SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

The Checklist 78: The Perils and Pitfalls of Old Software and Hardware

Posted on March 1, 2018

In the time since we started The Checklist, we’ve reported on and discussed a variety of stories that, time and time again, come back to the same foundation: hackers breaking into the computers in our homes and businesses by exploiting weaknesses in old hardware or software. While not everyone can always afford to keep their computers upgraded to the latest, greatest hardware, there are many reasons users may want to or need to run old programs on old machines.

On today’s episode of The Checklist, we’re looking at the risks inherent in running old stuff, why you might need to use it all in the first place, and how to mitigate some of the risks when you do interact with these systems. On our list today:

  • Old hardware versus old software
  • The dangers of running old hardware or software
  • Using a virtual machine to protect yourself
  • Employing isolation to continue using old systems

First, let’s begin with sorting out what exactly we’re talking about when we say old hardware and software. Is it from last year? Last decade? What qualifies?

Old hardware versus old software

Let’s look at old hardware first — not everyone, or even most people, purchase a brand-new computer every year or every few years. They aren’t purchased often like phones in that regard, especially given that they are often much more expensive. So, it’s not unusual to have older machines around, but when do they become a security risk? Generally, if you’re still able to run the latest version of the most secure operating system supported by the hardware, you won’t be exposed to too much risk. There isn’t a whole lot of malware out there that relies on directly exploiting hardware flaws — barring any forthcoming hacks based on Spectre and Meltdown, of course. Those flaws affect systems going back decades, and in the future when newer CPUs are not susceptible to those attacks, old hardware will become even more undesirable.

However, if you can’t upgrade the operating system anymore, the hardware is probably too old to use safely. A computer that can only run Windows XP, as we all know, is no longer secure from the latest threats — last year’s major ransomware attacks such as WannaCry made that fact abundantly clear. At a certain point when you can no longer receive new security upgrades, the hardware can become a liability. That said, there are occasions when these old systems must remain in use. For example, perhaps you need to use software that simply won’t run on newer hardware due to the difference in age. It could be a program fundamental to operating a business reliant on legacy systems.

Older telephony systems and special hardware you may have could be incompatible with modern machines, too. Many old PCI cards no longer fit in the slots present on today’s motherboards and therefore can’t interact with new operating systems either. If this hardware is essential, or even if you’re just a hobbyist exploring and tinkering, you may not have many options for upgrading without sacrificing the functionality.

Similar issues occur with old software. As long as programs can receive updates to protect against new flaws and discoveries, you’re generally safe so long as you keep up with the latest version. However, that’s not always the case — and sometimes you can’t upgrade your operating system without giving up features you use every day. It could be from last year, or it might be from the previous decade, but it’s a difficult balancing act you’ll face when your software doesn’t function on the latest operating system.

One significant example that some Mac users encounter on a regular basis is the software suite ProTools, an industry standard package for professional audio engineering and editing. ProTools has a reputation for being closely linked to highly specific versions of macOS; otherwise, its features break and the software won’t always work as expected. It often takes quite some time for ProTools to certify new versions of macOS and release updates accordingly. As a result, users must use older and potentially insecure versions of macOS while waiting for an update.

In situations such as these, your best option is to find an alternative. Choosing different software that achieves the same goal can help make your machine more secure without disrupting your personal life or the operations of your business. With something like ProTools, though, that isn’t always a viable choice. If you choose to run old systems — or if you have no other choice — it’s essential to understand the potential risks you face. Once you know that, we can spend some time focusing on how to make using these systems and programs safer.

The risks of running old hardware or software

Running unsupported software, especially using older machines, can be an inconvenience, particularly if you must deal with a slow computer or software that does not always respond as you’d like. However, beyond mere annoyances, some real risks come with using these systems. Let’s go over a quick breakdown of what they are.

Old software may contain all kinds of bugs that went unpatched during its original operational life and now remain open to exploitation in perpetuity. Old operating systems, for example, those which no longer receive security support, will always remain open books to hackers who find new and unpatched ways to exploit them. Running older versions of Windows is often so strongly discouraged, and even the older Mac systems can be prone to severe attacks if left connected to the Internet and unprotected. Even consumer programs can become vulnerable, though.

Consider Adobe Flash — once one of the most prevalent tools for Web development ever, not only was it plagued by security problems throughout its lifespan, but even now it continues to be a source of exploitation. Older websites that use Flash, and even computers that have a Flash Player installed, are often at risk of exploitation.

Bad actors looking for ways to pry into your machine using these flaws will hunt for sensitive personal information on your machine or devices connected to your home network. Perhaps they could turn your computer into a slave for a botnet, or use it as a conduit for sending spam or dropping malware to other users via infected emails. The potential for damage is pretty broad in these situations.

These are fundamental reasons why it’s important to abandon deprecated software whenever possible; sometimes, the problems only get worse, rather than dropping into obscurity. Often, when support for a product ends, you’re truly on your own — whether you face a security problem or an issue with basic functionality, there’s no one left working to fix the issue. Perhaps you might not even be able to obtain the software anymore, as is the case with many old downloaded programs where the author and website have disappeared.

Old hardware can contain serious bugs, too. Spectre and Meltdown are just two of the most prominent examples. In other cases, the bugs can be more subtle, yet still provide many opportunities for exploitation. Old Internet of Things devices, for example, which haven’t seen updates in years, often feature hardware vulnerable to exploitation. The same is often true for old modems, routers, and other networking devices. These items carry risks beyond security loopholes, too. If your old hardware breaks, there may not be parts left around to fix it, or individuals who understand how to approach a repair. As operating systems receive new upgrades, you may not even be able to find drivers to run the hardware — rendering it useless in the end anyway.

