[SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"

Fred Pollard fred.pollard at gmail.com
Fri Jun 19 20:18:07 CEST 2020


The only possible issue depends on whether you view FPGAs as computerised
or not, given their programmability.  And as you know, some regulatory
domains would treat FPGAs as a computerised system.

Regards
Fred
(My views, not those of my employer)

On Fri, 19 Jun 2020, 18:56 Peter Bishop, <pgb at adelard.com> wrote:

> I seem to recall some analysis that showed air-gaps were very difficult to
> achieve/maintain.
>
> Perhaps a non-computerised safety-critical system is one way to prevent
> interference.
> Not so difficult these days with FPGAs and ASICs.
>
> Peter
> On 19/06/2020 03:20, Les Chambers wrote:
>
> I recently had cause to research current vulnerabilities in our Internet
> security regimes. I uncovered some mind blowing stuff particularly relating
> to man in the middle attacks and how easy it is, firstly on local area
> networks and secondly in transport layer security where I thought we were
> safe. If you want to be really afraid just Google 'SSL strip'.
>
> Security experts seem to have given up on LAN security because of the
> massive rollout of firmware in network cards. That code was written when
> security wasn't an issue. And it's everywhere. And it will not be fixed.
> Ever. Wireless nets are another very sad story. Easily breakable from a
> range of 800 metres with the right antennas and equipment.
>
> I'm sure better minds than mine are trying to fix these problems with
> various security wrapper strategies but I was amazed to find that the
> problems haven't been solved. Maybe it's because we have too many
> engineering minds working and not enough criminal minds. There is a
> difference I'm told by a Professor of computer science.
>
> You may have noticed that the keys are getting longer. I'm advised that
> this is not because computers are getting faster. It's just that the math
> is getting better.
>
> So, like coronavirus there may never be a cure. We must all just suffer.
>
> So if you've got a safety critical system your only option is AIR GAP. And
> I'm sure there is someone out there who would give me an argument on that.
>
>
>
> Enjoy your day.
>
> Cheers
>
> Les
>
>
>
> *From:* systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> *On Behalf Of* Martyn Thomas
> *Sent:* Thursday, June 18, 2020 6:22 PM
> *To:* systemsafety at lists.techfak.uni-bielefeld.de
> *Subject:* Re: [SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"
>
>
>
> From the description in the linked article
> <https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/>,
> the three most serious vulnerabilities seem to be buffer overflows. Such
> errors are easily avoidable but new vulnerabilities will continue to be
> built into products until programmers change the way they write and verify
> software.
>
> Thousands of development teams have incorporated these library routines in
> their products and, unsurprisingly, failed to find the vulnerabilities in
> their testing. Yet today, thousands of development teams will continue to
> resist using better methods, tools and languages.
>
> As Tony Hoare wrote decades ago: ‘In any respectable branch of
> engineering, failure to observe such elementary precautions would have long
> been against the law.’
>
> Martyn
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> Manage your subscription: https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety
>
> --
>
> Peter Bishop
> Chief Scientist
> Adelard LLP
> 24 Waterside, 44-48 Wharf Road, London N1 7UX
>
> Email: pgb at adelard.com
> Tel:  +44-(0)20-7832 5850