[HN Gopher] 0day Contest for End-of-Life Devices Announced
___________________________________________________________________
0day Contest for End-of-Life Devices Announced
Author : winnona
Score : 190 points
Date : 2024-09-18 14:55 UTC (8 hours ago)
(HTM) web link (www.districtcon.org)
(TXT) w3m dump (www.districtcon.org)
| asabla wrote:
| Ooh, this looks like a lot of fun. Really hope they'll either
| have recordings and/or stream this event.
| computersuck wrote:
| Why would they do this? Knowing that any bugs found won't be
| patched since EOL, and will just be used for mass exploitation
| and harm??
|
| Why is the cyber industry so desperately stupid for attention?
| Aissen wrote:
| To protest stupidly short EOL deadlines.
| schlauerfox wrote:
| Just went to get some BIOS files for the 5th gen Intel NUCs
| and they've purged them from the site. It's like when
| Microsoft purged the KB of everything not in current support.
| Burning of libraries, it's sickening.
| Hackbraten wrote:
| I think this contest is a good thing.
|
| It might put pressure on customers to demand products with
| longer support lifecycles, which in turn forces vendors to
| offer longer support and/or make their software and APIs open
| source once support ends.
| wpm wrote:
| >It might put pressure on customers to demand products with
| longer support lifecycles
|
| It won't. It'll allow vendors to put pressure on customers to
| buy new shit to replace their old shit that still works just
| fine that the vendor would rather not spend the resources
| patching.
| Hikikomori wrote:
| EU might have something to say about it.
| throwaway48476 wrote:
| Possibly but a website that says 'vendor vulnerable' is bad
| PR and readers won't care if it's EOL or not.
| teeray wrote:
| It puts pressure on regulators to realize the shitty
| situation MBAs create when they EOL products that aren't
| reaching revenue targets.
| 1970-01-01 wrote:
| Why do you think the industry is morally obliged to have them
| remain untouched?
| asabla wrote:
| I don't see it like that at all. Some 0-days can (somewhat) be
| mitigated by other hardware/software.
|
| I'd rather have as many "known" 0-days in the open than having
| it the other way. Even if it means I won't see any updates to
| affected devices or software.
| 1oooqooq wrote:
| I cannot say if your comment is sarcasm.
|
| Do you think devices are retired because they aren't sold? Why
| would you want that information to be known only by bad actors?
| Just imagine trying to convince someone who mounted a beautiful
| android 4.4 tablet to control their smart home (heh) 5 years
| ago that they will have to redo every thing because they bought
| into a proprietary protocol and the base os isn't receiving
| security updates.
|
| Or do you truly believe you are safe if you hide under your
| bedsheet?
| computersuck wrote:
| It's about the barrier to entry and amount of effort to
| exploit something. When public information comes out about a
| vulnerability that can't be patched in a reasonable amount of
| time (due to EOL or some other reason), the bad actors have
| the upper hand.
|
| Giving ransomware actors free bugs for mass exploitation when
| they are unlikely to be patched is just putting innocent
| users in harm's way. It doesn't really make a dent in the shit
| vendors' profits, so the only other motives are 1) to show
| off your cool research or 2) protest ridiculous EOL deadlines
| (which sure, might make a difference).
| mulmen wrote:
| You're assuming bad actors don't already know about these
| zero days. You have to assume any possible vulnerability is
| already being exploited. Publishing zero days in EOL
| devices reduces the information asymmetry.
| computersuck wrote:
| When there's no publicly known bug, someone needs to spend
| the time and effort to research it; when public POCs come out
| every skid cybercrime crew jumps on and starts exploiting it
| for financial gain.
| thomascountz wrote:
| I'm thinking that bugs may not necessarily disappear when the
| device or application where they are discovered is EOL'd. This
| research could discover attack vectors and vulnerabilities that
| will need to be addressed in active implementations.
| freehorse wrote:
| The first best thing for vulnerabilities is fixing them, the
| second best is knowing they exist and what they specifically
| are (so one can either try to mitigate them or make an informed
| choice on replacing equipment).
| amenghra wrote:
| Also great for learning. Vendors learn from their mistakes,
| right?
| hedgehog wrote:
| Without splashy narrative and quantifiable risk the vendors
| won't change and the general public won't perceive the danger
| of unsupported devices. Public bounties are one way to change
| both so this seems like a reasonable project with net benefit.
| IshKebab wrote:
| These devices don't magically become secure just because white
| hats decide not to attack them.
|
| You're advocating security through sticking-your-head-in-the-sand.