Sometimes, you have no choice but to accept these risks and run with the old hardware/software that can get the job done. Knowing the risks first, though, means you can look for alternatives or at least prepare to limit your exposure to the bad guys.

Using a virtual machine to protect yourself

In many cases, especially when you need a particular environment in which to run some software, a virtual machine will be one of the best options out there. This method allows you to continue using the software you need while also retaining the modern security protections of a recent device with an up to date operating system. If you’ve never heard of a virtual machine before, though, the concept can seem foreign. What is it? In simplest terms, it’s just a type of emulator — software that mimics a particular hardware setup.

Think of it as a program that acts as its own computer. While it uses your resources and computer hardware to make it happen, inside the program, everything works as if it’s the machine you want to emulate — down to the hardware involved. Using a virtual machine also means that you can run software that you wouldn’t be able to install and run on your actual operating system, such as macOS High Sierra. For all intents and purposes, the software will think the virtual machine is a real, physical computer with hardware and peripherals that it understands how to communicate with; in this way, you can continue to use even obsolete programs.

There are a variety of programs and services out there that allow users to run virtual machines for such purposes. VMWare is one of the most popular programs out there, and in fact, it has a free version for users who only need to run a single virtual machine. That’s as opposed to a security researcher or a big corporation which might need to run a large number of VMs at once. Not only does a system such as VMWare allow you to run older software in a way that often works relatively well, but it will enable you to isolate the potentially vulnerable software and VM operating system from attackers.

Since all these things run at a software level, it’s not exactly easy, or sometimes even possible, for the bad guys to break in. By virtue of its isolation from the network, you gain a degree of safety. Virtual machines are also far easier to maintain than a hot room filled with a wide variety of computer hardware sucking down tons of power every day!

A few words of warning about trying to rely on virtual machines, though. First, while it’s often easy to get basic peripherals such as mice, keyboards, and printers to work with a VM, more specialized hardware devices may not function correctly as you expect. Driver difficulties, software issues, or problems of hardware emulation can all pose a problem. Proceed with caution if the software you want to run also requires some special equipment.

Virtual machines also require some technical know-how to navigate; unfortunately, they aren’t as simple to use as running a program setup installer and then launching the software when it’s finished. It can be fiddly, and it can even be frustrating as you figure out the combinations of settings that work the best. With that said, running a virtual machine, even with VMWare, has become much easier than it was in days past. In fact, you can even benefit from the vibrant community that’s sprung up online around VMs.

There are big communities on forums, and sites such as Reddit centered around making VMs work appropriately and extending their functionality to support more software. If you choose to go down this road, we suggest getting in touch with these groups of people. You can learn the ropes and get help from them as well as the companies that create the VM software in the first place. However, a VM solution isn’t always going to work. What if you have no other option but to run the old system?

Employing isolation to continue using old systems

The simplest way to protect yourself from the security risks, at least, is to avoid connecting the machine to your home network or the Internet at all. Keep it “air gapped,” or entirely disconnected from the web. Without network access, there’s no way for the bad guys even to have a shot at attacking the machine. If you can continue to access the functionalities you need without Web access, then great! You don’t have much else to worry about in this case. For those whose software needs to connect to the Web, or when you must continue using an old machine for another reason, take some other common-sense steps to prevent problems.

Make sure the machine sits behind a robust firewall, and consider installing dedicated firewall software on the machine itself. While sometimes this can be tricky to set up, restricting and locking down access to the device as much as possible is the ideal solution. You should also limit which machines on your network can access the computer. If it becomes infected, this will limit potential attack vectors and mitigate any additional damage that malware could cause. Try to maintain as much separation between your old machine and other hardware as you can.

In addition to the firewall, install a good antivirus and anti-malware solution on the machine as well. Keep it updated with the latest malware definitions to hopefully reduce the chance that anything can wreak havoc with your data. If you do suffer an infection, these utilities should make it simple to contain the problem and rectify it without too much stress.

Don’t simply set your old hardware up and forget about it, though. Just as we’ve seen happen with old IoT devices that have vulnerabilities discovered, it is all too easy for some systems to become points of attack. If you set things up once but never run updates or re-evaluate your security setup, you’re exposing yourself to unnecessary risk. Overall, when running older systems, your focus should be on safety first. Take your usual good security habits and amplify them; assume your system is at risk even if that risk isn’t apparent.

Eventually, all good things must come to an end. If what you need to rely on today is already out of date, where will that leave you in five years, or ten? While the software of today will age and you may encounter similar situations in the future, consider having a contingency plan in place for when your old hardware or software won’t pass muster anymore. As mentioned earlier, look for alternative software that can replicate the functions you need, or figure out if VMs are a real option. Ultimately, it may be time to move on to something else.

That covers everything we have for you today. Are you running any old and vulnerable systems in your home or business? It’s worth taking a closer look to see if you’re at risk, and considering changes if you can identify a safer way to continue using the necessary machines or software. While new malware emerges all the time, old versions still stick around — so it’s always wise to continue to think about your potential security risks.

For more episodes of The Checklist, visit our archives where you can find every episode from #1 all the way to today, alongside complete notes. We also love hearing from our listeners, especially if you’ve got a topical idea or some questions you’d like answered. Send your emails to and let us know what you’d like to hear us discuss next.

Join our mailing list for the latest security news and deals