Were you one of the tens of thousands of consumers who scooped up one of those Spotify “Car Things” back in 2021? You know what I’m talking about – the funky looking portable devices that attached to your car dashboard and let you control your Spotify app via a touch screen or voice commands?
It’s true: when you bought it, you probably weren’t expecting to be toting around your Car Thing at a vintage car show in 2060. On the other hand, you probably didn’t imagine that Spotify’s portable electronic device experiment, the one you just dropped $90 on, would be declared “dead” in July 2022 – barely a year later, and just five months after it went on sale to the general public.
From ‘Wow’ to ‘Waste’? 2 Years
And, as it turns out, declaring the Car Thing experiment dead was just the first shoe to drop. Less than two years later, Spotify followed that up with the decision to effectively “brick” its Car Thing devices – ending support for the hardware after December 9, 2024. After this date “Car Thing will be discontinued and will no longer be operational,” Spotify said. In other words, the Car Thing hardware is effectively trash – not because of any failing in the device itself, but because the maker of the hardware has made a business decision to stop supporting it.
Consumers who put their hard-earned money down to purchase a Car Thing were offered no refund on their investment (as Amazon offered with its Halo health devices), nor were they given a credit towards other Spotify services. Nor was Planet Earth reimbursed for the costs it will bear should Spotify customers follow its guidance to “(dispose) of your device following local electronic waste guidelines.”
From e-bikes to network appliances: abandonware is growing
The Car Thing imbroglio led to outrage among Spotify’s customers. But it is part of a growing trend in which smart device makers – empowered by always-on Internet connections, digital rights management technology and cloud-based administration servers – are effectively abandoning or killing off devices they no longer wish to support, from smart home systems to e-bikes to enterprise security appliances.
To be clear: this marks a stark departure from consumers’ choices with previous generations of products. Mitsubishi may have decided that it wanted to get out of the pencil sharpener business, for example, but its customers continued using the hardware it sold for decades – or longer, as those mechanical devices did not have “smart features” and couldn’t be “bricked” simply by shutting off access to a remote server.
For both businesses and consumers, the costs of arbitrary decisions by manufacturers to kill off otherwise functional devices used by their customers are huge – and growing. As the Internet of Things (quickly) ages, the gap between the useful life of hardware and the desire, ability and intention of manufacturers to continue to support that hardware is growing. Your smart LG or Samsung refrigerator may have a useful life measured in decades, for example. But the OEM only wants to support its software for a few years – 6? 8? – after which it will cease providing security and feature updates. It may even follow Spotify’s lead: arbitrarily shutting off the servers that enable key features, or even bricking the device.
Panel: cyber experts weigh in on the abandonware crisis
What recourse should consumers have? What guardrails should we put in place to prevent “Car Thing” style scandals where consumers spend considerable sums on a smart product, only to see it “bricked” months (weeks?) later? And what are the cybersecurity implications of a growing, global population of abandoned, but Internet connected stuff?
That was the subject of a panel that SRFF co-hosted with the application security firm Veracode earlier this month. “Bricked and Abandoned” was an invitation-only event that took place on the sidelines of the RSA Conference in San Francisco. In it, panelists discussed the various dimensions of the “bricked and abandoned” phenomenon, from SOHO routers to automobiles and medical devices. They also talked about both regulatory and policy-based responses that could make EOL decisions less disruptive to consumers, businesses and the environment.
Listen to the panel discussion | Read the transcript
Panelists
- Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA)
- Window Snyder, Founder and CEO at Thistle Technologies
- Tarah Wheeler, CEO & Founder, Red Queen Dynamics
- Jake Williams, Instructor, IANS
- Chris Wysopal, Founder & CTO, Veracode
- Paul Roberts (moderator), Founder, Secure Resilient Future Foundation
Transcript
[00:00:00] Paul Roberts, SRFF: All right, thanks everyone for joining us here this morning. This is the Bricked and Abandoned panel. We’re gonna talk about the possible antisocial future of the Internet of Things and how we as a community, cybersecurity community and as a society can avoid that antisocial future, and maybe I am going to start off first of all by thanking Veracode for hosting this event and providing us breakfast and a beautiful room and an amazing panelist on top of it all. Absolutely could not have done this [00:01:00] without them, and so a big hand for Veracode.
Paul Roberts, SRFF: Thank you so much.
Paul Roberts, SRFF: (applause) The other sponsor is a group that some of us are standing up, including me as president, called the Secure Resilient Future Foundation or SRFF.
Paul Roberts, SRFF: And we’re going to talk more about SRFF and what our mission is and what we’re all about. Near the end of our session. And so stay tuned. But we’re, this panel is very kind of integral to what SRFF is going to be doing. So here’s our agenda. And as you can tell, the first thing on that is introduction.
Paul Roberts, SRFF: So I wanted to, first of all, take just a minute and let this pretty impressive panel introduce themselves to you and and tell you a little bit about themselves. And I’ll start with Jake immediately to my left.
Jake Williams, IANS: Appreciate it. Thanks. My name’s Jake Williams. Gosh, I’ve been in the security community a while. Used to be a government hacker back in the day. Then the Russians outed me and that was fun, and yeah, anyway, thanks. Great.
Window Snyder, Thistle Technologies: I’m Window [00:02:00] Snyder. I’m the founder and CEO of Thistle Technologies. We make it easy for device developers to get sophisticated security capabilities into their products really easily.
Window Snyder, Thistle Technologies: Prior to that, I was the CISO and the CSO at Square, at Fastly, at Mozilla, former Chief Software Security Officer at Intel, and worked on security and privacy for almost six years at Apple for iOS and OS X. So…a lot of platform security work.
Chris Wysopal, Veracode: So I’m the opposite of Window in my 18 years. I’ve been at Veracode the whole time, but I’m the founder and CTO of Veracode. We do application security testing. Before that I was an application security consultant and before that I was a vulnerability researcher, so I guess I’ve been finding vulnerabilities my whole life.
Tarah Wheeler, Red Queen Dynamics: Hi, I’m Tarah Wheeler. I’m the CEO of Red Queen Dynamics. We make a SaaS compliance product for small businesses to get and stay compliant with their cyber insurance, vendor assessment, and compliance frameworks needs.
Tarah Wheeler, Red Queen Dynamics: Yeah, I like helping small businesses. I get very [00:03:00] annoyed when people are disempowered, and that’s why I care about the right to repair movement, as well as abandonware, and I’m also a senior fellow for global cyber policy at the Council on Foreign Relations. And I spend an awful lot of my time doing textiles and trying not to let my husband break into too many places.
Tarah Wheeler, Red Queen Dynamics: And it’s wonderful to be here today.
Allan Friedman, CISA: Thank you for having me. I guess I’m the role of “The Man” on this panel. My name’s Allan Friedman. I’m a senior advising strategist at the Cybersecurity and Infrastructure Security Agency. That’s America’s civilian cybersecurity agency. I’m most well known as being the guy who has not shut up about SBOM for about six straight years. We do other things too. Before I joined government, I was a professor. So I’ve been in cybersecurity policy for about 20 years.