| frankharv wrote:
| I think we need a cyber swat team to assassinate anybody
| doing a port scan.
|
| You want to play with something you don't own or have
| permission to play with it.
|
| Assassinate target. You want to make money/fame off others.
| DIE.
|
| If somebody came to your house and started jiggling
| doorhandles what would you do?
|
| Why is cyber different?
|
| NO CONSEQUENCES.
| PhilipRoman wrote:
| Fun idea, although nobody who is serious enough about
| hacking will use their home PC as source, more likely it
| will be some random grandpa's old router. Even putting that
| aside, we can't exactly send a SWAT team to China...
| 0xdeadbeefbabe wrote:
| > Why is the cyber industry so desperately stupid for
| attention?
|
| Burglaries aren't getting enough attention.
| nashashmi wrote:
| Look at what they are saying. They want to document all sorts
| of bugs in past products for future research purposes. And they
| want to draw attention to the product that it be replaced.
|
| I agree putting such burdens on companies with little IT
| resources isn't healthy for the company, its customers or
| anyone else. This is hostile.
| jon-wood wrote:
| If you put a product out in the field which can potentially
| be remotely exploited it's on you to either patch it when
| someone does find an exploit or possibly open source
| everything so others can. If you genuinely can't support it I
| guess you could put a self-destruct mechanism in which
| remotely bricks the device instead, just don't expect your
| customers to be happy about it.
| nashashmi wrote:
| ... or maybe build a foolproof product that cannot be
| hacked or attacked. Maybe products that don't get updated
| lose their access to the internet. And the only way you
| can get access is through some clamped down application.
| stackghost wrote:
| Dunking on Internet of Shit^H^H^H^HThings vendors is always a
| win in my book.
| busterarm wrote:
| Would be cool but "responsible disclosure" is a non-starter for
| me. Full disclosure is the only way to operate, IMO.
| sidewndr46 wrote:
| If the device is explicitly past EOL what is the point anyways?
| Just to wait 60 days and hear they aren't going to do anything?
| winnona wrote:
| not necessarily! If the 0day is bad enough the vendor may
| patch it or release further guidance - most recent case is
| Ivanti this week (https://cyberscoop.com/ivanti-vulnerability-cisa-kev/)
| slt2021 wrote:
| likely used by vendor as sales strategy to upgrade device:
|
| we will give you patch for this EOL 0day, but this will be
| the last one. Please buy new version and btw here is 20%
| discount code, you are welcome
| sidewndr46 wrote:
| they could offer to send you a $15 grubhub gift card for
| your trouble
| GTP wrote:
| Still better than leaving devices unpatched. The end user
| still has the final word, can totally refuse to buy a new
| one if he/she doesn't think getting a new one is worth
| it.
| Techbrunch wrote:
| Depending on the target and the severity of the vulnerability
| the vendor might consider fixing the vulnerability even if EOL.
|
| If the target is an IOT device the vulnerability will likely be
| mass exploited to create a botnet.
|
| The U.S. government recently 'took control' of a botnet run by
| Chinese government hackers made of 260,000 Internet of Things
| devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)
| Retr0id wrote:
| > 60-90 day disclosure windows with vendor
|
| This is not 0day. (but I think this is a fun initiative
| nonetheless)
| Retr0id wrote:
| I'm also not sure what the point of vendor disclosure is, if
| the product really is EOL
| codetrotter wrote:
| Maybe mainly to avoid legal trouble? Even if you "know" the
| answer from the vendor will be that it's EOL, notifying them
| of your findings and giving them time to fix it shows that
| you have good intentions. That they then do choose to do
| nothing about it, well that's not your fault.
|
| Additionally, it helps you avoid the situation where you
| thought the device was EOL because there hadn't been any
| updates for a long time but then it turns out that they
| actually do still respond to, and fix, security issues. And
| it just happened that there hadn't been updates for a long
| while because no one had reported anything for a while.
| stvltvs wrote:
| The vulnerabilities might still exist in current products
| even if discovered in an EOL product.
| Retr0id wrote:
| That's a very fair point.
| citrin_ru wrote:
| Depending on vulnerability impact and difficulty fixing it,
| some vendors may choose to release a fix even after EOL.
| Generally EOL means that users should not rely on getting an
| update (but it still may be released as an exception).
| krisoft wrote:
| Or the vendor might want to warn users about the
| vulnerability. It is a different story to say "there might
| be vulnerabilities, consider updating to some other gizmo"
| vs "there is a vulnerability, you have to abandon the
| gizmo".
| myself248 wrote:
| I think the point is to embarrass vendors into extending
| their support periods. Giving them 60 days to think about
| that is a shot across the bow.
