[jjguy]

This is the new normal, folks. Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from. Changing that requires a significant upheaval in their business models.

This applies to every "connected device:" printers, cell phones, home routers, refrigerators, thermostats -- you name it. Michael DeGusta did a great infographic demonstrating this for Android phones in 2011 [1, 2]. Sadly, this hasn't materially changed in the eight years since. Just this year, Google added new terms to the Android license requiring security patches, but even then only for "popular devices." [3] Imagine those dynamics in the secondary and tertiary markets of printers and refrigerators.

As an industry, we've been to this rodeo before. The advancements we've made in operating system and core applications security over the last 20 years have more about patching speed and agility than shipping fewer bugs. However, those areas have backing and control from Apple and Microsoft, managing the end to end ecosystem. There is not a similarly equipped manufacturer of embedded operating systems with the scale to provide post-sale/post-deployment patching infrastructure.

Since this is Hacker News, I'll point out the enormous opportunity to anyone who can address that problem. Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves? Do you have a better approach to it? There's a burgeoning multi-billion dollar market waiting for a few leaders to take it over.

1 - https://theunderstatement.com/post/11982112928/android-orpha...

2 - img link is broken in his post, the graphic itself: http://media.theunderstatement.com/016a_android_orphans.png

3 - https://www.theverge.com/2018/10/24/18019356/android-securit...

[dangus]

Until consumers are willing to spend on subscription services to keep devices up-to-date, new hardware is the de facto method of paying for software development work.

Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

So they'd have to physically drive around looking for these three specific D-Link routers.

And then what would they get out of a successful exploit? Access to your network's traffic and unprotected file shares (most people don't even have any file shares), and even that level of access will be rather useless for getting important information like bank credentials (protected by HTTPS).

Am I wrong about any of this?

A lot of non-technical people use old Android phones, old printers, etc, and never experience any serious security breach. Some of them do experience a security breach, but it's far more likely to happen in a social exploit (phishing, whaling, etc) or institutional breach (your reused password being breached from a database hack of a popular website). In a lot of ways, ignorance is bliss.

[spartas]

>Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

Nope. Not at all. Most router attacks these days are malicious JavaScript (like in ads and trackers) that send HTTP requests to the router from the user's own web browser (already inside the network). No proximity access is needed

https://arstechnica.com/information-technology/2019/07/websi...

[jjeaff]

Would this not also require some sort of exploitable CORS vulnerability?

[chopin]

CORS prevents the JS from seeing the result but it doesn't prevent the sending of the request.

This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

[spartas]

> This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

Do you also disable WebRTC on all clients on your network? An attacker (or script) may be foiled by your non-standard gateway network, but your work in obfuscating the router is wasted if they can get at your client IP address.

[kbenson]

Doesn't CORS generally send an OPTION request first to see if the target site even allows the requests, thus preventing this? That's what I've seen when trying to work around browser CORS limitations.

[upheaval7276]

only for ajax requests that are not "simple", that is requests that cannot be sent w/out JavaScript. The sending of this OPTIONS request is referred to as a pre-flight. A more through description at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

[foxylion]

You can also just do a normal form post request into an invisible iframe that is generated by the attacker's javascript.

[singron]

You can submit forms without CORS as long as there is no CSRF protection. I don't know what CSRF protection is being used.

[peeters]

Depends on the attack and the vulnerability. The article does say this:

> The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks.

Which implies that a cross site request is being made. So e.g. you put a hidden form in a netf1ix.com page whose action is at some URL on the router. The user ends up accidentally posting data to that URL which is not affected by CORS and same-origin.

[jtaft]

Normal form posts don't require pre-flight requests. DNS rebinding attacks can be used too.

[dredmorbius]

Until consumers are willing to spend on subscription services...

You cannot shift a Gresham's Law race-to-the-bottom dynamic by insisting on consumer (or producer) willpower. You've got to enforce a floor.

In other consumer (and industrial) products, this has tended to happen through the combined mechanisms of strict liability, certification, and independent inspection (in specific cases).