Paul Roberts, SRFF: I’m Paul Roberts. In this context I’m the president of SRFF, Secure Resilient Future Foundation, but I’ve got a bunch of other titles. I’m a Cyber Content Lead at ReversingLabs, a cybersecurity company that does threat intelligence, supply chain security, and I’m also the editor in chief of the [00:04:00] Security Ledger, a long time, I’m the least technical person up here, a long time cybersecurity journalist and also been very involved in the last five or six years in the right to repair movement, on the board of the Repair Coalition, so very much connected
Paul Roberts, SRFF: to a lot of what we’re going to be talking about. Okay, so to get the conversation going, and we are going to be doing questions and answers at the end. We’ve got folks with mics around, and I would say generally, I think if something occurs to you and you just want to throw your hand up and ask a question, I don’t think we need to formally wait for the end of the event to do that, so if you really, if you feel like you want to jump in and contribute an idea, please do.
Paul Roberts, SRFF: So the sort of germ of the idea for this panel was that we have an epidemic of end of life devices that is in its early stages, but is going to get a lot worse in the years to come. So 29 billion Internet of Things devices projected by 2030, and that’s double from 2020.
Paul Roberts, SRFF: And really no laws that sort of govern or mandate end of life devices, [00:05:00] necessarily how to manage those devices. And what we’re starting to see is a real divergence between the useful life of the device. Let’s take a smart refrigerator, smart home appliance might have a useful life of a couple decades. Um, and the ability or intention of the software, of the company that makes it to support the software that runs the device, which might be measured in five, six, seven, eight years, something like that.
Paul Roberts, SRFF: So there’s this huge divergence and what that’s leading to is a lot of end of life devices that manufacturers have just walked away from. A salient example of this, there are many of them, is the recent Chromebooks story that came about where, during the pandemic, we, as a country, went into this massive nationwide experiment in remote learning, 48 million K-12 students, and they suddenly all needed one to one devices to attend virtual classes.
Paul Roberts, SRFF: Many districts, including my own in Massachusetts, bought Chromebooks because they’re less expensive and did what needed to be done. As it turns out, many of those Chromebooks had a [00:06:00] support lifespan of four years. And four years from the date of certification, not from the date of sale, which meant if you bought them and they’ve been sitting around in a warehouse for a year and a half you might not have four years.
Paul Roberts, SRFF: You might have two and a half years. As those started to come to the end of their lives, or that deadline started to approach, there was a lot of pressure on Google to change its policies, including by U.S. PIRG, and we’ve got Nathan Proctor from PIRG here, and they were successful in getting Google to agree to extend the support time from four years to 10 years for Chromebooks, and it’s estimated that will save U.S. school districts about $1.8 billion. But that was an arbitrary decision. Google was under no legal pressure or requirement to do that. And if they hadn’t, not only would there have been potentially an economic consequence, but there might have been a cybersecurity consequence as well.
Paul Roberts, SRFF: Districts using old, outdated, unpatchable devices. [00:07:00] Okay, but that’s not all. And there are much bigger stakes than K-12 Chromebooks. And I’m going to toss the mic to Allan down there to talk about this. And you brought up in one of our discussions the hack of Guam as relevant to this.
Paul Roberts, SRFF: So go ahead.
Allan Friedman, CISA: So the short version is many aspects of the U.S. intelligence community, the U.S. cyber defense community, and our global partners on both sides identified some strange behavior that didn’t look like other threat actors back in 2022. And digging into it took quite a lot of work.
Allan Friedman, CISA: One of the first steps of their attack was to build a botnet. Now, botnets aren’t new, right? Okay, someone can’t use their link, their Minecraft server. But this was a botnet of home routers. So plugged into a non-trivial pipe to then cover actual damaging traffic, including putting live implants on critical infrastructure on American owned, an [00:08:00] American company owned, critical infrastructure.
Allan Friedman, CISA: Not an intelligent target, but water, lights, and of course, telecom. A relatively small number of small home office, home and office routers popped the island of Guam. So there are real stakes at what we’re trying to do.
Paul Roberts, SRFF: And this is not an unusual thing. In fact we saw, I know, Lumen Black Lotus Labs did a lot of research finding that end of life SOHO routers were the foundation for a lot of Chinese APT attacks on large corporations, Microsoft among them.
Paul Roberts, SRFF: I guess I would ask the panel. So as we look at this, our SOHO routers, are they the canary in the coal mine for this larger end of life device issue? Just because they’re these IoT devices that have been out there deployed for a decade or more, two decades.
Chris Wysopal, Veracode: Yeah, I would say yes.
Chris Wysopal, Veracode: Yeah, I mean I look at this, the SOHO router is the first Internet of Things device because it was something that had a full [00:09:00] computer on it, that had to be connected to the internet to function, has lots of capability. And the other aspect I see with the SOHO routers are the incentives of the person who owns the router are different than perhaps the way the attackers think about using that router, because someone might say, hey, I’m a small retail shop.
Chris Wysopal, Veracode: I don’t really have anything for anyone to steal. So I don’t really care about updating it. I don’t even think about it. I don’t have people saying your infrastructure is at risk. You need to keep these devices up to date. It’s just not thought of that way because they don’t think it’s a security risk.
Chris Wysopal, Veracode: So the incentives aren’t there for them to even care about end of life or care about updating. Yeah.
Allan Friedman, CISA: I’m sorry. I also want to chime in on a little bit of a “why now?”. Because until very recently, including 2017 when the US government wrote a report in response to the Mirai botnet, we didn’t say that IOT wasn’t a major risk, but we did.
Allan Friedman, CISA: Why? Because [00:10:00] American households had this magical firewall called Network Address Translation. That is no longer a binding assumption and it is getting less and less as both our devices and our networks mature.
Window Snyder, Thistle Technologies: I’d like to add something to Chris’s point about incentives here. That if we’re talking about routers, not these specific routers, but let’s just say cable modem routers in general.
Window Snyder, Thistle Technologies: And you’ve got a deployment of a hundred million devices. And you’ve got a failure rate for update that looks like 1%, and I’m going to tell you it’s absolutely not 1%. It is way higher than 1%. An update failure means that device is bricked, and the way for the user to get out of it is to take another computer, download a firmware update, take a USB cable, plug that into the cable modem router.
Window Snyder, Thistle Technologies: Use the computer to flash the firmware for the cable modem router, and that might get them back up and running. But for a 1 percent failure rate, you’ve got 1 million people who are down calling their provider saying, Oh, my internet is down. And oh, how are they going to download the firmware update in the first place when the internet is down?
Window Snyder, Thistle Technologies: It’s completely undoable. Update for devices is [00:11:00] really different than update for a web browser where if you fail you can mostly get going again. Restart it yourself, restart your computer, get back to a known good state. But if we’re talking about a device, if it’s a car, it has to come back to the dealership.
