Yesterday, I watched a video by Louis Rossmann in which he talked about vulnerabilities that have been present in the website, apps and APIs developed by John Deere. Mostly farmers and other parties active in agricultural industry, need to register their equipment and software with John Deere to, for instance, unlock their tractor in order to be able to use it; as I understand, a tractor refuses to operate if there’s no valid subscription for the device. The presence and validity of the subscription is checked through an online system developed by John Deere.
This is a good example of two issues. The first issue is not owning the software, device, appliance or vehicle you’ve bought. You’ve bought it, but actually you’re just renting it. Monthly, quarterly or yearly, you’ve got to pay a subscription in order for the device to keep working. Our grievance is not that you’re paying for something you need. It’s with how this puts the manufacturer in a position of master, and you, the customer, in the position of slave. Before the whole “software as a service” and software and hardware requiring subscriptions to remain working, you were in control. If you invested in, lets say, an embroidery machine, you owned it, plain and simple. You could decide that either this machine would be used intensively for a couple of years, or you could decide it was a nice extra something you used once in a while, over the next couple of decades. Now, you need a subscription in order for the machine to operate. This subscription is tailored to the business model of their ‘best’ customers. While you could justify a one-time € 12,500.00 investment for years to come. With the current trend of subscriptions you no longer can. It would still be a € 12,000.00 initial investment, but in order to use the machine once in a while, you also need to pay a monthly € 150.00 basic subscription, which only includes single spool, single color functionality. Adding an extra € 5.00 per spool, and the machine has eight of them. Coming to a € 2,200.00 extra in cost a year. There are three solutions: 1) stop this extra service, 2) make embroidery your core business, 3) buy a second hand 20 year old machine and hire us to adapt the machine to be able to use it with a modern computer. Even if the subscription based model can be justified, you still have other issues. After for instance 5 years the machine will become useless, because the machine is no longer compatible with the new website and apps of the manufacturer. The only options: hack the machine or buy a new one, whilst your current machine was not yet depreciated in your books and has no resell value left, because no one is able to use it anymore. Also, the manufacturer can suddenly adjust the subscription fee or moves features you need to a separate subscription. And finally, quite often you’re not even the owner of the documents, pictures or designs you’ve created. Either the cheaper subscription leads to the manufacturer not only having copies, but even have the legal rights over your creative work. Even with a very expensive subscription, the manufacturer will be the owner of the original and you can download a copy. Although you’re the legal owner, due to vulnerabilities at the manufacturer, other parties may gain access to your creative works. The chance of this happening is far greater due to the fact the the manufacturer is a far greater and bigger point of attack. A single succesfull breaking and entering will result in thousands to millions of creative works and client private data.
Any system, whether is is physical, digital, online or offline, will have vulnerabilities. That's a clear fact. Its impossible to control each and every aspect of a system, ruling out every possible situation, present and future. But there’s often a very important factor: who designed and implemented the system.
With about 30 years of interest and experience in IT security, starting my first job at the age of 15: pioneering antivirus heuristic scanning algorithms. And having worked as a security expert in an undisclosed number and types of places, one thing sticks out. There are roughly two groups of people that design, implement and maintain IT solutions: a) engineers in fields such as electronics and mechatronics, and b) scientists of a mathematics discipline.
The first group are highly motivated people, working hard and being very knowledgeable. However, programming is more like a hobby to them. They are quite capable of using math to solve problems. They have been programming for a long time, but for instance avoid using threads, are used to write the whole program in a single file, use libraries and modules downloaded from the internet, without a real understanding where these libraries come form, how old they are, how new they are and what their intent was. It just provides some functionality they need to move the project along. They have never heard about modular design techniques or unit testing. They often think that Rapid Application Development (RAD) is a piece of software to graphically drag and drop your application together. They don't know about, or find OMT/UML, data and object models too complicated or don't grasp their necessity. And they're right, their skill is with electronic, PCB or chip design or writing 80C552 machine code.
The other group are people that have a completely different skill set. They see the world as data and algorithms. They know Rapid Application Development is a problem solving and implementation technique, such as Extreme Programming or Agile. That is something you do, rules you apply to your workflow and how you organize your team and tools you utilize. This group of people design an IT solution by creating a description of the problem to solve and the world this system has to interact with. These people don't program, but define data models and create a functional specification before having computer code programmed. They understand, and can create algorithms and can provide mathematical proof of their correctness.
It almost doesn’t matter whether you're talking about BMW, Lada or Ford, whether you’re talking about Keysight, Rode and Schwartz or Owon. All these companies employ people from the first group: engineers. These engineers roll into the development of the software tools they need in their job, and therefore also roll into the task of implementing their companies' cloud based solutions, apps and externally used software.
The last group is largely employed by big tech giants like Google, IT security firms, financial institutions, professional services ICT secondment agency, banks and government. The latter in particular at the three letter agencies.
It’s almost ironic that the companies that are shouting the hardest about protecting customers’ security and therefor having to stop independent repair, are the same companies that internally often know little to none about developing secure systems in the first place. Such as, in this case of John Deere, who advocated not too long ago about protecting farmers by not allowing access to the tools needed for maintaining farm equipment. By releasing the tools with which it would be possible to clear engine error codes, and program the replacement pressure sensor into the system, critical customer data could fall into the wrong hands. Making your tuned crop spray settings, fall into the hands of your competitor. Well, it turns out that the manufacturer itself is the most likely place for such information to leak. As these tools and systems are designed by the people that they have employed for years to decades. Engineers that are often brilliant in their field of electronics, thermodynamics or hydraulics, but lack the skills needed to design secure and maintainable IT solutions.