| qwery wrote:
| An attempt to avoid unnecessary harm, I'd guess.
|
| To see what they do?
|
| Because it will be more damning if they ignore something
| significant they had explained to them?
| Techbrunch wrote:
| "Although the term "zero-day" initially referred to the time
| since the vendor had become aware of the vulnerability, zero-day
| vulnerabilities can also be defined as the subset of
| vulnerabilities for which no patch or other fix is available."
| - Source: https://en.wikipedia.org/wiki/Zero-day_vulnerability
| londons_explore wrote:
| > - You are not under any restrictions or sanctions from the US.
|
| Can we make this a condition of giving any prizes, rather than of
| entry to the competition? This restriction affects literally
| 200+ million people.
| throwaway48476 wrote:
| How likely is it that a sanctioned individual shows up for an
| event in Washington DC?
| dghlsakjg wrote:
| This is likely a restriction that applies whether or not they
| put it in the terms and conditions.
| efields wrote:
| I read this thinking it was a contest for suicide booths.
| myself248 wrote:
| Hack Kevorkian?
| moffkalast wrote:
| You have chosen: slow and horrible.
| jdironman wrote:
| The pod just reopens and lets you back out
| moffkalast wrote:
| Haha lmao, perfect.
| meindnoch wrote:
| EoL devices are a huge liability. We need laws that require
| vendors to equip smart devices with remote hardkill switches, so
| they can be permanently disabled by the vendor when they reach
| EoL. A disabled smart device is better than one that can be
| weaponized by threat actors.
| notfed wrote:
| Yikes -1 to that. Sounds like a vendor's dream anyway, I don't
| know if that needs to be incentivized.
| nashashmi wrote:
| The terms of service of the device did not require replacement
| nor issue end of life date. What basis would the law have to
| enforce replacement?
| compootr wrote:
| Right, but do you want these still usable devices to become
| e-waste?
|
| for those that can secure them properly (e.g. air-gapping) why
| do we need to make old iot stuff non-functional bricks?
|
| something I'd be more ok with is to disable it, but in the
| device's settings, allow it to be re-enabled
| meindnoch wrote:
| If you truly air-gap the device, then the kill signal
| wouldn't reach it, so all is well.
| Cheetah26 wrote:
| Much better legislation would be requiring that the
| firmware/software source be released at EOL, so that users can
| maintain the hardware they purchased for as long as they like.
| meindnoch wrote:
| Probably we need both. Hardkill all devices, and let
| determined users resurrect their own devices with the open
| source firmware if needed. The point is that millions of
| vulnerable devices won't stay online by default.
| liotier wrote:
| Want to sell a device? Deposit the software in escrow,
| released one year after the firm stops supporting the device!
| mnau wrote:
| What percentage of customers have even logged in to their home
| router? It will be way below 10% (I would wager in the lower
| single digit percents).
|
| So
|
| * manufacturers open source it
|
| * "someone" is going to maintain it, for free
|
| * all these people are going to find non-malware infested
| fork
|
| * upload custom ROM to their devices.
|
| I just don't see it.
|
| Automatic updates/killswitch are the only way forward.
| UniverseHacker wrote:
| That is insane. I mostly buy and use "EOL" devices because
| they're cheaper and have no issues. Recently bought my son an
| old Intel Mac Mini and he loves it.
|
| You can easily still secure an EOL device- with the old Mac I
| just use it with the firewall on, no ports open, and a modern
| secure browser. There is really no attack surface from the OS
| which is EOL, and this old device has aged past being worth
| developing attacks for.
| getcrunk wrote:
| Tell that to the recent Windows bug where even if you block
| IPv6 in your device firewall (or was it even turning off the
| stack?) your device is vulnerable to a specially crafted IPv6
| packet.
| heraldgeezer wrote:
| Go ahead and disable 47% of gaming PCs in 2025 then. lmao ur
| insane.
|
| https://store.steampowered.com/hwsurvey
| jodrellblank wrote:
| PCs aren't "smart devices".
| heraldgeezer wrote:
| Ok. A network switch then?
| aeternum wrote:
| Auto-applying security updates is actually a major threat
| vector. It's often easier to compromise a cloud deployment
| system/key rather than thousands of edge-deployed devices.
|
| An EOL device that has withstood the test of time, and has had
| many security patches but is no longer connected, is often one
| of the most secure devices.
| technofiend wrote:
| This just underscores the fact (IMHO) we need a "cash for
| clunkers" program for obsolete and unsupported devices. I mean
| I'd love to see more moonshot programs like DARPA's Tractor but
| in the meantime why not create incentives to get insecure
| equipment off the net?