Window Snyder, Thistle Technologies: If it’s that cable modem router, your internet is down. If it’s a phone, you have to come back to the mobile store. If it’s industrial manufacturing equipment, you’ve shut down the assembly line, or the entire line. If it’s a satellite, it’s gone forever, right? The stakes are completely different when it comes to reliability for update.
Window Snyder, Thistle Technologies: And even if they have an update mechanism built in, even if they have the desire to ship a security update, the bar is so much higher for updating devices that it just basically doesn’t happen.
Chris Wysopal, Veracode: So the end user doesn’t want to update, and the manufacturer doesn’t want to update. I see a big problem.
Jake Williams, IANS: I was going to mention here too, one of the other big things that we are going to see a landslide with, and I already work several incidents a year with these, are the SOHO storage. So your Western Digital My Books that are now 10 years out of date, but are still being seen in regulated data environments, right?
Jake Williams, IANS: And you talk about failure [00:12:00] rate with updates, Window, that’s a fantastic example because here, you have a very real chance of losing your data, right? And separately from an incentive standpoint, I think Allan mentioned that idea of NAT.
Jake Williams, IANS: The NAT firewall is no longer there. These things, by design they say, Oh, use UPnP and you can open it right up to the internet. Or, so that you can synchronize from your home office to your, to the work location, and this is just a dumpster fire waiting to yeah.
Tarah Wheeler, Red Queen Dynamics: Building on the incentives question, especially the one that Window and Chris brought up, when I work with small business owners and managed service providers, one of the biggest challenges we have is that we can go to a small business, 30 person trucking company in Iowa, and say, your payments processing system is broken, it’s down.
Tarah Wheeler, Red Queen Dynamics: And they say I don’t understand why. The credit cards still work, we say, but it’s completely compromised. You are leaking this data everywhere and they say, there’s why would I care, right? That’s not a thing that’s relevant to them, right? They’re, the credit card payment processing machines that they’re operating still work to take money and after that point, [00:13:00] they have no incentive to replace it.
Tarah Wheeler, Red Queen Dynamics: They have to replace it if they are not experiencing regulatory pain or a problem with their cyber insurance provider. So we don’t just have a problem with the manufacturer and the end user. It’s that there’s almost a very active anti incentive for an end user who has to pay for an expensive upgrade to be in a position where they want to spend more money on that.
Paul Roberts, SRFF: That’s true in the SOHO routers case too, because what they were saying, if the SOHO router fails and you lose internet connectivity, you’re going to be on the phone immediately because that affects everything. But if the SOHO router just gets owned and is used to do brute force attacks on some company, but is still delivering your internet access,
Chris Wysopal, Veracode: You don’t even know.
Paul Roberts, SRFF: You don’t even know. And you don’t care about it. Yeah.
Audience Member: So this is probably the perfect panel to answer this question, and I’ve had it for a while, which is, if the PRC bombed Guam, We, the people, would be paying for remediation via our military, right? How is this not considered to be just as much of a threat as that?
Audience Member: [00:14:00] And at what point is government going to get involved to fund it? Because right now, this is an awareness problem, but it’s also a money problem. I don’t know about you all, but the businesses I work with don’t necessarily have the money to buy new IoT and refresh every year, two years, four years.
Tarah Wheeler, Red Queen Dynamics: If North Korea had, instead of in 2014, taken out Sony, cost about a hundred million dollars in damage, if they had instead bombed an airfield in Austin, Texas for the same tune of a hundred million dollars, we would not be having this problem.
Allan Friedman, CISA: I obviously cannot speak to national security strategy. What I can say is the reason Paul put this on the slide and that we’re talking about it is because those routers were end of life and we don’t have a good understanding of whose responsibility is it to talk about that? And there’s been very active communication, and I’ll just talk about the high level infrastructure side before zooming down to IoT, between the global service providers, the international carriers, and the giant network manufacturers, [00:15:00] to say, “Yeah, but the status quo doesn’t cut it. We need to figure out how to share the burden from the market side.”
Paul Roberts, SRFF: And this end of life is not just a consumer issue, right? We saw this with the Ivanti and Pulse Secure, right? So these were end of life devices that were being deployed in highly sensitive environments, security devices running an end of life operating system.
Jake Williams, IANS: I’m in regulated data environments all the time that are operating on, frankly, ancient hardware. I actually had, not two years ago, actually still saw VMS running on DEC Alpha hardware. And so I saw several DEC Alpha machines sitting in the corner, partially disassembled in the data center, and I’m like, Oh, you’re finally getting off your DEC Alpha. It’s no, that used to be the staging environment. Now they’re parts servers, right? And so then you move out to the perimeter, and you’d like to think that’s not the case anymore, but again, I’m working with a major… And this isn’t like a small problem, small business problem [00:16:00] either, although it is a much bigger problem than small business.
Jake Williams, IANS: Multi billion dollar corporations who are replacing firewalls at their core and then taking the end of life stuff and instead of recycling it, they’re moving it out to their remote offices.
Paul Roberts, SRFF: The end of life question- there are a number of questions that come from that, right? Something being abandoned or no longer supported by their manufacturer isn’t a problem in and of itself, as long as there’s a way for the community, whether that’s a third party business or the commons, to continue to pick up the baton that the manufacturer has laid down. And say we are gonna continue issuing software updates, we’re gonna continue managing, right?
Paul Roberts, SRFF: In which case, it doesn’t matter that the manufacturer declared it end of life. But the problem is that’s not happening. So I guess who’s gonna pay for that? So I guess one question is, what is the fix for this? Should manufacturers be required to support their stuff forever or for some long period of time, which is somewhat what the E.U. has [00:17:00] proposed, or actually enacted, with certain types of consumer devices. Mandatory 10 year support life span. Or is there a market based way to address this issue? I’m gonna ask you what you think.
Window Snyder, Thistle Technologies: So it is difficult for companies to support technology for a very long time because it prevents them from actually deploying those resources to something that generates new revenue as opposed to a small amount of revenue from, let’s say, a support contract, et cetera.
Window Snyder, Thistle Technologies: Additionally, as you do better security work, it’s going to be in your most modern products. You can’t bring all of that great security work back to your old hardware, your old, even if it’s an operating system, you can’t bring it all back. And if you do, you basically have re-written the operating system and the answer is still your latest work.
Window Snyder, Thistle Technologies: Being able to support really old technology long term gets harder and harder basically every year. And the set of things that you identify, let’s say you’re looking at a component that is parsing and it has a lot of memory corruption issues. The fix for this is not to fix all the memory corruption issues.
Window Snyder, Thistle Technologies: The fix for this might be to rewrite that component in a memory safe [00:18:00] language. But then you can’t necessarily bring it back to the existing system, right? So the fixes don’t always work. They’re not necessarily able to backport. So options include things like asking or escrowing your software with a third party, allowing them to sell support contracts to the parties that still need it.
Window Snyder, Thistle Technologies: So folks who can’t move off are able to move off, but the majority of the population is able to move on to the latest and greatest work, which will include security work that goes well beyond point fixes for individual vulnerabilities, making the entire deployment more secure, but that’s still incredibly difficult to do because once there is an option to support the old stuff it’ll make us all less secure by creating an environment where we have technology and vulnerable software that survives longer.