Where manufacturers, or as seems more likely given the industry concentration around sales points, retailers, are liable for the consequences of unfit-for-purpose devices and services, a reasonable set of minimum requirements (including life-of-product and update requirements) can be specified, then you might see a shift to some mix of time-of-sale plus subscription service pricing and payment models.

More likely you'll see devices bundled with services (which sometimes happens), though preferably in a far more user-friendly basis than is presently the case (e.g., cable service set-top boxes).

There's actually a long history of leased-equipment business in the IT sector, most notably as pioneered by IBM in the 1950s and 1960s.

[harikb]

As soon as warranty/support expires, the device must be free for DRM/reverse-engineering. This will incentivize manufacturers to offer longer support.

Edit: Rather they should actually provide the spec, drivers etc

[ekianjo]

As support expires or EOL the manufacturer should be forced to release their firmware code to ensure older devices can be patched, if they want to keep operating and selling new devices. this requires legislation though.

[agret]

There are a lot of routers using GPL code that have open source firmware available (ddwrt,openwrt,tomato,etc.) I think once support for a device ends it should be mandated that the company release the source code for future development.

There is a worrying increase in the amount of IoT devices that will remain forever unpatched due to the (cheap overseas) manufacturers never updating them or ending support for them.

[swinglock]

Make that one year before ending support, so there is both time to prepare and incentive to open source early.

[ralph84]

Ma Bell was leasing telephones since the days of Alexander Graham Bell. In fact you weren't allowed to use any telephone except one leased from your telco until the breakup of the Bell System in the 80s.

Not sure that is what we want to go back to.

[dredmorbius]

There were definitely problems and abuses with the model.

But the hardware itself was robust and reliable.

[bsder]

Remember: "We don’t care. We don’t have to. We’re the Phone Company"

Fake commercial on Saturday Night Season 2 Episode 1.

(It wasn't called Saturday Night Live until later.)

[dredmorbius]

I find the story of Walter Shaw Sr. even more instructive.

Independent inventor convicted and gaoled by AT&T for "misdemeanor attachment", the crime of attaching non-AT&T equipment to AT&T's phone network.

https://en.wikipedia.org/wiki/Walter_L._Shaw

More on this in the first bit of "The Inventor and the Thief" on Snap Judgement:

https://www.wnycstudios.org/podcasts/snapjudgment/episodes/l...

[CamperBob2]

Because the hardware didn't do much of anything!

[dredmorbius]

Contrast Minitel, a videotext online system provided by the French government phone monopoly Postes, Télégraphes et Téléphones in 1980.

https://en.wikipedia.org/wiki/Minitel

[wmf]

See also the Charter lawsuit where it was revealed that Charter was renting very old equipment to their customers for years and didn't care.

[dredmorbius]

That's where the minimum standards aspect comes in. The problem of noncompetitive monopolies failing to innovate and actively quashing independent inventors (see: Walter Shaw, Sr., amongst many others) is a risk of this approach.

[Aloha]

AT&T didn't just come out and install a newer telephone because they had a newer model. If the equipment is fit for the service why replace it?

[TheSpiceIsLife]

If you rent a $100 device at $10 a month for 10 years you end up paying $1200 and still not owning it.

I can see why consumers and consumer advocate groups don’t like this.

[dredmorbius]

AT&T later in its history, 1960s - 1970s, offered the option of uplines (touch-tone, "Streamline", "Princess", and eventually Mickey Mouse telephones) as service upgrades. So there wasn't no interest in innovation, though I'd agree with the general view that the interest was low.

[wmf]

I should have said they were renting very old and inadequate equipment; it wasn't fine and they knew it.

[dangus]

And most consumers probably lease their routers through their ISP as modem/WiFi router combos, which essentially remain supported and updated by the ISP.

If we alternatively enforce a floor on security updates for user-purchased routers, let’s say we require security updates for the physical lifespan of the device (10 years?), they will be baked into the price of the device in some way, and I’m not sure the majority of home router customers who essentially look to spend around $20-40 will be willing to bear that cost.

