library
> routines in their products and, unsurprisingly, failed to find the
> vulnerabilities in their testing. Yet today, thousands of development
> teams will continue to resist using better methods, tools and languages.
>
> As Tony Hoare wrote decades ago: ‘In any respectable branch of
> engineering, failure to observe such elementary precautions would have
> long been against the law.’
>
> Martyn

-- 

Peter Bishop
Chief Scientist
Adelard LLP
24 Waterside, 44-48 Wharf Road, London N1 7UX

Email: pgb at adelard.com
Tel:  +44-(0)20-7832 5850

Registered office: 5th Floor, Ashford Commercial Quarter, 1 Dover Place, Ashford, Kent TN23 1FB
Registered in England & Wales no. OC 304551. VAT no. 454 489808