Window Snyder, Thistle Technologies: Because there is a path. This is something that Microsoft really struggled with. I skipped that part of my resume, but I also did security sign off for Windows, while I was at Microsoft, for multiple releases of the operating system. And from having seen it with OS X and iOS, from having seen it with Windows, from having seen it with a lot of these different platforms, I know there’s this complicated balance you’re trying to achieve with both keeping customers happy, and Microsoft does this for a very long time.
Window Snyder, Thistle Technologies: They keep their operating system out [00:19:00] there and supported in the world for a very long time. Support contracts for even further. But when they saw how they couldn’t get past this really entrenched malware ecosystem because there was such an enormous deployment of the old operating system, they really tried to get folks to move off of it and to move on to their latest and greatest work.
Window Snyder, Thistle Technologies: It’s complicated on both sides. So even if you just assume that everyone’s got the best intentions which I know it’s hard to do that, but let’s just say everyone’s trying to make sure that we’re all secure, we’re all using computers and technology that we can have confidence in it’s still incredibly difficult to manage all these different moving parts.
Chris Wysopal, Veracode: I think one of the solutions is for the manufacturer to say we’re declaring bankruptcy on this piece of software, and we’re gonna ship everyone a new piece of software that’s fixed. This didn’t happen with Flash, but they just said, we’re not supporting Flash anymore. Flash is gone.
Chris Wysopal, Veracode: It’s deprecated. No one use it. Because they just couldn’t keep up with securing it, because it was written so insecurely. There was a time, I think it was early 2000s, where Norton Antivirus had an older version that they just couldn’t support anymore and they just decided to give everyone who bought the old version the new version of Norton Antivirus, which was [00:20:00] rewritten.
Chris Wysopal, Veracode: So that is a solution. It’s obviously expensive, very expensive.
Window Snyder, Thistle Technologies: The situation with Flash, though, didn’t happen in a vacuum. So for having been on the OS X side of this within OS X they were shipping Flash and Flash had a lot of vulnerabilities that were outside of the control of what Apple could do for their platform.
Window Snyder, Thistle Technologies: Can’t mitigate the vulnerabilities or how long it takes to fix an issue when it’s in your operating system and it’s controlled by a third party. So eventually it was no longer part of the OS X operating system, and Microsoft did the exact same thing, and eventually it wasn’t deployed as widely.
Window Snyder, Thistle Technologies: And so the value for Adobe was dramatically reduced when it wasn’t as widely in use. So it was a lot easier for them to eventually say that. Yeah. In addition to the cost of keeping up with the security issues, the value from having it deployed once upon a time in literally every web browser by default was gone.
Chris Wysopal, Veracode: So that’s an incentive there, right? And someone who had control of a platform had an incentive perhaps, I don’t think this is going to happen, but ISPs could say we are not supporting these routers that are end of life anymore. You cannot have it on our ISP network. I don’t think that’s going to happen, but it is something to think about.
Allan Friedman, CISA: The country of Japan [00:21:00] tried that as an experiment several years ago, where they scanned the public consumer grade networks looking for vulnerable devices. And then notified the people who had them. Now raise your hand if you think the U.S. government should do that. Probably not a great idea.
Allan Friedman, CISA: But there are ways that your ISP can play that intermediary.
Paul Roberts, SRFF: Question?
Audience Member 2: Yeah, you talked about solutions being, send everybody a new router, or send everybody new software. In terms of sustainability, right? You brought up how long is long enough to sustain a piece of software, right?
Audience Member 2: In a world with finite resources, is this even like the best path to, are we going to recycle these things when those things aren’t even in place? Is this even a solvable problem? Maybe the solution is make the perfect router, but we all know that perfect is never going to happen.
Audience Member 2: So what are we going to do? That’s right.
Window Snyder, Thistle Technologies: It’s easy to think about if it’s a router, we can just ship them to everybody else, right? But what if it’s a car? Cars are basically just computers [00:22:00] now on wheels. So yeah, there’s a recycling issue. But like a car is a computer, right? And so those things run around for decades with a lot of value you drive it for however many years, hand it off to the next person, they drive it for however many years, and it has a very long life, and it has a lot of value, beyond, let’s say the amount of time that manufacturer could or should be forced to continue to support it.
Window Snyder, Thistle Technologies: So getting to a place where we’ve got some sort of option for community support is going to be valuable. I think that’s kind of what a lot of folks here are driving at. That we don’t have a reasonable way today to support all these computers that are attached to incredibly valuable assets, devices.
Window Snyder, Thistle Technologies: Whether it’s your smart meter attached to your house, or it’s your smart fridge, or the smarter fridge that’s hanging out in the hospital while keeping medicine at the right temperature. There’s a lot of devices that are deployed in critical situations that have very little in the way of software support, whether for security issues or even just functional issues.
Audience Member 3: We also see that... Sorry, I think the solution to the car thing is: I rode my bike here and got a heart attack. And then something like [00:23:00] two weeks ago, I got my bike shot down the street.
Tarah Wheeler, Red Queen Dynamics: We also see that in rural hospitals and in less resourced medical facilities. A lot of end of life devices are no longer vendor patched.
Tarah Wheeler, Red Queen Dynamics: And one of the biggest challenges there is, it’s not just about the cost of replacing the device, it’s also about retraining and certifying the personnel that have to use older equipment. And that’s been one of the biggest problems in fully erasing Windows 7 from the landscape right now. I think Security Boulevard did a study in 2021 saying that at that time 27 percent of the devices that were vulnerable to WannaCry in 2017 still were.
Tarah Wheeler, Red Queen Dynamics: And I think Jake and I have done an estimation before for a presentation we did that it’s probably still at least between 12 to 17 percent of devices that were vulnerable at the time still are. Many of them are in the medical field because those devices are not patchable or repairable without also retraining staff and then dealing with the ensuing regulatory climate. Yeah.
Audience Member 3: Also, the FDA has to approve the patch too.
Tarah Wheeler, Red Queen Dynamics: Yeah. The FDA approving the patch. You can imagine that is a speedy [00:24:00] and facile process.
Allan Friedman, CISA: Actually, this is a great sign of, I think, progress from government technocrats: the FDA. Absolutely. Security updates are treated differently than a major feature update.
Allan Friedman, CISA: And it will fast track them and in some cases allow you to say after the fact. And that’s amazing, and we should honor that. The thing that scares me about the medical device community, because I think they have made a lot of progress in security, is, I don’t know, we’re lucky if a medical device manufacturer is shipping a device with Windows 10.
Tarah Wheeler, Red Queen Dynamics: Yep.
Allan Friedman, CISA: That is the top of the line, I don’t know any manufacturer who is shipping a major product line with the next version. And when is Windows 10 EOL?
