FOREVERDAYS

0-days are not of much interest.

If they are not abused by attackers before there is a patch available, and that patch can be installed quickly and easily, there is a rather limited time window of opportunity to exploit the vulnerability, especially at scale.

If the 0-day is abused before a patch becomes available, widespread use of it will eventually set off alarms, triggering investigations, patch development & public announcement encouraging updates to be installed ASAP.

FOREVERDAYS on the other hand, are of both high interest & great concern. Foreverdays are vulnerabilities that just cannot be fixed in a short period of time, and may very well take years and decades to fix, at massive costs.

On October 19, 2023, I attended an AFSecurity seminar at the university of Oslo, Norway. Arranged by Professor Audun J?sang , the topic was "Advanced Metering Infrastructures Security", with Professor Sujeet Shenoi presenting from the University of Tulsa, Oklahoma.

His presentation was truly fascinating, scary and eye-opening at a very complex level. Instead of looking at 0-days as we usually do in our world of software, he talked about Foreverdays in a much bigger context. As he explained:

The attacker targets a single smart meter installed somewhere. The smart meter can be a very simple little SoC computer, running an outdated & vulnerable Linux operating system. Gaining access can happen locally because the box itself has little to no tampering protection, as it keeps production costs down. With access to a single box, the attackers discovers the box is part of a network with millions of boxes that are exactly the same. With access to one, the attacker gains administrative access to all of them very quickly. Through efficient automation the attacker can shut off, change, disable or possibly even destroy all the smart meters. They will need physical access, or even physical replacement, to get up and running again.

Here comes the Foreverday problem into play: the time needed for physically visiting a couple of million physical locations to hard reset or replace those boxes comes with a hefty price tag.

But that's not all. These boxes are produced in another country. The factory can produce 10,000 units per week. They can increase their production to 20,000 units per week in 3-6 months. That would leave hundreds of thousands - millions - of households, factories, offices and more without electricity for looong time. And to repeat: the cost of replacing all those units?

Hence Professor Sujeet Shenoi's use of FOREVERDAYS to describe the problem.

Most definitely a word I've been missing from my vocabulary.

Now I think there are quite a few of us who may know of, or who will now realize the existence of Foreverdays in some of the work we do. The question is: what can we do about them?