An example of that in action would be purchasing a business SKU laptop compared to a consumer one, and taking a look at the length of driver support.

[cle]

Most routers I've seen have a setting to enable "remote management". The DIR 655 does (see pg. 75 of its manual). If you have enabled that, then its login page is accessible via the Internet.

Many small businesses not only have unprotected file shares, and have remote admin turned on so that their IT person can administer the router remotely (as silly as it is). I saw this so many times when I worked in IT. People make all sorts of assumptions about LAN privacy when setting up their network and devices.

[greggman2]

As others pointed out JavaScript can try to access stuff but even more than that, the 400 apps on your phone, the 50 on your Mac and all your Steam games on your PC, all have full network access that JavaScript in the browser does not have. They can access every port, send corrupted packets, and scan your entire network for exploitable devices.

[tinus_hn]

You can use Javascript in an ad to make the browser connect to the internal IP address, which often is something like 192.168.1.1 and then once you’re in you can add the device to a botnet and sell its bandwidth or reroute its traffic.

[Smithalicious]

I just fundamentally don't think a subscription service is fair here. After all, users are paying for the fixing of errors that shouldn't have been there to begin with. It's not the fixing of problems that are newly created but the fixing of defects that were there all along. Plus, the incentive here is backwards; in the most degenerate case, companies are incentivized to sell things as buggy as possible in order to sell the most bug fix subscriptions possible.

[ekianjo]

One solution would be to force the source code of non supported devices to be released (by law) so that third parties could be paid by individuals to update and patch them as long as there is a market.

[TheSpiceIsLife]

> Until consumers are willing to spend on subscription services...

Ok, I’m willing. Where do I sign up?

Which manufactures are offering this service for residential grade equipment?

[Marsymars]

Eero doesn't charge for updates, but they do have a subscription service for value-add services that cost them money, and have a pretty good track record of pushing automatic updates.

[lotsofpulp]

There is none. Everyone should have a Meraki security appliance in their home.

[TheSpiceIsLife]

Dear lord.

[syshum]

Until manufacturers are liable for the damage they cause to security, and data loss events for consumers manufactures will continue to have unrealistic planned obsolesce model (12 months should never be the expected life span of a router) to force consumers to continually buy new hardware

[CalChris]

I see your point but I overpay for the iPhone I’m typing this on partly for that upgrade service. It is also something I appreciate about the Tesla as opposed to every other car I’ve ever had.

[pbhjpbhj]

Why can't an attacker with router access poison the DNS, redirecting a bank address to the router itself with a fake cert, and duplication of the login screen and steal credentials that way? (Or probably better, steal online MUA [ie email] credentials).

I guess 2FA might block them, but if it were a typed in code you could still get it.

[mtgx]

Or manufacturers can stop making "smart" devices just so they can fill them with ads and malware, leaving customers exposed to unlimited amount of threats.

It's not like they're just "giving you the choice" either. TV makers have already started completely removing non-smart TVs from their line-ups for instance.

I don't want a smart TV. If I want my TV to be smart, I'll buy a $50-$100 set top box I can upgrade in 2-3 years and is probably significantly more secure. Meanwhile a "smart" TV I will keep for 10+ years, but won't receive updates even for 20% of its lifecycle.

[wil421]

> This is the new normal, folks. Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from. Changing that requires a significant upheaval in their business models.

Ubiquiti has a number of CVEs and has addressed them in a timely manner, IMHO. If you’re buying the cheapest product then expect the cheapest support. My UniFi stuff is easy to manage and upgrade. I can set a number of auto updates I can’t do with other vendors.

[samgranieri]

I also have Ubiquiti networking equipment at home.

Originally I had a DLink gaming router, but as soon as that router went out of support I switched to Apple networking gear, thinking Apple would do an excellent job with support. Also, 802.11AC wasn't supported on my Dlink router.

Then I read an article about Ubiquiti networking equipment on ArsTechnica a few years ago and thought about getting that for a forever home.

