The Embedded Developers Blog

Security Locks Becoming Pickable

Tue, 11/01/2005 - 07:48
Systems Programming

The security world is all abuzz with the news (as reported on C/NET) that Chinese researchers have found flaws in the standard security algorithms used in a number of Internet protocols. The concern expressed in the story is the sheer scale of the problem, given the size of the Internet today and the difficulty in convincing the majority of people to upgrade their software on a regular basis.

As much of a problem as it is for that crowd, it is a much more serious concern for many embedded systems. Any device that depends on IPsec or SSH could suddenly find itself vulnerable unless a new executable can be distributed to devices already in the field. The necessary conditions for this are a device that is designed with this type of upgradeability and the awareness that upgrades are necessary. I suspect that the first condition is more common today than the second one, given that most embedded developers are users of security protocols rather than security specialists.

The typical pattern of upgrades like these is that not much is done about them until a headline-quality event takes place and raises public awareness. The trick is to be among those reading the headlines rather than being the subject of them.

Larry Mittag