Comment by avsm

1 day ago

The elephant in the room here is that there are hundreds of millions of embedded devices that cannot be upgraded easily and will be running vulnerable binaries essentially forever. This was a problem before of course, but the ease of chaining vulnerabilities takes the issue to a new level.

The only practical defense is for these frontier models to generate _beneficial_ attacks to inoculate older binaries by remote exploits. I dubbed these 'antibotty' networks in a speculative paper last year, but never thought things would move this fast! https://anil.recoil.org/papers/2025-internet-ecology.pdf

No, the elephant in the room is that even bad actors will now find it easier to find vulnerabilities in software, maintained or not, that is widely used or used in critical places. Unmaintained and remotely accessible devices should be discarded as soon as possible; you can't keep waiting until some of the good guys decide to give some time to your niche but critical unmaintained piece of software. Because if there is a possibility of profiting from it, it will be checked and exploited.

And you can't assume that whatever vulnerability they have will let the good guys do the extra (and legally risky) work of closing the hole.

  • _SHOULD_ yes sure, but realistically is that going to happen?

    • As doom and gloom as things are generally, I do think things have gotten better. Due to legislation and commercial pressure, things like wifi routers shipping with the same default password and open settings have gotten better. Webhosts and ISPs have implemented many improvements to protecting their residential customers.

      I take your point, but think that it's also maybe too far.

And this is precisely why so many of these devices should not be connected to the Internet.

Things like Internet-connected central heating seem absolutely insane to me, yet people look at me like I'm crazy when I say so. Do you really want your home's heating entirely controlled by a publicly accessible device that likely will never be upgraded in case of security issues?

Not to mention embedded systems. In fact, most people's Windows machines hardly get updated. You remember WannaCry, right? I work at a mid-sized e-commerce company making hundreds of millions in annual profit. Our servers run Windows Server 2012 and use PHP 5.3 — never upgraded. Aside from me, the newest developer machines are Windows 10 21H2, then Windows 10 1809, and even Windows 7. I heard there’s also a server running Windows Server 2008. And I don't see any hope for improvement: non-software companies, especially in the current economic climate, cannot invest huge resources to completely refactor everything. The entire tech department is no more than 10 people; doing a refactor would mean halting all business operations, so patching and mending on top of what's already there is the only viable option. Shortly after I joined, I found several SQL injection vulnerabilities and successfully exploited them to register as the root user on the server (on MySQL 5.5) and extract passwords. This is the technical reality for many non-specialist software companies.

You should either implement over-the-air updates or not connect your device to the network at all.

  • That doesn't help when the company behind the device disappears or stops supporting the device. Or is hacked to convert all the devices they manufactured into a botnet.

  • The problem of course is that many of these devices are eager to connect to the internet so they can receive often user-hostile updates.

> The only practical defense is for these frontier models

Another practical defence for many of these devices would be to just disconnect them... I feel like an old man yelling at a cloud, but too much is connected to the Internet these days.

  • Why doesn't this ATM tell me my balance anymore? Oh, we implemented creata's advice.

    Why didn't this smartboard tell me my plane was delayed? Oh, we implemented creata's advice.

    ad nauseam

  • It can be easier to hack the device and patch it than to determine which device it is. This is nearly always true for the non-technical, but it is true for most technical people as well. Many of the devices in people's homes that aren't being actively patched are not that old!