The thing that sealed my home network upgrade was Apple discontinuing their networking equipment. I figured (at the time) that Apple would abandon support for their devices. I remembered the Ars article from 4 years ago, and took the plunge on a cloud key, access point, USG, and Unifi Switch. Is this overkill or a 1 bedroom apt or 2 bedroom condo? Yes. However, having the piece of mind that the hardware I bought has continuous software upgrades and excellent customer support via their forums is outstanding.

[onaraft]

Ubiquiti isn't really consumer, though. They want to target enterprises and businesses.

Sure, their hardware ends up in residential deployments more often than perhaps any other kind of enterprise computer stuff, but if you're not willing to call them "enterprise", I'm going to insist they be practically alone in their own category of "pro-sumer but actually professional-consumer, and not the yuppie garbage that you usually call pro-sumer that's just the normal consumer crap but priced at 4x with a slick black plastic case."

I agree with GP in that the spectrum you are suggesting ("you get what you pay for" actually looks more like this:

<cheap garbage> ----------- <expensive garbage> ----[huge $$$ gap]----- <enterprise stuff for price-insensitive corporations who value brand and risk-aversion more than actual specs>

Which I would reify into the realm of, for example, computer hardware, as follows:

<a $100 best buy laptop with Windows> --------- <a $4000 alienware desktop with windows> --------------- <a $40000 Dell server with out-of-band management and ECC ram and HSM's and dual power supplies and actual RAID controllers and so on>

The best buy laptop and the alienware desktop are going to have the same issues with regards to control and privacy, and you need to make a huge jump to get to anything remotely respecting you.

[wmf]

Ubiquiti is targeting small business (not enterprise) but their prices are firmly within consumer range. (For actual enterprise look at Meraki prices.) Likewise Apple Airport (RIP), Google Wifi, Eero, etc. have long-term support for a modest premium. There's no huge gap.

[supercommand]

Yeah, and you don't even need to install a super old version of java to manage or update Ubiquiti products either.

[jumpingmice]

I'm not really sure there is enough evidence behind your assertion. Google wifi APs have got continuous updates from Sep. 2015 to current day. Sonos players have been continuously supported for 15 years. Apple's just-released OS runs on 7-year-old hardware. There are and have always been fly-by-night organizations that sell junk with bad software and no updates. That's not new, nor is the existence of reputable vendors with long support policies.

[AceJohnny2]

All the brands you've cited are "luxury" brands whose proposition includes long-term support.

It's a different market segment that doesn't refute GP's point.

[nyolfen]

i have a $30 netgear router from walmart that has gotten security updates for at least three years

[mikehollinger]

I’m not going to be hacked because of my Apple TV or my google Wifi router; it’s going to be my light switch that does me in.

[greggman2]

Your Apple TV runs 3rd party apps, any of which could be hacking you.

[rlpb]

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves?

Ubuntu is already doing this: https://ubuntu.com/internet-of-things

For Linux distributions, security updates and maintenance are a solved problem. Ubuntu adds to this a read-only filesystem with atomic updates for embedded devices, vendor-only apps and app stores, and so forth.

Disclosure: I work for Canonical, but not in this particular area.

Speaking for myself, I find it frustrating that Ubuntu's solutions aren't more widely known and recognised. As far as I know, our community is very aware of the issues involved in this space and there is no other solution that solves the "IoT maintenance" problem properly.

[LilBytes]

I've been looking forward to seeing Canonical's adoption in IoT getting better and better. Here's to hoping.

[megous]

> This is the new normal, folks. Consumer technology is manufactured for six to twelve months.

Not completely true. For example, just something I discovered recently is that some e-book readers have very long lifespan if you look inside and ignore the battery. There's not even an electrolytic or tantalum capacitors there. Really nothing that will expire.

If you don't kill it mechanically, these will survive for 10 years+ just fine. Even the internal memory holding the OS and your data is easily replaceable (uSD card, and no other memory that can get corrupted). Indeed you can easily upgrade your $150 2GB e-book reader to 32GiB for $6, with a much faster uSD card. Or even replace the OS completely. ;)

The only thing that makes these devices' lives limited is the battery and the cheap noname uSD card. They even make it so that display is easily replaceable, no glue or anything.

