NGI Pointer Project
Key people: Armijn Hemel
Affiliation: Tjaldur Software Governance Solutions
Home appliances, industry 4.0 and connected cars. What do they have in common?
Most of these devices use software and most of them are connected to the Internet. In fact, we can think of these devices as computers with integrated software which are shaped like a car or a fridge.
Bearing in mind that software has bugs, it must be updated regularly. However, most of the software in these devices (the firmware) is not updated, for several reasons: users don’t realise the device contains software, the update process fails, or suppliers simply don’t provide updates because the software hasn’t been changed in several years.
The situation can end with the supplier recommending that the user buy a new device, even though the old one works perfectly fine and merely needs an update.
The bigger picture is especially difficult to navigate for end users because the supply chain is crowded with intermediaries who are shielded from view. From the users’ point of view there is just one company making a product, while in reality the real work is done by other companies most people have never heard of. From the sellers to the chipset manufacturer, many parties are involved. Across the supply chain a lack of quality control can be observed, fuelled by a market that doesn’t value the advantages of verified software.
Consequently, the software running on our devices should not be considered safe: it is vulnerable to hacking. Customers are not aware of the importance of having secure software on their devices and therefore don’t put pressure on manufacturers to improve the quality of the products they sell.
On the other hand, there is also no sign of any serious effort from the policymakers’ level in Europe to tackle this problem.
There is a strategic choice we have to make about what we value: do we value security more than cost and convenience?
The project right now
Firmware Lib is a project that is building the “European Firmware and App Library”, which should make it possible to thoroughly identify security issues in Internet-connected devices.
The project is about shining a light on what is actually running on our devices. So it is not about preventing things, but about discovery. Furthermore, the project will make it possible to spot similarities between devices, since many of them are (near-)identical except for the casing (and sometimes even the casing is identical), and to link vulnerabilities reported for one device to the other devices that share the same software.
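As an added illustration (not part of the original article or of the Firmware Lib project’s own code), here is a small Python example of the idea in this paragraph: fingerprint the files of several unpacked firmware images, measure how alike two devices are, and carry a vulnerability record reported for one device over to every other device that ships the identical file. The device names, file contents and advisory id are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: the unpacked file trees of three hypothetical
# devices (path -> file contents). These are placeholders, not real firmware.
FIRMWARE: Dict[str, Dict[str, bytes]] = {
    "router-A": {
        "bin/busybox": b"constructed busybox build 1",
        "lib/libssl.so": b"constructed libssl build 7",
        "etc/banner": b"Welcome to Router A",
    },
    "router-B": {  # same board as router-A, only the branding differs
        "bin/busybox": b"constructed busybox build 1",
        "lib/libssl.so": b"constructed libssl build 7",
        "etc/banner": b"Welcome to Router B",
    },
    "camera-C": {
        "bin/busybox": b"constructed busybox build 2",
        "lib/libssl.so": b"constructed libssl build 9",
        "etc/banner": b"IP Camera C",
    },
}

# Constructed vulnerability records keyed by the SHA-256 of the affected
# file, as first reported for router-A (placeholder id, not a real CVE).
KNOWN_VULNS: Dict[str, str] = {
    hashlib.sha256(b"constructed libssl build 7").hexdigest(): "ADVISORY-PLACEHOLDER-001",
}


def fingerprint(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file path in an unpacked image to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def similarity(a: Dict[str, bytes], b: Dict[str, bytes]) -> float:
    """Jaccard similarity of two images over their sets of file hashes (0.0 to 1.0)."""
    ha, hb = set(fingerprint(a).values()), set(fingerprint(b).values())
    return len(ha & hb) / len(ha | hb) if (ha | hb) else 0.0


def linked_vulns(firmware: Dict[str, Dict[str, bytes]]) -> Dict[str, List[Tuple[str, str]]]:
    """For every device, list (path, advisory) pairs whose file hash matches a file
    already known to be vulnerable, regardless of which device the report came from."""
    return {
        dev: [(p, KNOWN_VULNS[h]) for p, h in fingerprint(tree).items() if h in KNOWN_VULNS]
        for dev, tree in firmware.items()
    }
```

Because the match is on file content rather than on product name, the advisory reported for router-A is automatically attached to the rebranded router-B and not to the unrelated camera.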
Currently, there are security databases in the USA, Japan, and China (and some other places), most of them controlled by the local government, which can influence the vulnerability disclosure process. However, can we trust these sources if we know that one of the top priorities of, for example, the NSA is industrial espionage? Not disclosing vulnerabilities could give these parties an advantage.
That alone is a good reason to build the European firmware library to better secure ourselves, especially now that we are so dependent on other countries. Almost all of the European electronics industry was spun out decades ago for the sake of the outsourcing model: cheaper, but not necessarily harmless. Nowadays the European supply chain is vulnerable, which from a security point of view is something we must think about and take a stand on.
In fact, research by Armijn Hemel highlights a gap in the European quality control system: devices are checked so that they do not catch fire when plugged in, yet no one seems to care about the software contained in and running the devices, as it is not visible: it is essentially a black box.
Politicians must understand that software is important: it is a security matter.
Why NGI Pointer? What does it provide?
Armijn Hemel’s project is completely open source. The project is completing the milestones set at the beginning of the programme, such as an unpacking program that is better than anything currently on the market. With no intention of monetising the project, the support from NGI Pointer (and other non-profit sources) is essential to develop it and to ensure that the code remains open, which is an important goal for its initiator.
Unfortunately, a project like this has no clear end. In fact, it has no end in sight, since more devices keep coming to Europe, including new ones whose software is subject to no control or security check. The development of a project like this demands constant revision to update the code and keep the project alive with the support of the community.
Going fully open source is the only way to keep projects like this up and running, Armijn says. That’s why he tries to avoid venture capital and private funding. In fact, the support from the European Community to keep the library updated could also help to communicate the matter to policymakers and raise their awareness of it.
In the long run Armijn envisions a renewal of Europe as a manufacturer of chips, with high quality standards, based on an open hardware industry model and highly educated populations.