nanog mailing list archives

Re: Spitballing IoT Security


From: Edward Dore <edward.dore () freethought-internet co uk>
Date: Thu, 27 Oct 2016 22:32:28 +0100


On 27 Oct 2016, at 21:25, Alan Buxey <A.L.M.Buxey () lboro ac uk> wrote:

Hi,


At which point the 3GS was almost 5 years old (having originally been
released in June 2009) and had been already superseded by the iPhone 4,
4S, 5 and 5S/5C.

But the release of and presence of those phones does not make the older phone suddenly stop working. As noted, the
phone might be obsolete to those people hungering for the latest tech but as a phone and web client etc. it still
works fine... and will continue doing so whilst the battery is okay... and then, with no updates, it can be the
next attack vector.

No, but at some point everything has to be discontinued. You can't reasonably expect manufacturers to continue to 
support their products indefinitely, particularly without recompense.

To put it another way: are you willing to either pay more up front or some kind of ongoing fee in order to fund the
manufacturer continuing to produce software updates for a device which is multiple years and multiple generations out
of date?


Which is the point. These things stay out there... like those winXP boxes. There are 2 choices:

1) Manufacturers are responsible for the devices. No longer caring for them? Recall them. Compensate the users.

2) Stronger obsolescence, e.g. kill switch/firmware tombstoning/network connectivity function ending timebomb.

As a user of lots of legacy tech I find either option bad :/

alan

Windows XP was released in October 2001 and finally killed in April 2014. Even the last service pack was released in 
April 2008. That's a pretty long life and I don't think it would be reasonable to expect Microsoft to continue to spend 
time and money supporting it any further.

Users need to take some responsibility when it comes to making sure that their software (or firmware in the case of 
embedded devices) is still supported by the manufacturer. If you choose to use it past the end of the manufacturer's 
support, then you need to be prepared for the potential consequences of doing so, including that your service provider 
disconnects you from their network as your device(s) are participating in DoS attacks.

Of course, the manufacturer needs to provide the user with some kind of reasonable expectation of the lifetime of a 
device so that they can make the appropriate plans to invest in a suitable replacement.
In the case of Windows XP there has been a published official lifecycle for an extremely long time (since SP3 was 
released?). There was also a lot of press coverage before and after the end of support, so it shouldn't exactly come as 
a surprise to anyone.
For the iPhone, new versions of iOS generally support the last 4-5 iterations of the hardware (I'm not sure if there is 
an official published policy about this), which is typically updated annually. Currently that is the iPhone 5/5C from 
September 2012, the iPhone 5S from September 2013, the iPhone 6/6+ from September 2014, the iPhone 6S/6S+/SE from 
September 2015 and the iPhone 7/7+ from September 2016.

Edward

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

