Spitballing IoT Security

Edward Dore edward.dore at freethought-internet.co.uk
Thu Oct 27 21:32:28 UTC 2016


> On 27 Oct 2016, at 21:25, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
> Hi,
> 
> 
>> At which point the 3GS was almost 5 years old (having originally been
>> released in June 2009) and had been already superseded by the iPhone 4,
>> 4S, 5 and 5S/5C.
> 
> But the release of and presence of those phones does not make the older phone suddenly stop working.  As noted,  the phone might be obsolete to those people hungering for the latest tech but as a phone and web client etc it still works fine. ....and will continue doing so whilst the battery is okay. ... and then,  with no updates it can be the next attack vector

No, but at some point everything has to be discontinued. You can't reasonably expect manufacturers to continue to support their products indefinitely, particularly without recompense.

To put it another way; are you willing to either pay more up front or some kind of ongoing fee in order to fund the manufacturer continuing to produce software updates for a device which is multiple years and multiple generations out of date?

> 
> Which is the point.  These things stay out there...like those winXP boxes.  There are 2 choices
> 
> 1) manufacturers are responsible for the devices.  No longer caring for them?  Recall them.  Compensate the users.
> 
> 2) stronger obsolescence.  eg kill switch/firmware tombstoning/network connectivity function ending timebomb
> 
> as a user of lots of legacy tech i find either option bad :/
> 
> alan

Windows XP was released in October 2001 and finally killed in April 2014. Even the last service pack was released in April 2008. That's a pretty long life and I don't think it would be reasonable to expect Microsoft to continue to spend time and money supporting it any further.

Users need to take some responsibility when it comes to making sure that their software (or firmware in the case of embedded devices) is still supported by the manufacturer. If you choose to use it past the end of the manufacturer's support, then you need to be prepared for the potential consequences of doing so, including that your service provider disconnects you from their network as your device(s) are participating in DoS attacks.

Of course, the manufacturer needs to provide the user with some kind of reasonable expectation of the lifetime of a device so that they can make the appropriate plans to invest in a suitable replacement.
In the case of Windows XP there has been a published official lifecycle for an extremely long time (since SP3 was released?). There was also a lot of press coverage before and after the end of support, so it shouldn't exactly come as a surprise to anyone.
For the iPhone, new versions of iOS generally support the last 4-5 iterations of the hardware (I'm not sure if there is an official published policy about this), which is typically updated annually. Currently that is the iPhone 5/5C from September 2012, the iPhone 5S from September 2013, the iPhone 6/6+ from September 2014, the iPhone 6S/6S+/SE from September 2015 and the iPhone 7/7+ from September 2016.

Edward
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20161027/cf2ad2bf/attachment.sig>


More information about the NANOG mailing list