EU security think tank ENISA looks for IoT security, can't find any

European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn't much like what it sees. So it's mulling a vendor's nightmare that the US and UK dared not approach: security regulation - at least the minimal regulation of testing and certification. In a position paper published Monday, …

  1. John H Woods

    please...

    Rule 1) No access without credentials

    Rule 2) All devices have different default credentials

    1. Kinetic

      Re: please...

      Rule 3) Mandatory bug bounty programs, with rewards in line with risk. So for a car say $50,000,000 for gaining control of a drive by wire system.

      That should concentrate minds on both sides :)

    2. Doctor Syntax Silver badge

      Re: please...

      Rule 2) All devices have different default credentials

      The device shall not become operational until the user has set up their own credentials.

      1. doke

        Re: please...

        Rule 2) The device shall not become operational until the user has set up their own credentials.

        This might be a bit much to expect from Grandma. It might be more user-friendly for every unit to have different default credentials, derived from the serial number, and printed on a card that comes with the device. If they lose the card, they can go to the company web site, enter the serial number, and get the default password. That also means the device can be used out of the box, without any setup that requires a computer they might not have.
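One way to implement the per-unit default credentials doke describes, keyed so that the serial printed on the device label is not by itself enough to recompute the password. This is an added example, not code from the comment or from any vendor; FACTORY_KEY, the card alphabet and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical manufacturer secret, constructed for this example. In production it
# lives in the factory's HSM and the vendor's recovery service, never on the device.
FACTORY_KEY = bytes.fromhex("11" * 32)

# 32-symbol alphabet for the printed card: drops O/0 and I/1 so the card reads
# unambiguously, and 256 % 32 == 0 so mapping digest bytes onto it is unbiased.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "O0I1")


def default_password(serial: str, key: bytes = FACTORY_KEY, length: int = 12) -> str:
    """Per-unit default password printed on the card shipped with the device.

    A keyed HMAC over the serial: the serial is on the device label, so an
    unkeyed hash(serial) would let anyone who can read the label recompute the
    password. With the key, the serial alone reveals nothing.
    """
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def provision_device(serial: str) -> dict:
    """Factory step: the device receives only a salted PBKDF2 verifier of its own
    password, not FACTORY_KEY, so dumping one unit's flash exposes neither the
    derivation nor any other unit's password."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", default_password(serial).encode("ascii"), salt, 100_000
    )
    return {"serial": serial, "salt": salt, "verifier": verifier}


def device_check_password(device: dict, attempt: str) -> bool:
    """Login check performed on the device itself; constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), device["salt"], 100_000
    )
    return hmac.compare_digest(candidate, device["verifier"])


def recovery_lookup(serial: str) -> str:
    """The vendor web page doke describes, reprinting the card from the serial.
    Whoever can call this holds the password, so it belongs behind a proof of
    purchase or account check rather than an open lookup."""
    return default_password(serial)
```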

    3. sebt

      Re: please...

      Rule 4) Any functionality that depends on a central server, whose status is outside the purchaser's control, must be explicitly stated, and guaranteed (subject to financial penalties) for a specified period.

      That would be a disincentive to the current "can't unlock my Smart Front Door because the vendor's server is down" idiocy.

      1. Lee D Silver badge

        Re: please...

        I can do it much more simply.

        Customers may return a product for a full refund for up to five years after the purchase date if it has a demonstrated security weakness under "not fit for purpose" regulations.

        Nice and easy to determine in a court of law.

        Minimal additional legislation required over existing.

        Decent amount of comeback on manufacturers who push out junk.

        Decent incentive to actually make things work properly.

        Already handled under existing product returns, etc. processes for all involved.

        In the same way that a bank vault that doesn't shut would be sent back to the manufacturer, an IoT device that can't be secured from the Internet should be sent back too.

      2. Down not across Silver badge

        Re: please...

        Rule 4) Any functionality that depends on a central server...

        Must have its protocol documented and at the very least stored in escrow to be published should the company cease to trade or support the product.

  2. LDS Silver badge

    Rule 3, 4, 5

    3) Security updates must be available for at least ten years

    4) Any communication must be properly secured

    5) Any user data collection must be explicitly opt-in

    (although this will instantly kill the IoT market...)

    1. Tomato42 Silver badge

      Re: Rule 3, 4, 5

      > Security updates must be available for at least ten years

      That's both too long and too short. On one hand, you can have chips in stuff that won't last 5 years in best case conditions of use (toothbrush with internal battery) and then you have stuff that has like 7 years of warranty.

      Probably specifying that the updates must be provided for the time the device is under warranty and that the period that the updates will be provided must be specified on a label (like the energy labels or nutritional labels) would make it possible for consumers to actually make informed choices.

    2. Doctor Syntax Silver badge

      Re: Rule 3, 4, 5

      "(although this will instantly kill the IoT market...)"

      The most essential rule of the lot.

  3. jake Silver badge

    Rule zero

    The existing iteration of "The Internet" is not now, never has been, and never will be secure ... at least not without a complete tear-down and redesign. From scratch.

    1. Dan 55 Silver badge

      Re: Rule zero

      Don't worry, Mayhem is on the case.

      Inevitably, the Snooper's Charter, the Digital Economy Act, and blockers for several different things wasn't enough.

    2. Flakk Silver badge

      Re: Rule zero

      The existing iteration of "The Internet" is not now, never has been, and never will be secure

      Arguably by design. Security invariably includes an expiration date. Imagine what the Internet would be like if in the '70s DARPA had insisted on the implementation of DES within TCP as the method for providing secure transport. It would have worked fine for a few years, but nobody would be using it today (at least not as a secure transport method).

      The Internet might be better with security baked into its fundamental protocols, but obsolescence and software flaws would always nip at its heels.

      1. jake Silver badge

        Re: Rule zero

        "Actually by design". FTFY

    3. Charles 9 Silver badge

      Re: Rule zero

      The existing iteration of "The Internet"

      There, FTFY. The truth is, nothing known to man can ever be really secure as long as someone knows about it. Not even a One-Time Pad is proof against Rubber-Hose Cryptanalysis. The only true secret is one known to NO ONE and NO-THING (because the thing can be used by man to access it).

  4. Richard Jones 1

    Correction Required? Plus Rules 1~5

    The article refers to 'cites connected cars and factors', should that be factories?

    I agree that rules 1~5 provide a good mandatory starting point though they must be subject to continuous ongoing review.

    Providing that rules 1~5 are implemented, adding or modifying the rules would be straightforward as needs arose.

    Add

    Rule 6 any device not adopting the current, as amended rules for IOT devices to be barred from all access to or from the internet. This is also required to ensure continuous compliance.

    Rule 2 should carry a rider that forces the user to update even the default unique credentials within three months of installation and meet agreed standards for uniqueness and complexity or be barred from the internet.

    1. Paul Kinsler

      Re: force the user to update even the default unique credentials

      Some devices already have buttons to re/connect to the wifi. It might be easier to set (eg) a double-press to allow net-based admin login access for the next 15 minutes, which would cut down the attack window by a considerable fraction. Many users should easily understand "double-click for admin"; whereas many (most?) clearly cannot be bothered with password changing, and mandating stuff will not change that.

      Not perfect, but might be more consumer friendly than mandatory ban-hammers. Comments?

      1. Doctor Syntax Silver badge

        Re: force the user to update even the default unique credentials

        "many (most?) clearly cannot be bothered with password changing, and mandating stuff will not change that."

        It will if the mandate is that the device will not become operational until the user's own credentials are entered. And any variation on "password" will be spat back at the user after a second, 2 seconds at the next attempt etc.
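A model of the setup gate discussed in this sub-thread: Paul Kinsler's double-press that opens a 15-minute remote-admin window, Doctor Syntax's device that stays non-operational until the owner's own credentials are set, and the doubling delay after each rejected attempt. This is an added example, not code from the page; the weak-password list, the delay cap and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ADMIN_WINDOW_SECONDS = 15 * 60  # remote admin allowed for 15 min after a double-press
MAX_DELAY_SECONDS = 5 * 60      # cap on the doubling delay after failed logins
# Constructed deny-list; is_weak() normalises leetspeak so "P@ssw0rd1" is caught too.
WEAK_BASES = {"password", "passwd", "admin", "letmein", "12345678", "qwerty"}
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

def is_weak(candidate: str) -> bool:
    """Reject 'password' and its obvious variants, as proposed in the thread."""
    lowered = candidate.lower()
    folded = lowered.translate(_LEET)                          # leetspeak undone
    letters = "".join(ch for ch in folded if ch.isalpha())     # digits and symbols dropped
    return len(candidate) < 10 or any(b in v for b in WEAK_BASES for v in (lowered, folded, letters))

@dataclass
class Device:
    salt: bytes = b""       # empty until the owner sets credentials;
    verifier: bytes = b""   # the device stays non-operational until then
    window_open_until: float = -1.0
    next_allowed_at: float = 0.0
    failures: int = 0

    def operational(self) -> bool:
        return self.verifier != b""

    def set_credentials(self, new_password: str) -> bool:
        """First-run setup: refuses weak passwords, stores only a salted verifier."""
        if is_weak(new_password):
            return False
        self.salt = secrets.token_bytes(16)
        self.verifier = hashlib.pbkdf2_hmac("sha256", new_password.encode(), self.salt, 100_000)
        return True

    def double_press(self, now: float) -> None:
        """Physical button on the unit opens the remote-admin window."""
        self.window_open_until = now + ADMIN_WINDOW_SECONDS

    def admin_login(self, now: float, attempt: str) -> str:
        if not self.operational():
            return "not-set-up"
        if now >= self.window_open_until:
            return "window-closed"
        if now < self.next_allowed_at:
            return "throttled"  # still inside the delay imposed by the last failure
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, 100_000)
        if hmac.compare_digest(candidate, self.verifier):
            self.failures = 0
            return "ok"
        self.failures += 1  # delay grows 1 s, 2 s, 4 s ... per consecutive failure
        self.next_allowed_at = now + min(2 ** (self.failures - 1), MAX_DELAY_SECONDS)
        return "denied"
```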

        1. Anonymous Coward

          Re: if the mandate is that the device will ...

          ... be so annoying that the consumer hates it, they will probably "fix" the perceived problem by buying something off the net which circumvents the mandate.

          1. Charles 9 Silver badge

            Re: if the mandate is that the device will ...

            Especially if "setting up" requires a computer the owner may not possess.

      2. Pascal Monett Silver badge

        Re: "many [..] cannot be bothered with password changing, and mandating stuff will not change that"

        Um, programming the bloody IoT thingamabob to not connect until the default password has been changed will change that.

  5. Dan 55 Silver badge

    It won't really gain traction unless vendors are liable for selling insecure tat.

    And I hope they will be.

  6. Len Silver badge

    A step in the right direction

    I feel this would be a small but welcome step in the right direction. We require all sorts of basic safety measures before products can be sold in the EU. From preventing people being electrocuted if they insert a plug into a socket to preventing kids from losing fingers if they don't pay attention to how a product is supposed to be used. It can't and won't prevent each and every incident but having a secure base will probably reduce it by 90% or so.

    The same could be done for IoT devices. A couple of basic guidelines (some good ones already mentioned above) to prevent the worst disasters from happening. Perhaps revisit the guidelines every five years to update them with new insights and technologies. It won't prevent each and every breach or botnet but it can surely bring it down considerably.

  7. allthecoolshortnamesweretaken

    "EU security think tank ENISA looks for IoT security, can't find any"

    How can this be?

    After all, the 'S' in 'IoT' stands for 'Security', doesn't it?

    1. handleoclast

      After all, the 'S' in 'IoT' stands for 'Security', doesn't it?

      Actually, "IoT" really stands for "Insecurity of Tat."

      So if ENISA looks hard enough (or uses the correct regex), they will find the security in IoT.

  8. John Smith 19 Gold badge

    Pheeeh. The UK has really dodged a bullet on this one with Brexit, eh?

    Not letting those pesky furriners dictate their absurdist Socialist fantasists to plucky Brits.

    I see the headline "Brexit Takes Back Control (c) of the Internet (of Things)" (C Rabid Xenophobia Publications T/A The Daily Heil)

    "taking back control" "Take back control" and all variants thereof in terms of font and capitalization copyright 2016 Lynton Crosby

    1. Len Silver badge

      Re: Pheeeh. The UK has really dodged a bullet on this one with Brexit, eh?

      Brexit or not, in effect any EU requirements will apply to most or all of the products in British shops. The British market is too small to create a separate version for, so suppliers will probably just sell the EU product to UK consumers.

      1. John Smith 19 Gold badge

        "The British market is too small....suppliers..just sell the EU product to UK consumers."

        IRL that's exactly what I expect to happen.

        Without the UK the EU population is 678m Vs UK population 65m (Google listed 743m but I took off the UK figure), roughly 10.5x bigger.

        IRL the UK could have easier qualification standards than the EU but so what? You've put in the effort and got access to a market 1/10.5 that of the EU. Why bother?

        Unless an EU standard is massively stupid the UK will harmonize with EU standards anyway, without any say (hard Brexit, as promised by the Great & Glorious Leader herself) in how it's set.

        Good to know the UK is "Taking back control (c)" is it not?

  9. codejunky Silver badge

    Oh no

    Please no. So government regulation on security to ensure total failure. Awesome. Is this going to be mandatory back doors or something like the US restrictions on how strong the encryption is meant to be? Even if they manage to put together semi-decent proposals (we are talking politicians here) how long until some genius comes up with a stupid idea or the technology changes too quickly for them to cope with?

    1. Richard Jones 1

      Re: Oh no

      Well at the moment, there is no front door, no back door, no walls and no windows, oh and no roof either; are you so sure you like that situation?

      Oh ah is that a government spook I see looking through your missing everything or just some local tramp?

      At least he can see you have nothing to hide, so no real need to even bother looking.

      1. codejunky Silver badge

        Re: Oh no

        "Well at the moment, there is no front door, no back door, no walls and no windows, oh and no roof either; are you so sure you like that situation?"

        Yes. If the IoT somehow succeeds this time we will have people wanting security and it will become a priority. If people don't care then nothing will change. If politicians get involved we have wonderfully out of date tech even the companies don't want to deploy such as the smart meter project.

        I want products to be available and affordable. I want them to try things out and find the best way of doing things and solving problems. Not lobbying to get the rules changed to their favour, falsifying results to bypass regulation or blocking new products by pushing the cost of complying with regulation up.

        "At least he can see you have nothing to hide, so no real need to even bother looking."

        I am sure the rules will meet NSA specs as long as Germany is still on speaking terms with them. If not the NSA is probably just on listening in terms with Merkel.

    2. strum Silver badge

      Re: Oh no

      >Please no.

      Are you also going to roll back the thousands of existing regulations, which make your life a lot safer than you have any right to expect?

      For every 'daft regulation' reported (or invented) by the Daily Mail or equivalents, there are thousands of well-considered, argued and agreed, sensible and proportionate regulations - which make our lives safer and more predictable, usually without us ever noticing.

      1. codejunky Silver badge

        Re: Oh no

        @ strum

        "Are you also going to roll back the thousands of existing regulations, which make your life a lot safer than you have any right to expect?"

        IoT fad lack of security is life threatening? Is the smart TV gonna pick up a knife and kill its owner (I don't have one but my understanding is they can't even get the apps maintained)?

        "For every 'daft regulation' reported (or invented) by the Daily Mail or equivalents, there are thousands of well-considered, argued and agreed, sensible and proportionate regulations"

        Wouldn't know what is in the Daily Mail. However stating that there are some good and bad regulations doesn't improve the bad ones.

        @ John Smith 19

        "The UK govt has already issued the Statutory Instrument describing as much, reported by El Reg previously."

        My point exactly. Politicians exist to get re-elected including by sucking up to voters with knee jerk or excessive interference and trading favours with lobbyists. How long until a muppet gets influence and proposes some stupid rule they don't understand as the Tories are doing? Look at the effect of anti-terror laws by Labour. Germany was helping the NSA until the NSA bugged Merkel.

        1. Dan 55 Silver badge

          Re: Oh no

          is the smart TV gonna pick up a knife and kill its owner

          No, you'll just be browsing on your Tizen TV, the ancient WebKit browser will get owned via a 3rd party ad, and from there the malware will rummage round your LAN.

        2. doke

          Re: Oh no

          IoT fad lack of security is life threatening?

          It can be. Pacemaker hack can deliver deadly 830-volt jolt

        3. John Smith 19 Gold badge

          "How long until a muppet gets influence and proposes some stupid rule they don't understand"

          First you're behind the times. This is not a proposal. In IT language this is a plug-in for RIPA to spell out exactly what they want, where the original paragraph basically said "To be determined."

          Second is the fact you seem to think this is being driven by politicians. Did it not seem strange to you that 9 Home Secretaries from Labour and Conservative parties have spouted the same line?

    3. John Smith 19 Gold badge

      Re: Oh no

      "Is this going to be mandatory back doors"

      The UK govt has already issued the Statutory Instrument describing as much, reported by El Reg previously.

  10. Palpy

    Yay! We haz clowd cntrol of we IOT!!

    "Tend, a Boston-based startup, introduced its hardware-agnostic smart cloud robotics software that allows manufacturers to remotely control, monitor and analyze the performance of any robot from mobile devices. The software, called Tend in.control (intelligent control), allows users to securely interact with robots tending to production lines using a simple mobile interface. Dashboards provide a real-time view into the status of machines and specific jobs. And, if you need to stop or start a robot, that can be done remotely from any location via the smartphone."

    Since smartphone interfaces are *intrinsically secure* (TM!!) then shirley nothing can go wrong with controlling your industrial IOT from your effing Android, right? Oh, wait, the ad-blurb has the magic keyword "securely" in it, so that's all right then.
