[Cryptography] You can't trust any of your hardware

Jerry Leichter leichter at lrw.com
Fri Aug 1 16:34:26 EDT 2014


On Aug 1, 2014, at 1:11 PM, Joe St Sauver <joe at oregon.uoregon.edu> wrote:
> #I dunno how to fix this. The best I can come up with is to make more of
> #these exploits happen - post anonymous bounties to get firmware and
> #schematics leaked?
> 
> Use of non-rewritable ROMs would obviously "fix" the vulnerability (for 
> some definition of "fix"), but that assumes you can produce flawless code 
> that might never need to be patched or updated (or that you can live with 
> pitch-and-replace (rather than patch) as an update/remediate strategy)....
How many USB devices have ever been patched after sale?  I know of one example, which I mentioned in my original posting:  The Apple aluminum keyboard, introduced in August of 2007, has received exactly one update during its lifetime.

I, personally, know of no other examples.  If anyone else does, I'd like to hear about them.

USB devices are generally pretty cheap.  There's little motivation to publish patches - there's no general way to reach users, you have to worry about whether the users even have a system they could use to patch the device, and most will never bother anyway.  So for your expense you gain nothing in the market.  It's hard enough (effectively impossible) to get more complex, expensive devices like WiFi routers patched in the field - typical USB devices are just not worth thinking about.  (Apple could even *consider* doing a patch because it had an easy pathway to push patches out to all Apple systems, thus capturing most Apple keyboards.)

Doing patching on devices still at the factory, or even in the supply chain, might be more realistic - but most organizations these days run such lean supply chains that the fraction of devices you could actually get to this way is tiny.  Hardly worth the effort except maybe at initial release.

So, yes, for pretty much all USB devices, the code that was initially installed will be the code that's in the device until it's discarded.  It has to be "right enough".

I suspect most "patchable" devices are that way because that was the interface used to upload their firmware to begin with, and it's not considered worth the cost to lock out later uploads, even if there's no realistic chance there will ever be a need for them.

                                                        -- Jerry