Paul Roberts, SRFF: I know one of the things you said when we were talking before this, and Window, I’m interested in your thoughts on this too, is one of the problems is organizationally within companies. Often the acquisition team that’s making decisions about what hardware [00:25:00] and software to purchase is either totally separate from, and probably not communicating with, the security operations team, who might look at some of these issues. And to this point, maybe in addition to software support, whatever’s in the SBOM, there’s some issue around sustainability and resilience.
Paul Roberts, SRFF: How long are we going to be able to use this, right?
Allan Friedman, CISA: Go ahead. I’ll say three minutes and then I’ll be quiet because I think it’s important to think through what the role of government can be. And of course, giant in every country is different. But I put it in three buckets.
Allan Friedman, CISA: One is go after bad guys. And we’re not going to stop the people who did Volt Typhoon. But what we can do is use certain authorities to say: you said you were going to do this and you didn’t. That’s lying to the American public. We don’t like that. That is the FTC’s domain, and there are other regulators that are moving in that space, including, I’m seeing discussion in [00:26:00] automotive and in the broader IT space.
Allan Friedman, CISA: The second is policy. Policy is a big, messy bucket, and one of the challenges we have when we think about it, especially in the security world, is understanding what the levers are. What can you actually do? Because something that sounds easy and common sense, turns out, has been part of three different agencies for 70 years, and there’s a mass amount of case law that says you can’t do it.
Allan Friedman, CISA: So being creative about that, and that means, and I think this group is a great start, of bringing together policy people and security people to help brainstorm what are effective solutions. And then the last thing that government does is we make infrastructure, right? We build roads, we build bridges, most of the time they stay up.
Allan Friedman, CISA: And we build digital infrastructure. We create vulnerability databases. Okay, bad example. But one of the things that we [00:27:00] are starting to work towards is what are some data standards that can talk about different categories of end of life that are machine readable so they can support tooling.
Allan Friedman, CISA: Will that help terrorist clients? Maybe not, right? We need to aim at the true have-nots. What we can do is start to build data layers. And if you’re curious, there’s an OASIS standard that is just standing up. It’s called OpenEoX.org. It’s international. It’s open. So anyone could participate if this is something you want to talk about.
Jake Williams, IANS: If I can pick up from that, my RSA talk tomorrow is actually security for the have-nots. And it’s specifically because we have this chasm, this giant gap, between best practices and enterprise security and then what realistically even small-medium enterprises can do. And as much as I would love to say things like, if a vendor is gonna basically abandon a piece of software but the hardware still is usable [00:28:00] life, open source it or send it to a support contract servicer so that somebody picks that up, these small-medium businesses unfortunately are just not going to do that. All right, they’re not getting... the folks that we’re most worried about here, I think, are simultaneously the folks that don’t have EDR deployed, don’t have MFA deployed, aren’t doing the bare minimum, “you must be this tall to ride the internet” stuff, right?
Jake Williams, IANS: It’s a hard problem and I don’t know what the solutions are. Outside of, as Allan mentioned, the FTC at a minimum, right? You said you were doing this, you lied to the public, right? But those are very unique cases, I think.
Window Snyder, Thistle Technologies: To be fair, small businesses should be treated more like consumers.
Window Snyder, Thistle Technologies: That it’s not fair to expect people to have to be an admin for their alarm clock, right? For all these devices that small businesses deploy, they don’t necessarily have an IT person, let alone a security person. So this business of being this tall to ride, the right... actually, this is the failure of the folks who were building the technology.
Window Snyder, Thistle Technologies: It shouldn’t require this degree of management in order to stay up to date. It should be able to be updated without, let’s say, evaluating whether or not it’s going to come back up and disrupt your [00:29:00] business if it doesn’t, right? So developing the kind of confidence that we all now have with our phones: when our phones get an update, once upon a time, that used to take months and months of test passes that required multiple carriers to sign off. And now you’ve got updates that can be turned around really quickly for security issues. And nobody even notices that their phone got updated unless it’s, ooh, new features, right?
Window Snyder, Thistle Technologies: That degree of reliability has to happen for all of our devices, has to happen for all of our technology. Because it should not require a small business that is, you know, operating with a narrow margin to have a security person or a security consultant to do that, come in and do this. The degree of management that we expect for the enterprise, and they are going to be targeted because they’ve got a valuable asset.
Window Snyder, Thistle Technologies: And whether or not the attackers are stealing credit cards from that small business, they’re a launch point to other places. That’s again outside of the set of things that they’re going to make an investment in mitigating if it’s not directly impacting their business, when there are so many small businesses that are operating so marginally.
Window Snyder, Thistle Technologies: So it’s on us as technology makers to build more resilient technology that does not require the kind of enterprise scale intervention and [00:30:00] management that most of these devices at this point require. Working on it.
Tarah Wheeler, Red Queen Dynamics: Yes, I’m working on it. And that’s the challenge I think too in the incentives here.
Tarah Wheeler, Red Queen Dynamics: That razor thin margin that Window’s talking about is where the real challenges lie, because there’s no fat there to trim off for resources into security updates. And as Jake has said a lot and really powerfully, we’re looking at organizations that don’t have the same capacity as enterprises.
Tarah Wheeler, Red Queen Dynamics: And yet somehow we have the exact same expectations for them for their devices. This is an unreasonable expectation. And the problem with incentives is it also means that the people who build products to secure those services, those companies stop at a certain point. They stop at a point where there’s no more, where there’s no capacity.
Tarah Wheeler, Red Queen Dynamics: I have to stop at a point where someone can’t afford to pay for the product that I build, right? And there is a long tail of small to mid sized businesses that are three guys in a truck with broken Android phones, and they can’t even afford $10 a month a person. Okay, that is the level of [00:31:00] security poverty line, Wendy Nather, that we are talking about here in this room.
Tarah Wheeler, Red Queen Dynamics: And those I think are the people that we’re here to talk about. It’s also, and this is a good way to tie back into policy making, it’s also fortunately the one thing that policy makers will sit up in their chairs and listen to when you’re testifying in front of them. They’ll listen to stories about small businesses because those are their constituents and they have an outsized voice for the size of their company and the trust of the American public.
Tarah Wheeler, Red Queen Dynamics: There’s a path there to policy making that calls attention to the plight of small to mid sized business owners who can’t afford security measures the way the rest of us in this room can.
Chris Wysopal, Veracode: So how do we stop a manufacturer from building a bare bones, super cheap product where the update doesn’t really work? And they have a product that is 20 percent cheaper than everyone else. And it does all the same stuff. And that’s available at your store.
Paul Roberts, SRFF: And one of the issues, and this goes to the comment the gentleman made, is: right now, there are no disincentives to create disposable tech, [00:32:00] right? If you’re HP or Epson and you’re telling consumers, throw away that 60 pound inkjet printer because we’ve just decided that it’s obsolete and you should get a new printer, that cost is borne by that individual, by the community that they live in, their e-cycling, e-waste recycling program, and obviously by the planet.
Paul Roberts, SRFF: Thank you very much. But HP or Epson pay no cost for that. So there are no decisions.
Chris Wysopal, Veracode: It sounds actually profitable.
