Hacking Wheelchairs over Bluetooth

Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory.

CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchair’s movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.

Posted on January 14, 2026 at 2:22 PM • 10 Comments

Comments

Clive Robinson January 14, 2026 6:01 PM

@ lurker,

With regards,

“Theo was right, again…”

Not just Theo, several others myself included have made comment on the lack of security mechanisms in “Industrial Control Systems”(ICS) including “Remote Telemetry Units”(RTUs) and “Supervisory Control And Data Acquisition”(SCADA) systems and very importantly the “open and insecure” communications between them, the sensors and actuators and the overall command systems from the SCADA systems and operators.

It worried me greatly when the latter got moved by “accountants” to the Internet. And some Governments actually woke up to this eventually and insisted on higher levels of communications and access systems, but by no means all. As for the lower level communications some of which got piped across 2G GSM paths again with no security you might want to avoid construction sites and railway yards for the foreseeable future if not indefinitely.

The major issue is the “don’t roll your own” mantra that appears to have become an inviolable rule throughout the ICS and Embedded device design cultures as “no security”. Which is unfortunate as Engineers like “Simple thus easily tested” interfaces and test harnesses which are basically just old fashioned RS232 or RS422 hardware and ASCII characters from the very early 1960’s TTY style data comms,

https://ipc2u.com/articles/knowledge-base/the-main-differences-between-rs-232-rs-422-and-rs-485/

Which might have structured plaintext like XML with occasionally added checksums and error correction, but certainly not secured in any way (not even plaintext logins and passwords…).

But the “Embedded Systems” cover a variety of sins and security wise just as bad if not worse. You find these in just about everything that is not PC/Mainframe Computer networking. So infrastructure systems including ICS but also Smart Meters etc, Medical implants and much else with an expected 20-50 year buried out of sight lifetime. And… because they are “embedded” the old Masked ROM ethos gets carried forward with mostly the software not getting upgraded or patched in any way… Which from a security aspect is appalling…

Back last century it was accepted that development would take a year to 18 months for simple systems due to the amount of engineering time devoted to “test” because of the vast expense a simple mistake or error would cause. But the introduction of EEPROM and Flash whilst bringing the cost of errors/omissions down significantly meant that Senior Management could push through more complex designs and significantly reduced test time. This was made worse by the notions of the upstream “edge devices” and down stream “Internet of Things”(IoT) devices “just hung on the network”. With in effect Zero Security Testing and actually minimal at best functional test.

I made noises about not letting such crap into the world as it was guaranteed to be a security nightmare (and so it has been with “Distributed Denial of Service”(DDoS) attacks being the most obvious).

I even argued that NIST should stop doing what had in effect become “vanity crypto competitions” and do something useful like “security frameworks” for infrastructure, embedded, implanted and IoT and Edge Device systems such that security updates would be part of standard operating thus making us all safer. You should have heard some of the vilifying comments… Basically manufacturing management saw “mistakes” as a way to sell more product…

However when challenged they would get quite nasty and attack not on technical and security merit but by using “cancel culture” style techniques.

But ask yourself a question,

“If I have a medical device that could kill me implanted, say a pacemaker, how secure do I want it to be?”

And,

“Do I want them cracking my chest open just to put in a software upgrade?”

Like a bunch of psychopaths running an asylum they did not want such questions being asked because of the issues of profit and liability…

So your pacemaker has a more than reasonable chance of being “less secure” than this wheelchair…

lurker January 14, 2026 8:13 PM

@Clive Robinson, ALL

There was a discussion 5 years ago on y-combinator about why OpenBSD has no Bluetooth support. Some people admitted to using usb dongles that presented to the OS as a soundcard, supposedly isolating all the BT risks. An anonymous user summed it up as

“Bluetooth has unfixable security risks baked into the protocol, it’s ideal for OpenBSD to ignore it.”

Clive Robinson January 14, 2026 9:09 PM

@ lurker, ALL,

With Regards,

“Bluetooth has unfixable security risks baked into the protocol, it’s ideal for OpenBSD to ignore it.”

It’s not just Bluetooth with “unfixable security risks baked [in]”

In fact nearly all comms protocols have issues from the physical wires all the way up.

For instance take data diodes and the like they are supposed to be “one way” to “isolate and segregate”…

BUT, many include “errors and exceptions” in oh so many ways and nearly all can thus be used as a “back flow channel” of one form or another… That often can reach back right into the core of a security system. Some HSMs suffer from this “little issue”. That few others will admit let alone talk about.

I could go on and on and… but let’s be honest I don’t want to wear out “my typing pinky” 😉

Clive Robonson January 14, 2026 10:21 PM

@ ALL,

Bluetooth goes further than you’re told.

The design of Bluetooth is to give reliable operation under adverse conditions for Class 2 that’s up to 33ft or thereabouts. But some are Class 1 and greater than 350ft…

Then there is now Class 5 designed to reach out a kilometer.