What I hate is lack of commitment to free software. Manufacturer will just dump incomplete old kernel code on github once, without a source code to also GPLed bootloader, after years of nagging from users, and calls it a compliance with GPL.

They don't even bother with mainline Linux support, that would make it so that anyone could use their device for whatever creative prupose and it would get automatic longterm software support for free, even after they would not want to bother anymore to support it.

It's not even a cost thing, I just reverse engineered one such device and it now runs Linux 5.4-rc2 and all HW works, including an eink display driver. It took about 2 weeks of occasional work. Instead the manufacturer probably spent huge amount of time hacking together some old kernel and messy SoC vendor drivers, so that the OS at least holds together for their purposes.

It's probably just some culture thing of not giving a fuck about anything but themselves. And there's a huge amout of waste as a result. At least some people sell these devices if they are just locking up/hanging (sure sign of uSD card data corruption) on eBay. But many will probably just throw it out. Such shame.

So yeah, some tech is indeed solid, but manufacturer will gladly mess all the benefits up on the software side, for no real reason, at least to me.

[namibj]

What model is that?

[megous]

http://linux-sunxi.org/PocketBook_Touch_Lux_3

But I hope people will buy second-hand or broken + replacement display instead of supporting the company and buying new, if they want to play with it. They don't really deserve any support for abusing the free work of others and violating the GPL license.

[lstamour]

> Can you provide an “enterprise class embedded OS” to device manufacturers and address post-deployment updates?

How about Microsoft’s Azure Sphere Linux/cloud product with “10-year lifetime” support?

> Azure Sphere will feature a turnkey cloud security service that guards every Azure Sphere device, including the ability to update and upgrade this security protection for a 10-year lifetime of the device.

https://blogs.microsoft.com/blog/2018/04/16/using-intelligen...

Samples: https://github.com/Azure/azure-sphere-samples

Pricing, with support through July 2031: https://azure.microsoft.com/en-ca/pricing/details/azure-sphe...

[wmf]

Azure Sphere looks awesome but they need more SoC models for different use cases.

[ncmncm]

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates?

Yes. At least for routers, the topic of the article, OpenWRT is that OS. Any manufacturer can make it work on their router very cheaply. Any customer can install and upgrade it indefinitely.

[patcheudor]

For D-Link this is the normal, normal and has been for years. Check out VU#924307 which they never fixed. It could be triggered either by an attacker or just in the normal course of using the router:

https://www.kb.cert.org/vuls/id/924307/

[deogeo]

> Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from.

And yet my over 10 year old PC still gets the latest updates. Manufacturers have brought this on themselves, by locking and closing their devices, and insisting on proprietary solutions when open alternatives exist, or could exist.

[AceJohnny2]

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves?

Partly to your point, Buffalo was using DD-WRT for their wireless routers [1]. I have two of them at home, updated to the latest LEDE/OpenWRT. They're mostly fine [2].

Buffalo's support was not great, lagging far behind the latest DD-WRT when they were still providing those updates. As a power-user, I didn't mind since I could switch, but it was not a great showing for vanilla consumer.

Sadly, Buffalo has stopped making them, I suppose the business model didn't survive such a low-margin segment. I definitely appreciate the continued open-source support though!

[1] such as https://www.buffalotech.com/products/airstation-highpower-n3...

[2] I've had to reboot the main one to regain network connectivity a couple times, and it currently loses Wifi settings on power loss. Not great, but not enough to make me switch away yet.

[m463]

I think there are other brands that allow openwrt, such as the linksys wrt ac series:

https://openwrt.org/toh/linksys/wrt_ac_series

Their support for the first models in the beginning was a little spotty, but I think they are great systems now

[dehrmann]

> but live in our homes for three to five years

I have a wrt54g that's 10+ years old running at my grandma's house...and running dd-wrt because no one making APs 10 years ago, and even now, was that good at security and stability.

What's telling is that the hardware is the part that still works, and I bet part of it is that software fixes are easier than hardware, so you can get away with lower quality software.