Paul Roberts, SRFF: In fact, it’s profitable for them. That’s right. They get to sell a new inkjet printer. All right. Yes.
Audience Member 4: Chris, I was thinking about what you just said about what’s stopping somebody from doing that. I think there’s this kind of duality of: we have so many issues right now. So somebody may want to solve an issue by creating a product that is available right now. So many people need assistance. There are people out on the street right now who could use the technology of a sleeping bag, to just buy that.
Audience Member 4: But then there’s also we’re thinking about 10, 20, 100 years in the future, what that’s going [00:33:00] to look like. I don’t even know if that was a question, but I think there’s this weird thing where people want to help solve issues right now, but then when there are government regulations and then there are security issues because we try and make a small product so global, yeah.
Audience Member 4: How are we supposed to make anything if we have to think about a hundred years in the future?
Allan Friedman, CISA: It is a little bit like the health authority preventing grandma from selling her jam by the side of the road. Because there is a legitimate public interest in preventing toing. But right now the tool that we have is: “Please, work with Sysco food producers.”
Chris Wysopal, Veracode: There can be reasonable regulation. In a lot of states, you have to have a fence that’s four feet high around your pool. “Oh, I don’t have kids at my house. I’m not worried about toddlers that are my kids. It doesn’t matter to me.”
Chris Wysopal, Veracode: It’s to protect the neighbor’s kids that might stumble into the yard. But there’s regulation there to make that pool. And everyone would say that’s reasonable, right? Because we’re talking life or death, right? Then that’s reasonable. [00:34:00] What is reasonable here?
Paul Roberts, SRFF: Tarah, one of your suggestions was what you call a graceful default around end of life decisions by companies. Because again, right now these are completely arbitrary. The corporation decides solely based on profit-loss, economic decisions; there’s nothing else that factors into it.
Tarah Wheeler, Red Queen Dynamics: So the idea that I had conversations with people about before, answering questions from the other side of this debate: small owners of fix-it shops, right?
Tarah Wheeler, Red Queen Dynamics: How am I allowed to fix a nine year old iPhone? Am I allowed to fix this? And there’s often this legal sort of gray area where, out of concern for liability, people won’t repair, replace or deal with devices if they’re not sure they’re allowed to. And there’s a permissions and a legal issue there.
Tarah Wheeler, Red Queen Dynamics: But really what we have to start doing is asking ourselves: if a company goes out of business after four years, they’ve manufactured 10 million products. They’ve shipped them around the world. The question that people will often have if that company has gone out of business is, can I repair?
Tarah Wheeler, Red Queen Dynamics: I’m thinking about a friend of mine in Paris right [00:35:00] now who’s from Tennessee. She has one of the little Bluetooth devices, and her niece has it in her home in Tennessee, which is where my friend’s from. That device has gone end of life because the company has gone bankrupt. And so they’ve simply abandoned all of their devices.
Tarah Wheeler, Red Queen Dynamics: It used to be that she could push a button on this device and send a little message, “Hey, I’m thinking of you.” It’s one of the simple ways you can keep in contact with people, to say hello to her niece. And I could fix that device, okay? This was bricked on purpose, and it’s a very simple brick.
Tarah Wheeler, Red Queen Dynamics: The problem is that I’m not actually sure if I could be in breach of any contracts or get myself into legal trouble. So the question I have is: is it possible for us, at the end of life of a company, to create a graceful default for any abandoned products that has almost what we would think of as an automatic entry into the public domain for any code and any hardware innovations that were part of that product?
Tarah Wheeler, Red Queen Dynamics: Any intellectual property that went into that, the company may be able to [00:36:00] sell some of its assets, but if it simply goes out of business and there’s no clear rights transfer to another party that can then also be held responsible for any problems with those devices, then how do we know if we’re allowed to work on devices or not?
Tarah Wheeler, Red Queen Dynamics: That right there can cause real problems, and there’s not really a good way to tell if a patent troll or if some company you’ve never heard of is going to come out of the woodwork and cause a problem for your three person repair shop in Seattle, Washington. That’s the real concern, and what I think is a real possibility is that there can be a legal clarity around the right to repair, especially when it comes to things that have been abandoned by their former manufacturers, that lets people be sure that they’re operating in good faith and have legal coverage to do... does that make sense?
Paul Roberts, SRFF: Both the manufacturer and the third parties who might want to do it.
Window Snyder, Thistle Technologies: I’m excited for folks to be able to contribute and modify and update software for, let’s say, that smart frame. I get a little bit nervous when I start thinking about hobbyists going after cars. Or modifying their tractors that have got [00:37:00] an object avoidance mechanism in place there that is a safety feature that, when modified by the community or by an individual, is probably not getting the same degree of rigorous testing that maybe John Deere gave it.
Window Snyder, Thistle Technologies: And now those are around the world, and if it’s a car and it’s out there in the world being modified... there’s already a huge community around modifying cars and sewing machines and, you name it, every device out there, right? That we have some sort of consideration in place for some.
Window Snyder, Thistle Technologies: Some of these computers are actually physical objects that have safety considerations in the real world that software is designed to mitigate, and we need to keep the actual users of these devices after modification safe.
Paul Roberts, SRFF: I’d challenge you on that, though. I would say low riders, right? East L.A., right?
Paul Roberts, SRFF: These are cars that were sold as sedans, but now they can pop four feet off the ground, right? And that’s probably not great. But that’s that person’s car, and that’s what they want to do with it. They want to trick it out and customize it. Yeah, there are [00:38:00] laws about how far it has to be off the ground, and they have to comply with, the state laws about vehicle safety.
Paul Roberts, SRFF: But it’s their car to do with as they want. And nothing about vehicle avoidance or crash avoidance changes that basic right of ownership. And if they want to low ride their software, they should be able to do it.
Window Snyder, Thistle Technologies: I think low riding is different than, let’s say, modifying your headlights to blind everybody, all oncoming traffic.
Paul Roberts, SRFF: But that’s a state... that’s a vehicle safety law, right? Yes, of course.
Window Snyder, Thistle Technologies: But... object avoidance and the software that mitigates these kinds of things is much closer to, let’s say, blinding oncoming software, which has a really specific law, compared to, let’s say, modifying.
Paul Roberts, SRFF: But in the aggregate, manufacturers use those types of arguments in order to constrain not just doing things that are going to harm other people, not just the kid falling in the pool and drowning, but somebody being able to replace their own windshield or bumper that gets damaged in a low speed accident. It’s got a sensor in it, and that sensor’s got to be calibrated properly, and we’re the only [00:39:00] ones who can do that. The price will be $13,000.
Window Snyder, Thistle Technologies: So there’s no absolution to this.
Jake Williams, IANS: Your coffee maker has DRM for your coffee. That’s right. It has DRM for coffee pods now. It doesn’t. Come on, right? That is... At any point, they’re going to obsolete my coffee maker.