| throwaway48476 wrote:
| A lot of the time the EOL hardware is exactly the same as the
| supported hardware. The software just needs to be supported for
| longer. For example the 2014 and 2015 MacBook Pro: same CPU,
| same motherboard, etc. and yet the 2014 is EOL a year earlier.
| technofiend wrote:
| I'm thinking of the millions of IOT devices like old internet
| firewall appliances that make up modern botnets. Those need
| to die ASAP.
| throwaway48476 wrote:
| There are easier ways to play doom.
| https://youtu.be/aq6mtEciX2c
| bee_rider wrote:
| Reaching for the legal hammer ought to be a last resort, but
| IMO, EOL-ing a device should require open sourcing it and
| handing over any info required for administration to the
| users. Or refund for full price.
|
| A device which can not be administered by the end user is
| administered (perhaps negligently) by the company who sold
| it.
| mnau wrote:
| What would be the point of open sourcing it? Serious
| question.
|
| A custom DIY ROM might be interesting to some geek out there,
| but it does nothing for security. There is no automatic
| update and some custom ROM is never going to get it anyway.
|
| Security through obscurity is a better option in this case.
| bee_rider wrote:
| It would be nice for the community, so they can at least
| try to fix things.
|
| But mostly, I think it would clarify the responsibility
| and obligations for support. Obviously a device which
| hasn't been opened up can't possibly be the
| responsibility of the user, who is locked out and unable
| to administer it. By default manufacturers should be
| responsible for the things they manufacture and should
| have an obligation to make sure they are reasonably free
| of defects. Devices with known security vulnerabilities
| are defective.
|
| If they want to release themselves of that
| responsibility, they should have to actually make it
| possible for somebody else to pick it up.
| phendrenad2 wrote:
| A cynical person (not me, not I, I'm not a cynical person) might
| think that this is the opening salvo in a campaign to "save" the
| US tech sector by getting rid of old hardware. See the comments
| in this very thread calling for a "cash for clunkers for old
| devices" or a "remote kill-switch" to disable them (!)
|
| Right now you can go to eBay and buy a used PC for $200 that will
| do everything you need to do, including gaming. You can buy a
| 64GB iPhone X for $100, which will do everything a new phone will
| do (basically). Can you imagine the drain on the hardware sector
| in the US due to these old devices piling up? And the trend is
| only going to accelerate. If the powers that be aren't conspiring
| to "fix" this "issue", it's only a matter of time until they do.
| hnuser123456 wrote:
| As soon as they feel like TPM isn't pushing enough HW upgrade
| purchases...
| heraldgeezer wrote:
| Yup Windows 10 EOL will be fun...
|
| Windows 10 is "still" on 47% of PCs with Steam installed.
|
| Windows 11 is at 49%.
|
| https://store.steampowered.com/hwsurvey
| moffkalast wrote:
| > Linux: 1.92% (-0.16%)
|
| > Arch Linux (64-bit): 0.16% (-0.01%)
|
| > Ubuntu 22.04.4 LTS (64-bit): 0.07% (-0.01%)
|
| > Linux Mint 21.3 (64-bit): 0.07% (-0.04%)
|
| > Ubuntu 24.04 LTS (64-bit): 0.07% (0.00%)
|
| > Linux Mint 22 (64-bit): 0.06% (+0.06%)
|
| > Ubuntu Core 22 (64-bit): 0.06% (0.00%)
|
| > Manjaro Linux (64-bit): 0.06% (0.00%)
|
| Year of Linux in gaming, everybody! :(
| isodev wrote:
| I think hardware vendors have been allowed way too much freedom
| in trying to turn hardware into a subscription. The yearly
| release of new phone models isn't helping either.
| winwang wrote:
| What if we turned hardware support into a subscription (kind
| of like JetBrains model I think?) and stopped yearly releases
| in favor of more interesting releases? I wonder how many
| resources are used just to make the next iteration a bit
| shinier to catch the consumer's eye.
| SketchySeaBeast wrote:
| I'm reading this as "Samsung charges a $10 monthly
| subscription fee to keep your phone up to date" and I
| already know how that would turn out.
| qwertycrackers wrote:
| I think what this is ignoring is that "security updates"
| are generally corrections to defects in the original
| product.
|
| In principle, a complete product would ship with no
| defects. You could run it for 1000 years unpatched and it
| would be no less secure than the day it shipped.
|
| Manufacturers ship security updates because the original
| product was defective. So it makes sense that they remain
| on the hook for security updates -- we paid them full price
| up front.
