On 13/03/2024 17:02, Peter wrote:

May I ask a stupid question?

I have developed a product which uses MbedTLS 2.16. I am on this
mailing list so I get to see the various updates since.

And I wonder: is there any point in upgrading?

If your embedded product is a client, and usually behind NAT (or an
equivalent firewall) and accessing some private server (or a trusted
public server) on a schedule of its own choosing, then the whole
attack surface is minimal.

Sorry, that's just not true. IoT devices are massively used as relays to attack local networks. Mirai (https://en.wikipedia.org/wiki/Mirai_(malware)) was a famous example recently, having infected millions of IP cameras. And this keeps happening and happening.

(…)

Basically, as you can see, I see the only valid applications for
MbedTLS in scenarios where a) the box is a client and b) you control
the other end's server (or, if you don't control it, you are prepared
to periodically revisit your code and fix it whenever the server's
owner has changed the crypto suite or whatever).

A lot of devices running Mbed TLS are small servers to which even smaller devices connect to (e.g. a WRT or similar linux server that acts as a gateway for a bunch of microcontrollers).

ISTM that the general drift in the IoT sphere is indeed along the
lines I describe. It "incidentally" also delivers a revenue stream
because you can charge the customer for that server ;) Whereas if you
just sell a box, you have no business model for funding long term
functionality.

Well, I'm an Arm employee and our revenue is basically from the sales of boxes. Upgradability is a thing we're throwing in for free. Mbed TLS is part of Arm's Platform Security Architecture (PSA) reference implementation. The reason firmware update is part of PSA is that we don't want our customers/users to be the next Mirai victims.

Best regards,

--
Gilles Peskine
Mbed TLS developer