Avoiding the coming IoT dystopia
Posted Feb 13, 2019 2:52 UTC (Wed) by faramir (subscriber, #2327)
In reply to: Avoiding the coming IoT dystopia by ay
Parent article: Avoiding the coming IoT dystopia
Posted Feb 13, 2019 11:22 UTC (Wed) by excors (subscriber, #95769)
> all bets are off if someone has physical access to the device
It's still important to consider the time, skill, money, equipment etc required by an attacker with physical access, and how easily the victim can discover the attack.
If you invite your neighbours around and their kid sneaks into your bedroom and reprograms your IoT camera with some undetectable off-the-shelf spyware after thirty seconds with a screwdriver and a phone, that's not acceptable security. If they have to desolder the flash chip, plug it into a reprogrammer, then solder it back on again (which requires specialised equipment since it's far too small to do by hand), that's a very different category of attack; maybe that's good enough for a consumer product, though it still doesn't seem great. And if the only way to make it undetectable is to steal the device's private key by spending days with the chip under an electron microscope, that's another category again and is probably good enough. The difficulty is in achieving one of those stronger forms of security while still allowing the legitimate user to replace the firmware.