| Wowfunhappy wrote:
| I am extremely sympathetic to this view--but is it
| practical? Like, should Apple be forced to continue
| releasing security fixes for the original iPhone?
| heraldgeezer wrote:
| 200 for gaming might be cutting it close for me but I am using
| a 10 year old PC with an upgraded GPU. I guess that's "bad"
| lmao. Can we end of life the people who will decide and
| implement some shit like that? :)
|
| Also enterprise will buy new and then sell, why Thinkpad etc is
| popular. Should that also be banned?
|
| No used cars too, sounds good. No used goods at all. Imagine the
| productivity!!!
| technofiend wrote:
| >Right now you can go to eBay and buy a used PC for $200 that
| will do everything you need to do...
|
| 100%! And the average HN poster presumably has the skills to
| make that work. My suggestion to retire vulnerable devices
| isn't a US jobs or tech sector program; it was born from a
| sincere desire to see vulnerable and most likely already
| compromised devices removed from use.
|
| It seems logical to me if we're going to look for
| vulnerabilities in order to help harden devices you might want
| to address ones with known issues. And frankly the reason so
| many devices out there are still in use is because their owners
| simply don't know any better or see no value in upgrading. Cash
| for clunkers creates an incentive to fix a situation that I'm
| guessing many don't even know exists.
| getcrunk wrote:
| I've bought three laptops this year from eBay. The second was
| shortly after the first because I thought it was such a good
| deal.
|
| A few months later the first laptop's exhaust started smelling
| like burning plastic and I also discovered that if you move the
| lid/screen a certain way the laptop hard freezes. A few months
| after that same smell from the second laptop (different
| model/seller) that progressed into a proper burning smell. In
| both cases I'm out my purchase price and for the total could
| have bought new.
|
| On a whim after coming across the thinkpad subreddit I bought a
| t480s recently. As soon as I got it I paid attention to folding
| the hinges excessively and noticed it creaks sometimes and the
| exhaust also gets a little too toasty. So this one is going
| back.
|
| I'm not against used. I'm a lifelong 2nd hand buyer. No
| problems with phones or even mini pcs.
|
| I don't recommend laptops anymore tho. Too delicate and can
| have hidden issues.
|
| If you read this far: it's not environmental cus my bought new
| laptop (4yo) doesn't have any issues. And also I did take off
| the back cover in both laptops and didn't see any obvious blown
| parts. And neither are overheating from sensor data even under
| p95
| rdujdjsjehy wrote:
| This seems like that useless definition of "need" that
| completely discards any real standards for the sake of an
| argument. A 200 dollar computer at best is going to let you
| play low demand indie games and things with garbage mode
| settings for running on potatoes.
| ruthmarx wrote:
| > A 200 dollar computer at best is going to let you play low
| demand indie games and things with garbage mode settings for
| running on potatoes.
|
| That's not true. I still regularly use an old Dell Latitude
| from almost 15 years ago sometimes - it cost under $150. I
| can do everything I need on it, even compile Firefox. I can't
| run most new AAA games, but can play a bunch of FPS games
| from about up until when it came out. It still plays CSGO
| just fine, for example.
|
| The real advances in performance the last decade have been in
| GPU performance, not general performance.
| rdujdjsjehy wrote:
| What settings do you play CSGO on? And is it just CSGO or
| can you play Counterstrike 2?
| dangrossman wrote:
| $200 on eBay will get you a used laptop with a Core i7, 16GB
| RAM and SSD; essentially the same specs as my year-old $1000+
| laptop, other than having a newer generation CPU. It'll play
| many brand new games at 720p or better and acceptable
| framerates.
|
| I still use an original Microsoft Surface Pro pretty often,
| and can barely tell the difference between using it and that
| year-old PC for web browsing, document editing, and tablet-style
| gaming. The Surface Pro came out in 2013.
| rdujdjsjehy wrote:
| Would you say that your laptop can get 120fps on non-minimal
| settings while playing the current Call of Duty?
| What about Grand Theft Auto V or Overwatch?
| dangrossman wrote:
| I don't get 120fps on non-minimal settings with a
| PlayStation or Xbox, yet 150+ million people do all their
| gaming on those consoles (including almost half of
| Overwatch's player base according to some polls). That's
| not the test.
| rdujdjsjehy wrote:
| Would you say you can get 60fps on non-minimal settings
| on the current call of duty then?
| DidYaWipe wrote:
| "oday" contest?
___________________________________________________________________
(page generated 2024-09-18 23:00 UTC)