[m463]

I think that's a great idea (I run openwrt)

However - I have to ask - have you upgraded her dd-wrt?

[dehrmann]

I check in on it once a year, or so. It's not really enough, but the hardware's so limited, I don't think there are many changes getting made to it, anymore.

[ghaff]

I daresay people aren't going to like this answer but, you ultimately have to align the interests of the manufacturers and the consumers. Which probably means some sort of subscription model and even a requirement that the subscription be current to function.

I know. Yuck. But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

[eropple]

> the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions

I am unclear why this is not the preferential solution here. "Don't sell lemons" is a societal good.

[redwall_hp]

Laws requiring that consumer electronics not be effectively disposable is also a net good for the environment as well. I'd like my router to have active cooling (so it doesn't self destruct from heat) and run an open source firmware that will survive longer than a single manufacturer may be willing to maintain it. (They all can jointly contribute.)

Phones should have some level of modularity and repairability, so they can last a multiple of their present service life. (Think smaller scale standards like in desktop PCs.)

[ryandrake]

We would need stronger consumer protection laws and regulations around defective products. My car’s manufacturer just fixed my 10 year old airbag for free, presumably not out of the goodness of their hearts but because they are required to.

[ghaff]

They're not necessarily lemons at the time of sale though. In general, we don't legislate that products need to upgraded and maintained after they're sold. (Yes, there are lemon laws and warranty requirements for defects--which are at least related.)

However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

There is an idea of harm to the ecosystem/society with unpatched IoT and other network devices though. So perhaps a heavy-handed approach is justifiable.

[eropple]

They were lemons at time of sale, though, we just didn't know it yet. Between that and the ecosystem/society argument, I think it's a no-brainer.

> However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

This analogy doesn't work for me; software bugs are defects, they aren't something getting old and falling apart. I think that a defect in an automobile should be repaired at manufacturer expense whether it's a year old or twenty.

[__jal]

The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

The economics of providing 5 years of defensive patching on a $100 device simply does not work.

[snuxoll]

Maybe they need to stop shipping a dozen different $100 models with wildly different specifications and come up with a common platform to reduce support costs, like most other industries.

Support costs increase as fragmentation does, it things sold at a reasonable price and without dozens of variations it would be more feasible to maintain longer supported life cycles - but these companies have no incentive to think beyond the next quarter’s earnings call.

[aaron_m04]

> The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

Not yet.

[crankylinuxuser]

Then maybe they shouldn't be able to make a profit on doing society wrong in the medium or long term.

[OJFord]

It drives prices up in equivalence with subscription pricing over the typical lifespan.

(i.e. not obviously better or worse)

[eropple]

Subscriptions are ongoing cash-flow. There's no reward to doing a good job, and there's only a perverse reward to not doing a good job--it keeps people subscribed.

Frankly I think the better option might actually be the reverse: a mandatory payout to every customer for every nontrivial security defect. Not sure how you'd adjudicate it, so it's pie-in-the-sky, but take it out of the realm of the class-action lawsuit and see how serious these manufacturers become about correctness.

Businesses fear only the big stick; it should be swung on the consumer's behalf.

[ghaff]

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.

[eropple]

Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

[ghaff]

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

[anderskaseorg]

Maybe the manufacturers would figure out more efficient solutions given incentives that encouraged them to do so. For example, they might decide it’d be more efficient to use OpenWrt than to do separate security maintenance for N incompatible closed platforms.

[AnthonyMouse]

> But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

What would be better is to require that the firmware be replaceable with something like DD-WRT or OpenWRT. One of the biggest issues with hardware like this is that the original manufacturer goes out of business and yet millions of people still have their devices.

You can't require updates from a company that no longer exists, but that's not really a problem if their hardware can run the latest versions of half a dozen different open source router firmwares.

[jdnenej]

There is an even better solution. Simply use open source firmware on these devices and this will not be an issue. It's much less effort to maintain one common firmware rather than a new one for every device.