Allan Friedman, CISA: Can I pull in Jake, because Jake and I have talked about this, of the difference between secure by design and safe by design, right? And a lot of people in this panel work with things that are even more risky than cars if something goes on. You want to talk about how regulators and engineers think about that?
Jake Williams, IANS: Yeah, definitely. And I think that’s really important, right? We talk about security and think about the exploitation of a vulnerability versus, again, ultimately, what are the configuration options that you’re even allowed to tweak? And ultimately then, for a failure mode, does it fail into a safe mode?
Jake Williams, IANS: Does the device fail into a safe condition? And again, I can think of countless biomed devices, certainly stuff in the utility space, a lot that we ultimately engineer and go out of our way to engineer as safe by design. That software, particularly for failure mode [00:40:00] operation, is typically run off of a separate processor and is very often, again, not something that we’d expect to be modified.
Jake Williams, IANS: And typically not something we’d expect to be even accessible to the end user, right? As opposed to the control software around it that may have a lot of vulnerabilities, right? Like, I think about IP...
Paul Roberts, SRFF: So we need some definition as well, yes?
Audience Member 5: Are we putting a cart before the horse if we’re expecting device manufacturers to support something for 10 years and we don’t have operating systems that last for 10 years? Or is there support for half that?
Chris Wysopal, Veracode: Or open source libraries that can be vulnerability free for 10 years.
Tarah Wheeler, Red Queen Dynamics: Very arguably what Window has said, and we’ll be a little bit separate on this, but I want to support what you just said, and very clearly raise the fact that there are times when it’s okay to have hobbyists and individuals modifying technologies.
Tarah Wheeler, Red Queen Dynamics: And there are times that it should not be appropriate. I don’t necessarily want to see an x-ray machine modified by an individual, even if they think they can fix it. It’s not a joke at this point. It’s funny, but it’s funny because it’s true. Josephine Hospital in Southern Oregon experienced the failure of multiple of their devices, [00:41:00] and there’s a real question as to whether or not they should be permitted to have some guy with a hatchet in there, trying to fix up the devices that are there, even though they have the right to do it; it’s a private hospital. They’re not experiencing subsidies. Hang on for one second on this one. I really want to make sure that we hear that there’s a difference between, I want to make, “I want to overclock something that’s cool in my house, and I’m going to treat people,” and there’s a major consumer safety issue.
Tarah Wheeler, Red Queen Dynamics: I’m going to fall on the rights of the individual, but I think that, to your question, Fitz, I think the real issue is, we can’t guarantee 10 years of an operating system because we don’t know the company’s gonna last that long. We can guarantee that the U.S. is gonna last that long, and if we don’t, we have very different problems than the ones we’re describing in this room.
Tarah Wheeler, Red Queen Dynamics: And the regulatory work may be the only thing that I think solves that problem.
Paul Roberts, SRFF: The danger that we all need to be aware of as a cybersecurity community is that manufacturers will take that argument about you don’t want anybody with a hatchet fixing your X-ray machine, and use that as a broad brush to characterize licensed third-party medical device manufacturers who just don’t happen to be their [00:42:00] authorized manufacturers.
Allan Friedman, CISA: And there is a 12-year-old government policy that actually goes all the way back to 1996, that addresses the copyright protection. The Digital Millennium Copyright Act, all the way back to 1996, has a process where every three years, the community can say, “we would like to break the copyright protection,” which is to say, how the DRM is implemented.
Allan Friedman, CISA: To do socially valid things. And it’s been fantastic to see the security community engaged. Matt Blaze has done this for voting machines. A lot of folks have done this for cars. People should keep doing this. And the other thing is also parts of the government have chimed in as well.
Allan Friedman, CISA: So I’m very proud that my former government agency, NTIA, has joined with the security research community for the last eight years to work with the Copyright Office. The Copyright Office likes copyright. And say, “Yes, this should be an exception. This isn’t what copyright is [00:43:00] for.”
Jake Williams, IANS: Can I just make, coming back to the safe by design thing, I think it’s illustrative to note that, and I’m going to use an IV pump as a very simple example here, right?
Jake Williams, IANS: Because the manufacturers will go and say, oh my gosh, right? Imagine if somebody updates your intravenous pump, right? But this thing’s running two different processors, two different operating systems, one of which controls the drug library, right? That one’s not publicly accessible. It’s not something you’re going to exploit over the network-connected IV pump. The other one is controlling the dosage.
Jake Williams, IANS: It’s sending the telemetry. And I say controlling the dosage because the other processor has a failsafe, right? And that’s what stops you as a hacker from using the root, running-as-root, no-authentication-required telnet to jump in and basically OD a patient, right?
Jake Williams, IANS: And so this is the whole safe by design piece, right? While I would certainly argue that we shouldn’t be in there on the right side, the OT side, if you will, right, of things, there should be nothing restricting someone from going in and patching the vulnerability with the actual network-accessible [00:44:00] portions of our IoT devices.
Allan Friedman, CISA: I want Window to tell me how much she trusts those fail safe devices.
Window Snyder, Thistle Technologies: So a lot of these systems that are running microprocessors, or let’s say it’s made up of many computers, and you’ve got your CPU and you’ve got a bunch of microcontrollers spread out through the device, like a car or a laptop, looking at, let’s say, a laptop with 26 different components with writable firmware on them.
Window Snyder, Thistle Technologies: Some of those microcontrollers running processes are operating systems that don’t have separation of space. They don’t have separation between code and data. They don’t have any of the modern memory corruption mitigations that we have in place today. And I bring up memory corruption because if you look at the public databases, 65 to 70 percent of the vulnerabilities in those databases are memory corruption issues.
Window Snyder, Thistle Technologies: So memory corruption is overwhelmingly one of the biggest problems. Now, those devices don’t have separation between code and data. It’s 1996 in there, going back to 1996 in there. And I go back to 1996 because that’s when we saw, actually 1995, when we saw splitvt being exploited.
Window Snyder, Thistle Technologies: It was the first publicly acknowledged demonstration [00:45:00] of a memory corruption vulnerability being exploitable. And after that, general purpose operating systems, for the most part, got in gear and started trying to develop mitigations against memory corruption. But, for whatever reason, microprocessors and the operating systems that run on them haven’t gotten on board to the same degree.
Window Snyder, Thistle Technologies: So we have basically the 90s in all of these different little processors. So to say that we’ve got these fail safes when we haven’t even done the basics, to say, this is 2024, what are those operating systems gonna look like 10 years out from now, right? When the devices are mostly uninspectable by not just the user, but also by the administrator and even the sophisticated enterprise organization.
Window Snyder, Thistle Technologies: Even if they want to hire the right folks, those kinds of fingers out here in the audience, to go investigate those devices, they can’t do it for every device that’s employed in their environment. So even when you know that you’ve got a problem, you can’t mitigate it.
Window Snyder, Thistle Technologies: Even though you know that the system is easily corrupted, there’s not necessarily a way to get back to a known good state or inspect the state that it’s in. Those devices are incredibly vulnerable, unmanageable, and are [00:46:00] just so hugely vulnerable, attached to critical systems, attached to basically everything that we do and not built even to remotely the level of security resilience that you see from like a general purpose operating system running on a consumer device.
