back to article Fix crap Internet of Things security, booms Internet daddy Cerf

Vint Cerf, one of the fathers of the internet, has weighed in on Internet of Things security, warning that a Mirai botnet-style incident could happen again unless vendors start taking responsibility for their goods. “The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or …

  1. Rich 11 Silver badge

    “Let’s just stick with internet enabling of everything, but on the other side of that, let’s make sure that when we do that, we think our way through the security, safety and reliability of the systems.”

    Good luck with that.

    Manufacturers aren't going to pull their finger out until it hits their bottom line. If they can sell unsafe tat to unaware people impressed by the shiny, they will. If a competitor can undercut them by not securing new products, they won't secure theirs either.

    You're going to need a public education campaign equivalent to the ones 40 years demonstrating that car seatbelts were worth paying for, except that this one will have to be global.

    1. Phil O'Sophical Silver badge

      demonstrating that car seatbelts were worth paying for,

      The IoT, unsafe at any speed? Ralph Nader's still around, I think...

    2. LDS Silver badge

      He's employed by Google, it can't bite the hand that feeds him...

    3. Orv Silver badge

      Interesting example, because what moved the needle on seat belts (at least in the US) was a government mandate. Car companies originally offered them as an added-cost feature, while simultaneously dismissing their effectiveness, then used the resulting slow sales as an argument for the folly of providing them. For many years, in fact, the industry line was that crashes over 30 mph were not survivable, and the only solution was teaching drivers to drive better so they wouldn't crash.

      1. bombastic bob Silver badge
        Devil

        I hope "the answer" isn't EVEN MORE gummint...

        "what moved the needle on seat belts (at least in the US) was a government mandate"

        sadly this is true. It also brought the cost down when EVERY car maker had them.

        If it takes a gummint mandate, I suppose that's what we'll end up with. Fortunately, however, we still have some time for a PRIVATE SECTOR solution.

        My own belief is that SOME gummint (i.e. liability laws) coupled with MOSTLY private sector (software that limits risk) would be the best overall solution, and help to prevent "gummint oversight" from literally *KILLING* the technology while it's still an infant.

        1. Steve Davies 3 Silver badge

          Re: I hope "the answer" isn't EVEN MORE gummint...

          and yet people still don't use Seatbelts. I witnessed a crash last year where a car rolled at least three times after losing it on a bend in the wet. The driver was killed yet the three passengers walked away. Guess who was not wearing their seatbelt?

          As for the IoT debacle.

          I won't have any in my home. Even my smart TV is never connected to my network.

          Anyone who does use this load of dung and given the current state of their security, all I can say that

          "Here there be Dragons"

          Just don't do it if you value anything about your private life.

          1. LionelB

            Re: I hope "the answer" isn't EVEN MORE gummint...

            As for the IoT debacle. I won't have any in my home. Even my smart TV is never connected to my network.

            But but but I like my smart telly, and my mobile, they improve the quality of my life. And I've installed seatbelts on my sofa.

          2. Orv Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            "and yet people still don't use Seatbelts."

            Actually the usage rate is pretty high, at least in the US, and it's improved markedly over time. In 1983 it was 14%; in 2013 it was 87%. In some states it's well over 90%.

            "I won't have any in my home. Even my smart TV is never connected to my network."

            I have a Chromecast on mine, but it's powered by the USB port on the TV, and loses power every time I turn off the television. So its exposure to mischief is limited to when I'm actively watching movies on it. Google made it boot fast enough that it's nearly there by the time the TV's backlight has warmed up.

        2. Anonymous Coward
          Anonymous Coward

          Re: I hope "the answer" isn't EVEN MORE gummint...

          And yet you cling to that belief, despite constant evidence that "free market" solutions fail for entire classes of problems.

          Ladies and gentlemen: Yanks

          1. nijam

            Re: I hope "the answer" isn't EVEN MORE gummint...

            > despite constant evidence that "free market" solutions fail for entire classes of problems...

            Hmm, largely a subset of the classes of problems that government fails for. Oh well...

        3. Vector

          Re: I hope "the answer" isn't EVEN MORE gummint...

          "My own belief is that SOME gummint (i.e. liability laws)..."

          I believe liability is all that's required. Make the producers responsible for the safety and security of their products just like we do with other industries. As mentioned above, you have to affect their bottom line or nothing will happen. Liability laws will do just that.

          Where to draw the line is probably the biggest debate.

          1. bazza Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            "I believe liability is all that's required. Make the producers responsible for the safety and security of their products just like we do with other industries.

            I don't think that's realistic. There's nothing about IoT devices specifically that would warrant such liability being imposed on the manufactures whilst not imposing the same liability on Microsoft, Apple, Google, the Linux kernel development community, all publishers of Linux distros, etc. All software everywhere throughout time has come with zero guarantees of correctness, suitability, etc, including software on IoT devices.

