On Wed, Oct 15, 2014 at 9:50 AM, Harald Alvestrand <harald@xxxxxxxxxxxxx> wrote:
> For extra entertainment, consider that SIM cards have an independent OS and
> writable flash.

And being constrained devices, almost certain to be coded in raw C with little reuse of common libraries and thus most likely to be exposed to buffer overrun bugs.

Anyone want to do a pool bar BOF in Hawaii? One of my life ambitions is to have a cocktail served in a baby pineapple.

I think there are several dimensions to the problem here.

At one level, just knowing what we have, what binaries are running on the devices would be a good start. It might be cheaper to dispose of the device or to isolate it in the network.

Knowing what there is would be the first step to managing updates. Without management the update process becomes an attack in itself.

Until recently I was playing Minion Rush on my iPhone. Then they 'upgraded' to the Jelly lab edition and I suddenly lost all my achievements just as I was about to complete the set. I don't want my light bulb provider to Jelly-lab me.

Any and all updates have to be controlled by the network operator or their proxy.