[ghaff]

Some subset of the code may be common. A lot of code that is specific to a particular device won't be. I'm actually open to the idea that vendors could benefit from working with open source firmware and differentiate in other ways. But "use open source" doesn't magically reduce the effort. They probably already have core software bases that they don't need to change all that much for new devices.

[zanny]

The thing is that for a new device you only need hardware enablement in the kernel - something largely one off that manufacturers can do in the same cadence as device sales so their priorities align.

What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT and using regulation to compel device manufacturers seeking approval by the bureau to submit their requests contingent to providing device specific hardware enablement upstream and to default-ship their devices with this common OS. Then those certification costs fund the ongoing operating system project.

If a company then wanted to implement a new feature to push their hardware, they could... by submitting it upstream.

There have been so many billions of developer hours wasted in the pursuit of profit by reinventing every single damn wheel a trillion times over its disgusting to think about and governments should be recognizing this flaw in US-IP-driven software business models and work to correct it.

[AdieuToLogic]

> What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT ...

The exact opposite is what actually happened. In late 2016, the FCC specifically banned owner-based firmware upgrades[0]. It was ostensibly due to RF configuration, it could also be seen as a concession to the manufacturers.

0 - https://hackaday.com/2016/02/26/fcc-locks-down-router-firmwa...

[wtallis]

Pretty much the only custom code that router vendors write is the web UI, which is sometimes a fully custom job and sometimes a reskin of DD-WRT or OpenWRT's web interface. Otherwise, they're generally shipping whatever code they got from the SoC vendor, which is generally a fork of OpenWRT from around when that SoC taped out.

"Use open source" would make the situation appreciably better, because it would mean not accepting any closed-source or out of tree drivers that lock you in to particular kernel versions and non-standard management APIs. Once those problems are out of the way, frequently rebasing the web interface on current upstream OpenWRT is pretty straightforward.

[jdnenej]

If they used open source the drivers could be mainlined and then you really could just drop one standard OS on it

[chooseaname]

Or increase the initial price enough to cover the N years it is expected to be in service. If you make a 5 year router, charge for that. If you make a 10 year router, charge for that. But don't charge for a 5 year router and drop it after 2.

[TaylorAlexander]

I think consciousness raising is important to. Many have made efforts to explain these downsides, but it is a never ending challenge to keep the public aware of why closed source technology harms them compared to potential open options. Consumer opinion is one of the tools we can use to change this situation, and an important one IMO.

[heavenlyblue]

This all is simply fixed by open-sourcing the outdated software.

[jdnenej]

Open source the in date software as well. All home router software is absolutely horrendous

[archi42]

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates?

There is already vxWorks, they don't have to start from scratch and they're already widely used in the industry. (There are others as well).

Anyway: The devices in question are running some Linux with a custom web interface on top. Patching this specific flaw is just about having one engineer add a few lines to the webif git, trigger a rebuild, flash to a qemu VM (could happen automatically) and test if the interface still works. If that's the case (which is likely), put the firmware as "unsupported"/"alpha" on the company FTP.

This assumes they have proper tooling (e.g. tagged git, automatic&deterministic build server, an efficient test environment,...). If they don't have, they probably wouldn't buy it (or, maybe they would?).

Automatic post-deployment are only the end of the chain, and for cheap embedded consumer systems there are good reasons against it: "My router didn't react, so I powercycled it" is problematic if it was just applying an update (resilience against this costs money, which is tight). And then your 1st level support has to explain your grandma how to use tftp to flash the firmware via the bootloader (this is bad for 1st level support suicide rates). Did I mention all the crap should be cheap? What good is a well maintained IoShit device if it costs 4$ more than the poorly maintained competition? Chances are high you won't sell enough to sustain your company - unless you go into a premium segment and just charge twice as much as the competition, which might still be problematic (consumer expectations change a lot with price - cheap and vs. expensive and nice).

Also, at the other end of the embedded spectrum: Industrial embedded systems should probably only be updated if really necessary, e.g. if something is broken due to bad firmware. Downtime is really expensive for huge manufacturing plants, especially if unscheduled (in addition to the machine[s] not producing value, your 500 workers a fiddling their thumbs), so you want to reduce the number of opportunities for this to happen.

