I’ll take 5 kilograms of security with that order, please.
May 15th, 2008
Recently exposed in the NY Times and picked up on by good folks such as Bruce Schneier (read his whole post… it is a great summary) is an alarming study conducted by the Medical Devices Security Center identifying a host of privacy and integrity attacks that can be implemented by exploiting the wireless interface between a pacemaker and the external control unit.
Wow… being pwned never seemed like such a direct threat to human life.
The above is a snippet from the paper describing the kinds of attacks they were successful in demonstrating in vitro. The paper is fascinating. Part of their attack tooling was the Free GNU Radio project. GNU Radio and some radio interface boards created to be compatible with GNU Radio were used to both analyze the over-the-air communications and generate the transmissions used for the active attack.
What gets me is that while this is clearly a complex attack, I’ve seen the genesis of these assaults first hand. I recently viewed a multi-page requirements document for an innovative device. Thousands of man-hours of labor were implied by the requirements. There was a line item that simply stated one requirement:
- Security
That’s it. A single bullet.
I’ve seen much better from other folks. I’ve actually been in security reviews with customers, discussed the risks and security objectives of their designs. I’ve met folks who had that security mindset that can at once be confounding yet stimulating. Most, however, just see security as something that is bundled in a package (like the great OpenSSH) or is the result of installing all the updates.
There is more to it. Read some Ross Anderson. Read some Bruce Schneier. I’m just a security engineering wannabe but I still learned a lot.
Use your vendors, too. No one wants to see their product implicated as part of the next great security failing. MontaVista has people who can help you to understand your risk profile. If technologies are the right answer we can help you get the most out of Open Source to address those security risks.
But we don’t sell, and never have sold, security by the kilogram. Sorry.



