Crypto dongles to secure online transactions

dan at geer.org
Wed Nov 11 10:53:44 EST 2009


Matt Crawford writes:
-+-------------------
 | Imagine a couple of hundred million devices with updatable
 | firmware on them, and one or more rogue updates in the wild.


So should or should not an embedded system have a remote
management interface?  If it does not, then a late discovered
flaw cannot be fixed without visiting all the embedded systems
which is likely to be infeasible both because some will be where
you cannot again go and there will be too many of them anyway.
If it does have a remote management interface, the opponent of
skill focuses on that and, once a break is achieved, will use
those self-same management functions to ensure that not only
does he retain control over the long interval but, as well, you
will be unlikely to know that he is there.

This leads to a proposal on what to do about the future:
Embedded systems, if having no remote management interface and
thus out of reach, are a life form and as the purpose of life is
to end, an embedded system without a remote management interface
must be so designed as to be certain to die no later than some
fixed time.  Conversely, an embedded system with a remote
management interface must be sufficiently self-protecting that
it is capable of refusing a command.

Long live HAL,

--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