            I do not see there being any realistic solution to this problem. The manufacturers don't care because their sales are OK. The sales are OK because the customers don't care either. The customers don't care because when the hackers take over a device they normally take care to ensure that the customer rarely notices anything happening; once in control, some of them even apply patches to stop other hackers getting in. How thoughtful!

            The problem may get solved if a truly big player (e.g. Apple, Google, etc) manages to get a decent ecosystem running that solves the problems of patching, updates, access control, etc. Trouble is that so far both Apple and Google have failed to enthuse the market with their offerings. They're probably charging silly money for access.

            1. Doctor Syntax Silver badge

              Re: I hope "the answer" isn't EVEN MORE gummint...

              "The manufacturers don't care because their sales are OK. The sales are OK because the customers don't care either. The customers don't care because when the hackers take over a device they normally take care to ensure that the customer rarely notices anything happening; once in control, some of them even apply patches to stop other hackers getting in."

              Seat belts are an example of how this can be made to work. One factor mentioned was that governments mandated fitting (Charles 9 will be along any second to mumble about grey markets). The other factor was the governments mandated using them if you were on the public roads. And we now have the situation where cars are not only fitted with them, in many cases they'll bleep at you if you go at more than a snail's pace without doing them up.

              How could we apply such thinking to IoT?

              First, we'll need to mandate some requirements such as any default passwords must require a reset at initial startup or after a factory reset and something like type approval for devices which meet the current standards.

              Now we can make it illegal to connect such a device to the internet* (you can have as many as you like on your intranet, just don't let them leak out).

              Alongside that we make the ISPs responsible for their nets: they become accessories to anyone exposing a rogue device.

              The consequences?

              ISPs care so they'll deal with customers, cutting them off the net if required.

              Customers care because they lose their internet if they expose a rogue device so they'll take care to buy type-approved devices.

              Manufacturers care because sales of un-approved devices are falling (even in the grey market) because the intranet market won't be big enough to sustain them and, if everyone is having to manufacture to the same standard, there's no price advantage.

              *Shodan has demonstrated that these devices can be located.

        4. dlmetcalf

          Re: I hope "the answer" isn't EVEN MORE gummint...

          Oh right... I'm sure the private sector is going to magically start respecting clean air etc too, just like the "innovation" with VW's ECU emissions. Without some basic regulation, EVERYONE loses. It's called "Tragedy of the Commons" - please get some elementary economics education and learn about it. The Internet is a shared resource, like there's FCC regulation on radio spectrum, there needs to be some minimum security standards, to prevent unscrupulous operators harming other enterprises, individuals, critical infrastructure and enabling cyber-criminals.

        5. DougS Silver badge

          Being "anti-gummint" is not the solution

          Just like too many liberals think the solution to any problem is more regulation, too many conservatives think the solution to any problem is less regulation. Both sides have forgot the point of regulation - or more likely have no idea there is one. Regulation is required to correct market failures. Not to enforce ethics, or help people be "better" (like stupid bans on selling large sodas) The classic example is pollution - if a company makes products that have toxic waste as a byproduct, and they can just dump it into the river or let it escape their smoke stack for free, they impose a cost on society that they don't bear. That's where regulation is needed.

          If companies are selling IoT devices that get hacked and they're used to attack internet commerce and cost the economy billions of dollars, the companies selling those insecure IoT devices are imposing a cost on society that they don't bear. I'm not sure exactly what sort of regulation could properly fix that, but if they don't clean it up themselves eventually government will be forced into action. Often they don't do all that well in hitting the right target with their action, so companies would be advised to address the issue before we reach that point!

        6. Jim 68
          Pirate

          Re: I hope "the answer" isn't EVEN MORE gummint...

          A significant issue is the prevailing social problem of complete lack of ethics that has overtaken nearly everything. When the people in control of doing things have no interest in quality or potential risks, it really doesn't matter. Private sector or public, big or small, if there's no intent to do good to begin with, neither regulations nor market selection pressure will matter.

      2. This post has been deleted by its author

    4. Anonymous Coward
      Anonymous Coward

      Don't think government is going to save the day

      All fun and games until you have to rely on a legislator from Alaska who thought the internet was tubes or a legislator from Utah that thought mega corporates should be able to arbitrary destroy your hardware if their business model is threatened.

    5. Doctor Syntax Silver badge

      "You're going to need a public education campaign equivalent to the ones 40 years demonstrating that car seatbelts were worth paying for, except that this one will have to be global."

      Public education reinforced by fines for not using them.

  2. frank ly Silver badge

    Vint Cerf

    He's also one of the 'elders of the internet'.

    1. Gordon Pryra

      'elders of the internet'

      Pfft what rubbish!!

      If he was one of the "'elders of the internet'" he would have the same password for everything and also claim to have beaten Jet Set Willy because "the Specky was way better than the C64"

      Also he would have dropped inot the conversation the fact that he remembers having to chose between 4 or 5 different disk controller technologies unlike these "kids today with their SATA"

      grumble MFM grumble RLL grumble IDE? pfft "duck on your head"

      1. Anonymous Coward
        Anonymous Coward

        Re: 'elders of the internet'

        "If he was one of the "'elders of the internet'" he would have the same password for everything and also claim to have beaten Jet Set Willy because "the Specky was way better than the C64""

        Tosh, yer whippersnapper!

