European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn't much like what it sees. So it's mulling a vendor's nightmare that the US and UK dared not approach: security regulation - at least the minimal regulation of testing and certification. In a position paper published Monday, …
Rule 1) No access without credentials
Rule 2) All devices have different default credentials
Rule 3) Mandatory bug bounty programs, with rewards in line with risk. So for a car say $50,000,000 for gaining control of a drive by wire system.
That should concentrate minds on both sides :)
> All devices have different default credentials
The device shall not become operational until the user has set up their own credentials.
Rule 4) Any functionality that depends on a central server, whose status is outside the purchaser's control, must be explicitly stated, and guaranteed (subject to financial penalties) for a specified period.
That would be a disincentive to the current "can't unlock my Smart Front Door because the vendor's server is down" idiocy.
I can do it much more simply.
Customers may return a product for a full refund for up to five years after the purchase date if it has a demonstrated security weakness under "not fit for purpose" regulations.
Nice and easy to determine in a court of law.
Minimal additional legislation required over existing.
Decent amount of comeback on manufacturers who push out junk.
Decent incentive to actually make things work properly.
Already handled under existing product returns, etc. processes for all involved.
In the same way that a bank vault that doesn't shut would be sent back to the manufacturer, an IoT device that can't be secured from the Internet should be sent back too.
Rule 2) The device shall not become operational until the user has set up their own credentials.
This might be a bit much to expect from Grandma. It might be more user-friendly for every unit to have different default credentials, derived from the serial number, and printed on a card that comes with the device. If they lose the card, they can go to the company web site, enter the serial number, and get the default password. That also means the device can be used out of the box, without any setup that requires a computer they might not have.
Rule 4) Any functionality that depends on a central server...
Must have its protocol documented and at the very least stored in escrow to be published should the company cease to trade or support the product.
3) Security updates must be available for at least ten years
4) Any communication must be properly secured
5) Any user data collection must be explicitly opt-in
(although this will instantly kill the IoT market...)
> Security updates must be available for at least ten years
That's both too long and too short. On one hand, you can have chips in stuff that won't last 5 years in best case conditions of use (toothbrush with internal battery) and then you have stuff that has like 7 years of warranty.
Probably specifying that the updates must be provided for the time the device is under warranty and that the period that the updates will be provided must be specified on a label (like the energy labels or nutritional labels) would make it possible for consumers to actually make informed choices.
"(although this will instantly kill the IoT market...)"
The most essential rule of the lot.
The existing iteration of "The Internet" is not now, never has been, and never will be secure ... at least not without a complete tear-down and redesign. From scratch.
Don't worry, Mayhem is on the case.
Inevitably, the Snooper's Charter, the Digital Economy Act, and blockers for several different things weren't enough.
The existing iteration of "The Internet" is not now, never has been, and never will be secure
Arguably by design. Security invariably includes an expiration date. Imagine what the Internet would be like if in the '70s DARPA had insisted on the implementation of DES within TCP as the method for providing secure transport. It would have worked fine for a few years, but nobody would be using it today (at least not as a secure transport method).
The Internet might be better with security baked into its fundamental protocols, but obsolescence and software flaws would always nip at its heels.
"Actually by design". FTFY
The existing iteration of "The Internet"
There, FTFY. The truth is, nothing known to man can ever be really secure as long as someone knows about it. Not even a One-Time Pad is proof against Rubber-Hose Cryptanalysis. The only true secret is one known to NO ONE and NO-THING (because the thing can be used by man to access it).
The article refers to 'cites connected cars and factors', should that be factories?
I agree that rules 1~5 provide a good mandatory starting point though they must be subject to continuous ongoing review.
Providing that rules 1~5 are implemented, adding or modifying the rules would be straightforward as needs arose.
Rule 6) Any device not adopting the current (as amended) rules for IoT devices is to be barred from all access to or from the internet. This is also required to ensure continuous compliance.
Rule 2 should carry a rider that forces the user to update even the default unique credentials within three months of installation and meet agreed standards for uniqueness and complexity or be barred from the internet.
Some devices already have buttons to re/connect to the wifi. It might be easier to set (eg) a double-press to allow net-based admin login access for the next 15 minutes, which would cut down the attack window by a considerable fraction. Many users should easily understand "double-click for admin"; whereas many (most?) clearly cannot be bothered with password changing, and mandating stuff will not change that.
Not perfect, but might be more consumer friendly than mandatory ban-hammers. Comments?
"many (most?) clearly cannot be bothered with password changing, and mandating stuff will not change that."
It will if the mandate is that the device will not become operational until the user's own credentials are entered. And any variation on "password" will be spat back at the user after a second, 2 seconds at the next attempt etc.
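An added example, not code from the thread, that models the controls proposed above in Python: a unique per-unit default credential for the card scheme (derived with a factory secret so the serial number alone is not enough), no operation until the owner has set their own password, trivial "password" variants spat back, and a 1 s, 2 s, 4 s... delay after failed attempts. FACTORY_SECRET, the Device class and the simulated clock are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical factory-side secret: stays in the factory, never on the device,
# so the per-unit default cannot be recomputed from the serial number alone.
FACTORY_SECRET = b"constructed-factory-secret"
# Trivial variants of "password" that get spat back at the user.
WEAK = re.compile(r"^p[a4]ss ?w[o0]rd[0-9!]*$", re.I)

def default_credential(serial: str) -> str:
    # Per-unit default, printed on the card shipped with the device.
    mac = hmac.new(FACTORY_SECRET, serial.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

class Device:
    def __init__(self, serial: str):
        self.salt = secrets.token_bytes(16)
        self._hash = self._h(default_credential(serial))
        self.owner_set = False        # not operational until this is True
        self.failures = 0
        self.now = 0.0                # simulated clock, seconds
        self.locked_until = 0.0

    def _h(self, pw: str) -> bytes:
        # Salted, slow hash so a dumped flash image does not yield the password.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def login(self, pw: str) -> bool:
        if self.now < self.locked_until:
            return False              # still inside the back-off delay
        if hmac.compare_digest(self._hash, self._h(pw)):
            self.failures = 0
            return True
        self.failures += 1
        # 1 s after the first failure, 2 s after the second, 4 s, 8 s ...
        self.locked_until = self.now + 2 ** (self.failures - 1)
        return False

    def set_owner_password(self, current: str, new: str) -> bool:
        # Rule 2 as proposed: the device only becomes operational once the
        # owner replaces the default with credentials that pass the check.
        if not self.login(current):
            return False
        if len(new) < 12 or WEAK.match(new):
            return False
        self._hash = self._h(new)
        self.owner_set = True
        return True
```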
Um, programming the bloody IoT thingamabob to not connect until the default password has been changed will change that.
... be so annoying that the consumer hates it, they will probably "fix" the perceived problem by buying something off the net which circumvents the mandate.
Especially if "setting up" requires a computer the owner may not possess.
And I hope they will be.
I feel this would be a small but welcome step in the right direction. We require all sorts of basic safety measures before products can be sold in the EU. From preventing people being electrocuted if they insert a plug into a socket to preventing kids from losing fingers if they don't pay attention to how a product is supposed to be used. It can't and won't prevent each and every incident but having a secure base will probably reduce it by 90% or so.
The same could be done for IoT devices. A couple of basic guidelines (some good ones already mentioned above) to prevent the worst disasters from happening. Perhaps revisit the guidelines every five years to update them with new insights and technologies. It won't prevent each and every breach or botnet but it can surely bring it down considerably.
"EU security think tank ENISA looks for IoT security, can't find any"
How can this be?
After all, the 'S' in 'IoT' stands for 'Security', doesn't it?
Actually, "IoT" really stands for "Insecurity of Tat."
So if ENISA looks hard enough (or uses the correct regex), they will find the security in IoT.
Not letting those pesky furriners dictate their absurdist Socialist fantasies to plucky Brits.
I see the headline "Brexit Takes Back Control (c) of the Internet (of Things)" (C Rabid Xenophobia Publications T/A The Daily Heil)
"Taking back control", "Take back control" and all variants thereof in terms of font and capitalization copyright 2016 Lynton Crosby
Brexit or not, in effect any EU requirements will apply to most or all of the products in British shops. The British market is too small to create a separate version for so suppliers will probably just sell the EU product to UK consumers.
IRL that's exactly what I expect to happen.
Without the UK the EU population is 678m vs UK population 65m (Google listed 743m but I took off the UK figure), roughly 10.5x bigger.
IRL the UK could have easier qualification standards than the EU but so what? You've put in the effort and got access to a market 1/10.5 that of the EU. Why bother?
Unless an EU standard is massively stupid the UK will harmonize with EU standards anyway, without any say (hard Brexit, as promised by the Great & Glorious Leader herself) in how it's set.
Good to know the UK is "Taking back control (c)" is it not?
Please no. So government regulation on security to ensure total failure. Awesome. Is this going to be mandatory back doors or something like the US restrictions on how strong the encryption is meant to be? Even if they manage to put together semi-decent proposals (we are talking politicians here), how long until some genius comes up with a stupid idea, or the technology changes too quickly for them to cope with?
Well at the moment, there is no front door, no back door, no walls and no windows, oh and no roof either; are you so sure you like that situation?
Oh ah is that a government spook I see looking through your missing everything or just some local tramp?
At least he can see you have nothing to hide, so no real need to even bother looking.
"Well at the moment, there is no front door, no back door, no walls and no windows, oh and no roof either; are you so sure you like that situation?"
Yes. If the IoT somehow succeeds this time we will have people wanting security and it will become a priority. If people don't care then nothing will change. If politicians get involved we have wonderfully out of date tech even the companies don't want to deploy, such as the smart meter project.
I want products to be available and affordable. I want them to try things out and find the best way of doing things and solving problems. Not lobbying to get the rules changed to their favour, falsifying results to bypass regulation or blocking new products by pushing the cost of complying with regulation up.
"At least he can see you have nothing to hide, so no real need to even bother looking."
I am sure the rules will meet NSA specs as long as Germany is still on speaking terms with them. If not the NSA is probably just on listening in terms with Merkel.
Are you also going to roll back the thousands of existing regulations, which make your life a lot safer than you have any right to expect?
For every 'daft regulation' reported (or invented) by the Daily Mail or equivalents, there are thousands of well-considered, argued and agreed, sensible and proportionate regulations - which make our lives safer and more predictable, usually without us ever noticing.
" Is this going to be mandatory back doors"
The UK govt has already issued the Statutory Instrument describing as much, reported by El Reg previously.
"Are you also going to roll back the thousands of existing regulations, which make your life a lot safer than you have any right to expect?"
IoT fad lack of security is life threatening? Is the smart TV gonna pick up a knife and kill its owner? (I don't have one but my understanding is they can't even get the apps maintained.)
"For every 'daft regulation' reported (or invented) by the Daily Mail or equivalents, there are thousands of well-considered, argued and agreed, sensible and proportionate regulations"
Wouldn't know what is in the Daily Mail. However stating that there are some good and bad regulations doesn't improve the bad ones.
@John Smith 19
"The UK govt has already issued the Statutory Instrument describing as much, reported by El Reg previously."
My point exactly. Politicians exist to get re-elected, including by sucking up to voters with knee-jerk or excessive interference and trading favours with lobbyists. How long until a muppet gets influence and proposes some stupid rule they don't understand, as the Tories are doing? Look at the effect of anti-terror laws by Labour. Germany was helping the NSA until the NSA bugged Merkel.
is the smart TV gonna pick up a knife and kill its owner
No, you'll just be browsing on your Tizen TV, the ancient WebKit browser will get owned via a 3rd party ad, and from there the malware will rummage round your LAN.
IoT fad lack of security is life threatening?
First, you're behind the times. This is not a proposal. In IT language this is a plug-in for RIPA to spell out exactly what they want, where the original paragraph basically said "To be determined."
Second is the fact you seem to think this is being driven by politicians. Did it not seem strange to you that 9 Home Secretaries from the Labour and Conservative parties have spouted the same line?
"Tend, a Boston-based startup, introduced its hardware-agnostic smart cloud robotics software that allows manufacturers to remotely control, monitor and analyze the performance of any robot from mobile devices. The software, called Tend in.control (intelligent control), allows users to securely interact with robots tending to production lines using a simple mobile interface. Dashboards provide a real-time view into the status of machines and specific jobs. And, if you need to stop or start a robot, that can be done remotely from any location via the smartphone."
Since smartphone interfaces are *intrinsically secure* (TM!!) then shirley nothing can go wrong with controlling your industrial IOT from your effing Android, right? Oh, wait, the ad-blurb has the magic keyword "securely" in it, so that's all right then.