Paul Roberts, SRFF: So we’re running a couple minutes over. One idea I just wanted to throw out there before we break is the idea that I think Chris raised and Tarah also, which is open sourcing, particularly in the consumer sector or the home appliances, personal electronic devices: when manufacturers end-of-life or abandon a product, merely open sourcing it.
Paul Roberts, SRFF: And we have Peter Mui at the back, who started the whole Fixit Clinic, and he’s got a bunch of examples, including the Pebble watch, of technology where that’s been done, right? That’s right. Pebble went out of business, but they open sourced their software, and the community has, for the last eight years, been supporting these early generation smartwatches itself.
Paul Roberts, SRFF: Updating the software, maintaining the cloud services, and so on. That’s one model. Thoughts on that? Is that a possibility? Is that [00:47:00] something that we might make a graceful default?
Tarah Wheeler, Red Queen Dynamics: At the end of life of a company, the job of that company is to wrap up its financial affairs legally and appropriately and to take care of its outstanding obligations.
Tarah Wheeler, Red Queen Dynamics: Very rarely do they think about the idea that they may need to handle the legal implications of the devices they’re about to abandon. And that’s why I think there’s a real call for having a graceful default on that. A default policy for devices that could be left to consumers with no company left to address their concerns and issues.
Tarah Wheeler, Red Queen Dynamics: That’s, I think, the real question. Pebble did the right thing, but I don’t know how much energy and effort it took to do the right thing at the end of life of that company. Most companies are not going to have that capacity. Having a de facto graceful exit that is legal clarity for people who want to repair or work on those devices is important.
Tarah Wheeler, Red Queen Dynamics: And I’ll be frank, if there are medical devices that are abandoned in that same way I’m not as concerned because those are the kinds of devices that get picked up, repaired, and are part of support contracts. I do want to see a regulatory element there, but for regular consumer grade devices, we need to have a de facto [00:48:00] graceful exit into legal clarity.
Chris Wysopal, Veracode: So this sounds like something that the consumer would... and the consumer, I’m using the broad “consumer,” could be a business. Thank you. ...when they purchase the device.
Tarah Wheeler, Red Queen Dynamics: I believe it. They should be.
Chris Wysopal, Veracode: How long will updates be available? Like the CRA is saying in the EU. I think actually the minimum is five years, but the actual patch needs to be available for 10 years.
Chris Wysopal, Veracode: So you’re talking 15 years that you know when you buy the device. The company knows they’re signing up to have a patch that comes out in year five be available for ten more years after its end of life. Now, I don’t know how that deals with going out of business, but I think a lot of this is you know what you’re getting, right?
Chris Wysopal, Veracode: Right now you have no idea whether that device is gonna get bricked or put out to the open source community. You just don’t know what the company is going to do. They probably retain all those rights when they sell it to you to do either of those things. And what we need is for people to know what the plan is for the device and how long it’s going to be supported and what the support is [00:49:00] like.
Chris Wysopal, Veracode: Because otherwise, you just don’t know what the value of the device is that you’re buying. You really literally don’t know whether this device will be this great thing that will last for 20 years or it will last for 3 years.
Chris Wysopal, Veracode: That seems like a huge range. And right now, it’s just, there is no buyer beware because the buyer doesn’t even know what’s going to happen.
Chris Wysopal, Veracode: Yes, Peter. So aren’t we gonna get a big test of this very similar week in California where right to repair takes effect on July 1st? It says any electronic device over a hundred dollars retail, the manufacturer has to provide seven years of parts, service manuals and diagnostic tools.
Audience Member 5: Yes. In California that’s been around since the eighties. That song.
Paul Roberts, SRFF: But we have state right to repair laws now in Minnesota, Oregon, California and New York that are starting to take effect.
Chris Wysopal, Veracode: But that doesn’t necessarily get you a patch for a vulnerability. Someone still has to do that work.
Ryan English, Lumen: I thought I’d mention this before we run out of time. What we’re talking about is time, and the research that we did on the Moon botnet, we’re talking about the other component to the Moon [00:50:00] was Faceless, which was a separate entity. Faceless keeps a running bounty on all devices that are reaching end of life. That bounty continuously updates, and they offer any amount of money for a POC for any device that’s on that bounty list.
Ryan English, Lumen: Once they get a POC from the 7,000 new criminal users per week that are coming to Faceless, which, pretty decent group of people to get your POCs from, then the Moon goes and weaponizes and recruits 6, 8, 10,000 new bots into their botnet. So whatever, we, I’ve heard some really good ideas from you all this morning, but the research that we had that went into that paper, they, the race is against people who are motivated to, to... I don’t want to use profanity, but your opponent is motivated.
Chris Wysopal, Veracode: They sound like they’re more organized.
Ryan English, Lumen: And their money organizes, right?
Tarah Wheeler, Red Queen Dynamics: Yep, it does.
Ryan English, Lumen: And the organized crime groups do this on purpose to [00:51:00] basically crowdsource the POC. And then they go, we watch them get 6,000 units in a week to go recruit into the botnet. So it’s a race against time.
Paul Roberts, SRFF: The final point I’m going to make is that this is why the Secure and Resilient Future Foundation was created. So we, there’s a picture up there of Mr. Wysopal and his buddies, 25 years ago.
Chris Wysopal, Veracode: Never gets old.
Paul Roberts, SRFF: Never gets old. We’ve had 25 years of stern warnings as a cybersecurity community to industry, to the government and sadly, I think we’d all agree, we don’t have a lot of wins to show for it.
Paul Roberts, SRFF: We can all look around at the state of the internet right now and cyber risk and attacks. All the trend lines are going in the wrong direction. And as we’re talking about with IoT, we have new challenges that demand, are gonna demand a new approach and new strategies. And the Secure and Resilient Future Foundation is, what, it’s like formalizing you and L0pht up there as practitioners, [00:52:00] people at the grassroots and the cybersecurity community saying we’re using our knowledge and influence to try and help you make the right policies and decisions to guide the future, or create a future that’s resilient, that’s secure, right?
Paul Roberts, SRFF: That’s sustainable. And so that’s what Chris and Tarah are on the board with me at SRFF for, and that’s what we’re going to be doing. But to do that we need a couple of things. We need your involvement, your time, your expertise, your thoughts, your participation. And also we need money.
Paul Roberts, SRFF: We’re a 501(c)(4) nonprofit and we’re going to be doing the types of things that advocacy groups do: doing research, doing reports, educating both policy makers as well as the private sector on some of these issues. And part of this panel is to reach out to you and say, first of all, here we are, we’re launching, and we would love to have you be involved.
Paul Roberts, SRFF: And scan the QR code of your choice, or QR codes and I would love to follow up with you afterwards if you’re interested. [00:53:00] Thank you.
Paul Roberts, SRFF: And thank you to my panelists. This has been really, sitting on stage with folks of this caliber is, a real honor. Thank you all so much for taking the time.