GE Gave Up Building its Own Cloud

Reuters has a detailed article about a strategy shift in General Electric’s digital business. GE invested early and heavily in IoT: it wanted to connect every GE device to the cloud through its industrial platform-as-a-service (PaaS), Predix.

[GE] Engineers initially advised building data centers that would house the “Predix Cloud.” But after Amazon.com Inc and Microsoft Corp spent tens of billions of dollars on data centers for their cloud services, AWS and Azure, GE changed course.

GE could not match these investments and now relies on AWS and Azure instead of its own cloud services.

GE abandoned its go-it-alone cloud strategy a year ago. It now relies on AWS and expects to be using Azure by late October, four months behind schedule, the executives said.

This should be a warning to smaller companies that try to run their own cloud: it does not look like money well spent.

The Reuters article contains a second, less obvious warning.

GE will now emphasize sales to existing customers in its energy, aviation and oil-and-gas businesses, and scale back efforts to sell to new customers in other sectors, three senior GE executives told Reuters.

Originally, GE followed a horizontal strategy and wanted to reach customers in all possible sectors. Now GE has switched to a vertical strategy and focuses on three core sectors. The lesson: what works well in one sector need not work well in another. Sectors are too different and require different solutions.

These two lessons also apply when you select a provider of cloud services. Be very careful if the provider offers to host your cloud on its own infrastructure. That is simple as long as you only have a few dozen or a few hundred devices. It is a totally different story once you have thousands of devices, with the number growing quickly.

Also be careful if the provider has not built a solution in your sector. A good solution for fleet management does not mean that the provider is good at processing the data coming from combine or forage harvesters. It is a totally different story.

CAN Standard Helps Attackers to Switch Off Brakes, Steering and Engine

Security researchers from Trend Micro and the Technical University of Milano explain in a blog post, “The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard”, and in a video how to switch off any electronic control unit (ECU) attached to the CAN bus. An attacker could switch off the brakes, the engine or the steering of your car. The researchers do not exploit an implementation bug but a feature defined in the CAN standard itself: its error handling. Every vehicle using a CAN bus, so basically every car, truck, harvester, tractor and construction machine, is exposed to the attack.

Let us assume that the attacker wants to switch off the brakes. With local access to the vehicle, the attacker only needs to attach a CAN device running a malicious version of the CAN stack to the bus. It is as simple as connecting the two wires (CAN high and CAN low) of the device to the respective wires of the CAN bus anywhere in the vehicle. Such a device costs no more than 15 euros, and the CAN stack software is freely available.

If the attacker only has remote access, he must first break into the infotainment system, the terminal or the telematics box of the vehicle. The well-known Jeep hack shows how to do this. It is much simpler for agricultural and construction vehicles than for cars, because security is often neglected there. Once inside, the attacker replaces the CAN driver with the malicious version.

The malicious CAN stack abuses the error-handling mechanism of the CAN standard. Whenever the brake ECU writes a frame to the CAN bus, the malicious stack overwrites one recessive bit of that frame with a dominant bit (on CAN a dominant bit always wins on the wire, so the bit is effectively flipped). The brake ECU monitors the bus while it transmits, sees a bit it did not send, and reacts as the standard prescribes: it sends an error frame that tells all other nodes to discard the frame, and it increments its transmit error counter by 8. The frame is retransmitted, and the attacker corrupts it again. After the malicious stack has killed 32 frames in this way, the counter exceeds 255 and the standard’s error-confinement rule forces the brake ECU into the bus-off state. The ECU disconnects itself from the bus; the brake is switched off.
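To make the mechanism concrete, the following simulation of the CAN error-confinement rules is added here; it is example code written for this page, not the researchers’ attack tool. It models the bus as a wired-AND of bits, a victim ECU that reads back what it sends, and an attacker that drives a dominant bit on top of the first recessive bit the victim sends after arbitration. The node name, the identifier 0x0C1, the sample payload and the simplified frame layout (no CRC, ACK or bit stuffing) are assumptions made for the example; the counter rules (+8 per transmit error, error-passive above 127, bus-off above 255) are those of ISO 11898-1.

```python
"""Simulation of the CAN error-confinement rules abused by the attack.

Dominant = 0, recessive = 1; the bus level is the wired-AND of all bits
driven at the same time, so a dominant bit always wins (ISO 11898-1).
The frame layout is simplified: SOF, 11-bit identifier, data bits. CRC,
ACK and bit stuffing are left out because they do not matter here.
"""
from __future__ import annotations

from dataclasses import dataclass

DOMINANT, RECESSIVE = 0, 1

# Error-confinement thresholds and counter steps from ISO 11898-1.
ERROR_PASSIVE_LIMIT = 127   # TEC > 127: node becomes error-passive
BUS_OFF_LIMIT = 255         # TEC > 255: node goes bus-off
TX_ERROR_INCREMENT = 8      # transmitter detecting a bit error: TEC += 8
TX_SUCCESS_DECREMENT = 1    # successful transmission: TEC -= 1
ARBITRATION_BITS = 12       # SOF + 11 identifier bits


@dataclass
class Node:
    """A CAN node with its transmit error counter (TEC)."""
    name: str
    can_id: int
    tec: int = 0
    error_frames_sent: int = 0

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"


def frame_bits(can_id: int, data: bytes) -> list[int]:
    """Bits of a simplified standard frame: SOF, 11-bit ID (MSB first), data."""
    bits = [DOMINANT]  # start of frame
    bits += [(can_id >> i) & 1 for i in range(10, -1, -1)]
    for byte in data:
        bits += [(byte >> i) & 1 for i in range(7, -1, -1)]
    return bits


def transmit(victim: Node, data: bytes, attacker_active: bool) -> bool:
    """Victim transmits one frame while an attacker may be on the bus.

    The attacker waits until arbitration is over (so the victim does not
    simply lose arbitration) and then drives a dominant bit on top of the
    first recessive bit the victim sends. Returns True if the frame went
    through, False if the victim detected a bit error and sent an error frame.
    """
    if victim.state == "bus-off":
        return False  # a bus-off node no longer takes part in bus traffic
    for i, sent in enumerate(frame_bits(victim.can_id, data)):
        attacker_bit = RECESSIVE  # attacker idle: it drives nothing
        if attacker_active and i >= ARBITRATION_BITS and sent == RECESSIVE:
            attacker_bit = DOMINANT  # only recessive -> dominant is possible
        bus_level = sent & attacker_bit  # wired-AND of both drivers
        if bus_level != sent:
            # Transmitter reads back a level it did not send: bit error.
            # It signals an error frame (others discard the frame) and
            # raises its TEC by 8; the frame will be retransmitted.
            victim.error_frames_sent += 1
            victim.tec += TX_ERROR_INCREMENT
            return False
    victim.tec = max(0, victim.tec - TX_SUCCESS_DECREMENT)
    return True


def frames_until_bus_off(victim: Node, data: bytes, max_attempts: int = 10_000) -> int:
    """Keep corrupting the victim's retransmissions until it goes bus-off;
    return how many frames had to be killed (ceil(256 / 8) = 32)."""
    attempts = 0
    while victim.state != "bus-off" and attempts < max_attempts:
        transmit(victim, data, attacker_active=True)
        attempts += 1
    return attempts


if __name__ == "__main__":
    # Constructed sample: a hypothetical brake ECU with ID 0x0C1 and a payload.
    brake = Node("brake", 0x0C1)
    payload = b"\x12\x34\x00\x00"
    print("undisturbed:", transmit(brake, payload, attacker_active=False), brake.state)
    killed = frames_until_bus_off(brake, payload)
    print(f"attacked: {killed} frames killed, TEC={brake.tec}, state={brake.state}")
```

Running it shows the progression the text describes: without the attacker the frame goes through and the counter stays at zero; with the attacker the node is error-passive after 16 killed frames (TEC 128) and bus-off after 32 (TEC 256). The attacker never transmits a frame of its own, which is why ordinary frame-level filtering on the bus does not see it.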

A full fix for this flaw would require a change to the CAN standard, which will take some time, probably a couple of years. There is no easy way to mitigate the risk of a local attack. This is especially a problem for tractors, harvesters and construction machines, which are easy to access physically. You can make a remote attack harder by cryptographically signing the CAN stack and verifying the signature before it is loaded, so that a swapped-in driver is rejected.

Proposed IoT Security Bill Could Be Boon to LGPLv3 Software

US senators proposed bipartisan (yes, it’s still possible!) legislation to improve the cyber security of IoT devices, the Internet of Things Cyber Security Improvement Act of 2017. Vendors selling Internet-connected devices to the federal government must ensure that their devices are patchable, rely on standard network protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.

Paragraph (C) on page 8 spells out that every contract between federal agencies and vendors must contain a

[…] clause that requires such Internet-connected device software or firmware component to be updated or replaced […] in a manner that allows for any future security vulnerability or defect in any part of the software to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner.

Software under the LGPLv3 license already satisfies the replaceability part of this requirement by default: the LGPLv3 requires that the LGPLv3-licensed components on a device can be replaced by a modified version. The “properly authenticated and secure manner” of the update is not something the license text covers, so vendors still have to provide a verified update mechanism themselves.

The proposed bill falls short of requiring patchability for all Internet-connected devices, not just the ones sold to federal agencies. A broader requirement would cover smart home devices, toys, set-top boxes, TVs, cars and all other consumer devices.