The only way for the user to "fix" the problem is to "unplug all the devices, throw them in the dumpster and install all new ones," he said.
And that, of course, won't fix it either, because the new ones are "likely to have the same vulnerability spectrum that made this possible in the first place. So this is not a quick trip to the big box store, but rather flushing the entire design space and pipeline inventory of every maker of home routers," he said.
Geer said one way to deal with the problem is "a very important work now appearing under the title of 'Language Theoretic Security,' or LangSec," which posits that for software to be trustworthy, it needs to be able to recognize valid inputs "as a formal language," and reject the rest.
But, he said, "for complex input languages, the problem of full recognition of valid and expected inputs may be, in the formal sense, undecidable, in which case no amount of input checking or testing will suffice to secure the program. Many popular protocols and formats fell into this trap."
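The LangSec principle described above, as an added example that is not part of the original article or of Geer's talk: a recognizer that accepts only messages in a small formal language and rejects everything else before any processing, next to an ad hoc parser that does not. The settings-message grammar, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Assumed grammar for a device settings message (constructed for this example):
#   message := pair (";" pair)*
#   pair    := key "=" value
#   key     := 1-16 lowercase letters
#   value   := 1-64 characters from [A-Za-z0-9.-]
# The language is regular, so full recognition is decidable and cheap.
PAIR = r"[a-z]{1,16}=[A-Za-z0-9.\-]{1,64}"
MESSAGE = re.compile(rf"{PAIR}(?:;{PAIR})*")
MAX_LEN = 512  # bound the input size before matching


def recognize(raw: bytes):
    """Return the settings dict if raw is in the language, else None."""
    if len(raw) > MAX_LEN:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if MESSAGE.fullmatch(text) is None:  # whole input must match, no leftovers
        return None
    settings = {}
    for pair in text.split(";"):
        key, value = pair.split("=", 1)
        if key in settings:  # duplicate keys are ambiguous: reject, don't guess
            return None
        settings[key] = value
    return settings


def adhoc_parse(raw: bytes):
    """Ad hoc parsing for contrast: keeps what it understands, ignores the rest."""
    settings = {}
    for pair in raw.decode("latin-1").split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            settings[key.strip()] = value  # silently overwrites duplicates
    return settings


if __name__ == "__main__":
    # Constructed sample inputs: one valid, three outside the language.
    for s in (b"ssid=home-net;channel=6", b"ssid=home-net;channel=6;",
              b"ssid=home-net;ssid=other", b"ssid=home-net\n"):
        print(s, "->", recognize(s), "| ad hoc:", adhoc_parse(s))
```

The ad hoc parser returns a settings dict for all four inputs, while the recognizer returns one only for the first.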
And the bottom line, he said, is that the monoculture, as convenient and relatively low-maintenance as it is, may not be sustainable. "Is it time to say that software per device has to be as unique as possible?" he said.
That time may already be here, he said, noting the Moon worm "that is now working its way through the world's Linksys routers. It may not be that the forest might burn—it may be that it is already afire. It may be that we are one event away from being unable to distinguish a hostile action from an industrial accident, and that matters a lot, at least in Washington."
Which means, he said, it may become mandatory "to distribute software to endpoint devices based on diversity compiling on a 'onesies' basis."
Otherwise, "in a world of rising interdependence, APTs will not be about the big-ass machines," he said. "It will be about the little ones. It will not be about devices that have a host name and a console. It will go against the ones you didn't even know about."
And the only answer, he said, is to reduce the interdependence of billions of devices. "It cannot and will not be damped by any laying on of supply chain regulations," he said.