        Vint Cerf got his PhD a decade before the C64 or the Specky came out.

        More detailed info

      2. Doctor Syntax Silver badge

        Re: 'elders of the internet'

        "Pfft what rubbish!!"

        You picked up a few whooshes there, Gordon.

      3. CrazyOldCatMan Silver badge

        Re: 'elders of the internet'

        grumble MFM grumble RLL grumble IDE? pfft "duck on your head"

        Oi! You forgot ESDI *and* SCSI

        Who can forget them? I still wake up covered in cold sweat from dreams remembering SCSI terminations..

    2. Anonymous Coward
      Anonymous Coward

      Re: Vint Cerf

      Not speaking about Vint obviously but not everything the elders of the internet did was all that secure either. In fact that IoT attack relied on IMHO the biggest vulnerability of the Internet with perhaps the exception of BGP and that is DNS which was never designed assuming mortal enemies might both be using (a lot of the elders were idealist long hairs). Also in the same ballpark is the complete circle jerk of trust that is x.509 but that is a whole other can of worms.

  3. Anonymous Coward
    Anonymous Coward

    Don't just fling unsecured open source OSes at world+dog, father of the Internet begs

    No you can fling unsecure closed source OSes at the at world+dog as well, Windows 10 IoT is available.

    Nothing is secure, see the excellent edge browser>windows kernel>VMware hack at pwn2own

    https://www.zerodayinitiative.com/blog/2017/3/17/the-results-pwn2own-2017-day-three

    1. Anonymous Coward
      Anonymous Coward

      To avoid the landmine of closed vs open source if you print the root/admin password on the device and its the same for all customers what OS is chosen is not all that relevant.

  4. Boohoo4u

    Normally I prefer lite government regulation, but "venders" aren't going to solve this. There has to be some kind of product validation or security certification (to start with).

    The other problem is many small companies will just change their name rather than provide proper maintenance. There needs to be some kind of system put in place to make the public aware of issues with products, and if there are actions that they need to do to keep themselves safe.

    Originally you'd register a product with the manufacturer and they'd inform you of issues. These days it's all marketing crap to let you know their is a new model available (rather than inform about a critical patch).

    1. bombastic bob Silver badge
      Devil

      "There has to be some kind of product validation or security certification (to start with)."

      if it's inexpensive [such that it doesn't crowd independent engineers from selling their wares on the intarwebs] it _MIGHT_ work... but consider the cost of F.C.C. and CE marks, ALREADY a road block for startup businesses to get a product into the market. It's bad enough that Micro-shaft, Apple, and others are INSISTENT on some kind of "approval" or paid-for certification for software, which helps to *KILL* open source (and independent developers).

      Do you REALLY want "these kinds of roadblocks" IN THE WAY of TECHNOLOGY? I don't.

      If the liability laws are such that the manufacturer of a device can be held liable for flaws that RESULT in a DDoS, you can bet those flaws will be PROPERLY FIXED. If that means (for their insurance, for example) that they MUST have some kind of cert, they'll get it. At the same time, a PUBLIC project for an open source OS for IoT stuff (let's say) would NOT be hampered, but would need to "self certify" (through proper testing and documentation during development, let's say) in order to get people to use it.

      So yeah, gummint would have to be involved a little bit, legislating the liability laws that would basically put some pressure on IoT makers to make sure their devices have some basic protection in place to prevent being "negligent" and therefore liable for damages.

  5. Mage Silver badge

    Balked at ridiculing?

    No, the IoT can't be ridiculed enough.

    It's inherent with low margin etc that security isn't addressed and inherent with desire to make the real money monetising private information that servers with your private info will be hacked, or at least deliberately sold on.

    1. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    IoT is just there to allow spying on your private life

    There is ZERO merit in connecting any device to the internet to make it work.

    IoT = Internet of Tat

  7. Anonymous Coward
    Anonymous Coward

    _

    "...taking the mickey out of the fad ..."

    Lived in England for several years, but never heard of this one before.

    What does this mean in Colonial English?

    1. Anonymous Coward
      Anonymous Coward

      Re: _

      Guess the minor version of taking the piss out of?

    2. Anonymous Coward
      Anonymous Coward

      Re: _

      It's rhyming slang for taking the piss; taking the Mickey Bliss.

      1. Doctor Syntax Silver badge

        Re: _

        "It's rhyming slang"

        You learn something every day. But who was Mickey Bliss?

  8. Colin Tree

    linux android

    A lot of these things are based on Linux or Android.

    Easier if the security is hard wired into the OS,

    the os devs have much better security knowledge than some small startup toothbrush maker.

  9. Anonymous Coward
    Anonymous Coward

    I forget who it was who originally pointed this out, but...

    Insecurely Designed Internet of Things = IDIoT.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019