Also most but not all devices use electrically short monopole antennas working against a near non existent ground so the performance is quite degraded. Then it’s often used up against a body in pockets degrading it even further.

So on a table the range can easily be 100ft for class 2 more without any modification. With class 5 beyond 5km…

If you are an attacker you would ensure your side of things had the best of it with antennas with significant gain. You might even add RX and TX low noise amplifiers as well.

Some have demonstrated line of sight operation of over 2500ft or half a mile in EM Interference (QRM) Quiet areas with Class 1.

So remember Blue-jack attacks do not have to be by people standing close to you…

KC January 15, 2026 12:20 AM

“SecurityWeek reviewed a video demonstration of this exploit, which showed a wheelchair being remotely driven off a flight of stairs at high speed.”

Yeeikes.

Maybe we’ll see the video later at a conference? Depending on the model, looks like the max speed is 3.7 to 5 mph.

I’m a little surprised both models are also vulnerable to EMI (electromagnetic interference). Like you aren’t supposed to use a CB radio or turn on a cell phone when the wheelchair is on. So I guess just holster your “You got a Kojak with a Kodak at the 112 marker” while in cruise mode.

lurker January 15, 2026 1:16 AM

@KC
“you aren’t supposed .. [to] turn on a cell phone when the wheelchair is on.”

There are civilised markets around the globe where such a device could not be sold.

Clive Robinson January 15, 2026 4:23 AM

@ KC, lurker

With regards,

“Depending on the model, looks like the max speed is 3.7 to 5 mph.”

In many places electric wheel chairs are deliberately limited to 4 mph and or 8mph depending on the type of wheel chair.

1, 4mph for where other people walk.
2, 8mph for where other people drive…

Due to the down sides of,

“There are civilised markets around the globe where such a device could not be sold.”

(They even “take the micky” out of them in Futurama where they are used in the “Central Bureaucracy”. See,

https://futurama.fandom.com/wiki/How_Hermes_Requisitioned_His_Groove_Back )

Many with a little work with a soldering iron and a change from lead acid to LiPo batteries can do almost double the mph or have around 5 times the range. Change the motors to those efficient “wheel hub” 1hp ones you find in EV bikes that come from China and well over 40mph is fairly easy to do before you die of fright (see Andy Kirby’s YouTube channel for why,
https://m.youtube.com/watch?v=EjhhPXNhLOw ).

In the UK long before these speed limit laws came in, for electric wheelchairs / mobility scooters. There was a gentleman who dressed like a “Hells Angel” that travelled a busy road on the Wimbledon – Tooting border in South West London called Haydons Road. He had a vehicle that was a type of wheel chair / chopper bike he had “modified himself” that easily did 70mph.

It was not “licensed or taxed or Approved” for on the road use, yet the Police no longer stopped him… Because he had found a legal loop hole… Back around then a company in Thames Ditton just south of Hampton Court Station that had once made AC Cars was now called 20th Century Fiberglass and was going out of or had gone out of business. Because they made these truly terrible blue fiber glass disability cars “on government contract” that we used to joke were,

“The unfortunate love child of a plastic pig[1] and a milk float, for homicidal racing grannies to kill pedestrians with.”

Called the “Invacar”,

https://en.wikipedia.org/wiki/Invacar

They had a legal exemption as they were once “Government Provided” for the disabled the infirm, and the children whose mothers had taken Thalidomide whilst pregnant of which there were large numbers. But in true bureaucratic legislative fashion as they were leased by the Government to the disabled as part of their disability benefits and the company employed disabled people to build them, there was a legal exemption. Which was worded such that other “disability vehicles” below a certain weight could claim the exemption. Importantly though it did not exclude “self builds” as “prototypes” etc…

So he claimed it was an exempt vehicle, and though actually a really friendly and approachable person was one of those that just naturally looked scary…

[1] A “Plastic Pig” was an insulting name for a “Robin Reliant” three wheel car or “Reliant Regal” “small trader van” that although “road legal” had some unfortunate issues like turning on their side when going around corners down hill… The most famous one of which was the yellow one used in the BBC sitcom “Only Fools and Horses”, you can see a photo of it in a museum in,

https://en.wikipedia.org/wiki/Only_Fools_and_Horses

Dinah January 15, 2026 7:17 AM

Ditto for my kid’s leg. My daughter uses a prosthetic knee with bluetooth. The app allows her to change settings which is particularly helpful for expected tasks like inclines, declines, and stairs, and also for less expected tasks like adjusting for no, low, or high heeled shoes. It’s really great.

Where it’s not great is when I use her app at her prosthetist’s office where many other people have the same model. Her app finds all devices within range which are by this company then you select yours. No enforced security and the selection screen is just serial numbers so it’s easy to pick someone else’s by mistake.
