[Cryptography] You can't trust any of your hardware

Joe St Sauver joe at oregon.uoregon.edu
Fri Aug 1 13:11:14 EDT 2014


Hi,

Pete Todd commented:

#I dunno how to fix this. The best I can come up with is to make more of
#these exploits happen - post anonymous bounties to get firmware and
#schematics leaked?

Use of non-rewritable ROMs would obviously "fix" the vulnerability (for 
some definition of "fix"), but that assumes you can produce flawless code 
that might never need to be patched or updated (or that you can live with 
pitch-and-replace (rather than patch) as an update/remediate strategy).

The best practical solution I can think of to fix this would be to interpose
a manually operated physical switch on each device that would need to be
intentionally closed by the user to update the firmware on the device. 

[This sort of scheme would effectively be the firmware equivalent of a 
"write protect tab" on old floppy disks (man, sometimes I feel really 
old even *mentioning* stuff like that :-))]

After completing the intentional firmware update the physical switch would 
then be reset to its normal open state, thereby preventing involuntary 
programmatic updates of the device's firmware. That would, I think,
*largely* eliminate the issue of firmware being tampered with by malware, 
while still allowing occasionally needed updates to be intentionally 
applied (albeit only by someone physically in contact with the device).

Corner cases? Presumably social engineering around activating the 
switch when you shouldn't, or efforts to piggyback malicious 
updates on top of legitimate patches. I could also see people with large
centrally managed farms of systems being grumpy about having to 
manually physically switch on hundreds or thousands of devices to
push firmware updates (but presumably this wouldn't be happening on
a daily (or even quarterly) basis).

Regards,

Joe
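The following is an added illustration, not part of Joe's message or of any real product: a small C model of the write-protect-switch scheme described above. The switch is a physical input that only an operator function can change; the flash controller refuses every write while the switch is open, and the update routine (whether run by an administrator or by malware) has no way to reach the switch. The names (device_t, operator_set_switch, fw_update, the 0xA1/0xB2/0xEE sample images) are all hypothetical, and the third scenario models the corner case of forgetting to reopen the switch after an update.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the scheme in the post: flash writes are gated by a manually
 * operated write-protect switch that software cannot reach. Every name here
 * (device_t, operator_set_switch, fw_update, ...) is hypothetical. */

#define FW_SIZE 16

typedef struct {
    uint8_t  flash[FW_SIZE];    /* firmware image in simulated flash */
    bool     wp_switch_closed;  /* state of the physical switch */
    unsigned refused_writes;    /* programmatic writes blocked by the switch */
} device_t;

void device_init(device_t *d)
{
    memset(d, 0, sizeof *d);
    memset(d->flash, 0xA1, FW_SIZE);  /* constructed "version 1" image */
}

/* The only path that changes the switch: a person at the device. Real
 * hardware would wire the switch to the flash part's WP# pin or to the
 * write-enable logic, with no register the CPU can poke. */
void operator_set_switch(device_t *d, bool closed)
{
    d->wp_switch_closed = closed;
}

/* Flash controller: a write succeeds only while the switch is closed. */
static bool flash_write(device_t *d, const uint8_t *src, size_t n)
{
    if (!d->wp_switch_closed) { d->refused_writes++; return false; }
    if (n > FW_SIZE) return false;
    memcpy(d->flash, src, n);
    return true;
}

/* Firmware update as any code on the device, legitimate or malicious,
 * would attempt it; it has no say over the switch. */
bool fw_update(device_t *d, const uint8_t *image, size_t n)
{
    return flash_write(d, image, n);
}

bool flash_is(const device_t *d, uint8_t fill)
{
    for (size_t i = 0; i < FW_SIZE; i++)
        if (d->flash[i] != fill) return false;
    return true;
}

/* Scenario 1: malware tries to reflash while the switch is open. */
bool demo_malware_blocked(void)
{
    device_t d; device_init(&d);
    uint8_t evil[FW_SIZE]; memset(evil, 0xEE, FW_SIZE);   /* constructed */
    bool wrote = fw_update(&d, evil, FW_SIZE);
    return !wrote && flash_is(&d, 0xA1) && d.refused_writes == 1;
}

/* Scenario 2: operator closes the switch, applies v2, opens it again;
 * a later malicious attempt is blocked and v2 survives. */
bool demo_intentional_update(void)
{
    device_t d; device_init(&d);
    uint8_t v2[FW_SIZE];   memset(v2, 0xB2, FW_SIZE);     /* constructed */
    uint8_t evil[FW_SIZE]; memset(evil, 0xEE, FW_SIZE);   /* constructed */
    operator_set_switch(&d, true);
    bool applied = fw_update(&d, v2, FW_SIZE);
    operator_set_switch(&d, false);
    bool tampered = fw_update(&d, evil, FW_SIZE);
    return applied && !tampered && flash_is(&d, 0xB2) && d.refused_writes == 1;
}

/* Scenario 3: the corner case of leaving the switch closed. Malware that
 * runs after the update, before anyone reopens the switch, wins. */
bool demo_switch_left_closed(void)
{
    device_t d; device_init(&d);
    uint8_t v2[FW_SIZE];   memset(v2, 0xB2, FW_SIZE);     /* constructed */
    uint8_t evil[FW_SIZE]; memset(evil, 0xEE, FW_SIZE);   /* constructed */
    operator_set_switch(&d, true);
    fw_update(&d, v2, FW_SIZE);
    /* the switch is never reopened */
    bool tampered = fw_update(&d, evil, FW_SIZE);
    return tampered && flash_is(&d, 0xEE);
}

int main(void)
{
    printf("malware blocked while switch open: %s\n",
           demo_malware_blocked() ? "yes" : "no");
    printf("intentional update applied, later tamper blocked: %s\n",
           demo_intentional_update() ? "yes" : "no");
    printf("switch left closed lets malware reflash: %s\n",
           demo_switch_left_closed() ? "yes" : "no");
    return 0;
}
```

The point the model makes explicit is where the trust boundary sits: nothing the CPU executes can call operator_set_switch, so the only software-reachable path is fw_update, which fails closed. Scenario 3 shows why "reset the switch to open after the update" is part of the procedure rather than an optional tidy-up.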