[notyourday]

> I'll point out the enormous opportunity to anyone who can address that problem. Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves? Do you have a better approach to it? There's a burgeoning multi-billion dollar market waiting for a few leaders to take it over.

There's no market for this. The market is for $50 device. Android Phones, nearly flagship, that sell for $500-700 get at best two years updates. People want $50 router that they can throw away when it stops working.

I have a $350 router. I have had it for 3 years by now. It is a tiny passively cooled industrial PC that fits into a VESA mount with an Intel Celeron, 128Gb SSD and 2x wifi modules. Why two? Because i want a guest network to be separate from the real network and i want crap-wifi speaking devices to be isolated via VLAN etc. It is running Debian and even techies marvel at the speed, functionality and all the goodies. They want to know where they can get it... Until they hear that it was $350 at which point they go "I was thinking i would pay about $80". A dinner for two in a Puero Rican chicken shack with a couple of beers will be $35!

[mkhpalm]

Its been the norm for a long time now. I've always wondered why printer manufacturers could get away with universally exempting themselves from security audits. People just admitted they were bad and said: "don't even look at it wrong or it'll dump all its paper and toner on the floor"

[swinglock]

It really does. I had a network connected Xerox printer that would hang until rebooted, only by port scanning it with nmap.

[sniku]

This is exactly why I'm done with consumer router devices. Open Source routers are mature and infinitely more secure. https://teklager.se/en/open-source-routers/

[sounds]

androidauthority.com has been pretty good about tracking this more recently:

Android Oreo: https://www.androidauthority.com/android-oreo-fastest-manufa...

Android Pie: https://www.androidauthority.com/android-pie-fastest-manufac...

Then they put out this weird update: https://www.androidauthority.com/counterpoint-android-update...

[autoexec]

> Today's manufacturers cannot afford to update software for hardware devices they have already moved on from.

Well, they could (D-link has millions), but they won't because it would eat into their obscene profits.

[schainks]

The Nerves Project is positioning itself to address this well.

[bogomipz]

>"Today's manufacturers cannot afford to update software for hardware devices they have already moved on from."

What is this statement based on? None of your links show any kind of unit economics that support the assertion that providing critical security patches for a defined support window is infeasible for manufactures and their business models.

[tonyarkles]

I agree wholeheartedly, and outright reject the premise of the original statement.

This is a choice that they make. Yes, having a legacy support team is going to cost a bit of money, but not a ridiculous amount. Maybe instead of having a ridiculous number of barely-differentiated SKUs, they could lighten the support burden a bit by making a smaller number of solid well-supported models.

Edit: also, basing the models on a common platform would help too. I assume they generally do this already, but if not...

[wmf]

basing the models on a common platform would help too. I assume they generally do this already, but if not...

They don't, because they save a few dollars by re-bidding each product. So each company is shipping a random assortment of Broadcom, Marvell, and Qualcomm reference designs, all running incompatible software stacks.

[tonyarkles]

> random assortment of Broadcom, Marvell, and Qualcomm reference designs, all running incompatible software stacks

How... what... c'mon! You're totally right [1], and even within similar model numbers (e.g. the DIR-300 B-series uses Ralink chips, but the DIR-330 uses Broadcom). Yeesh.

Well... I guess I'll just keep on picking devices supported by OpenWRT and not rely on vendor firmware at all. Yuck.

[1] https://openwrt.org/toh/start?dataflt%5BBrand*~%5D=d-link

[riffic]

>anyone who can address that problem

If no one addresses this problem, regulations will be imposed.

[nomel]

Do you think it’s possible to regulate all of the internet connected consumer devices coming from China? Routers, WiFi lightbulbs, toasters, etc?

[otterley]

Of course it is. Nations regulate lots of imported goods, from foodstuffs to cars. Nations also have the power to impound cargo deliveries if the importer is notorious for not validating that their cargo is compliant with local regulations.