IoT insecurity: US govt summons tech bosses, bashes heads together

There are two things that everyone agrees on when it comes to the internet of things (IoT). First, security is a problem. And second, their approach is the best one. The US government held a one-day meeting in Austin, Texas, today with the sole focus on a specific issue: the ability to upgrade and patch internet-connected …

  1. Anonymous Coward

    A security warning label would be an easy and good start.

    Something that lets buyers know that the device is internet-connected, and will therefore require occasional security updates.

    Additionally, clear disclosures on what information the device gathers, a kill switch for the internet connection and some interface that allows updates to be made.

    Also a law requiring landlords to arrange for updates of products they own (things like refrigerators and washers in apartment complexes) within a timely period.

    1. Anonymous Coward

      "law requiring landlords to arrange for updates of products they own"

      ...."things like refrigerators and washers in apartment complexes)".....

      WTF?

      + Look at Samsung Washers & Phones right now, the new shiny are exploding!!!

      + Can't wait till Smart devices get hacked, and we have even more explosions!

      + What we need instead is a law ensuring basic electrical devices continue to be sold as part of a healthy market.

      + Then enact legislation to make sure landlord driven properties use past-proven basic models that are net-free.

      + Samsung don't even sell a range of basic non-Smart TVs any more. That's deliberate and it's wrong!!

      1. bep

        Re: "law requiring landlords to arrange for updates of products they own"

        I bought a new TV just last weekend and was surprised and delighted to find one that had no smarts whatsoever. It was not a name brand, however, and it sure wasn't UHD. Still, if it lasts as long as the previous one (9 years) then I've kicked the problem down the road a bit.

        Basically, I want one (1) non-mobile internet-connected device in my house. One question that needs to be addressed before the others is, if I buy a 'smart' device and don't connect it to the internet, will it still work? That may need to be legislated in due course.

    2. Old Used Programmer

      Re: A security warning label would be an easy and good start.

      Plus...if the kill switch is used, the basic function of the device (e.g. a "smart" light bulb is still a light bulb) continues to work "off line". Even better, as *everybody* starts sticking this stuff into rather ordinary objects that don't actually need it, would be a physical disable of the IoT functions so one could use a supposedly "smart" device as a dumb one by just sliding a switch when you first use it.

    3. Anonymous Coward

      Re: A security warning label would be an easy and good start.

      "Also a law requiring landlords to arrange for updates of products they own (things like refrigerators and washers in apartment complexes) within a timely period."

      Oh give over, some landlords don't provide tenants with a working boiler.. Or their homes have damp all up the walls.. Or there are 20 people crammed into a house designed for four..

      The suggestions have got to be realistic! You can imagine landlords running around all their properties updating firmware?!

  2. Youngone

    Walled Gardens?

    I wonder if the problem is because everyone has seen the success Apple has had with their control of the whole ecosystem, and want to have some of that action.

    I would rather buy a device that uses open protocols so when the manufacturer loses interest, someone else can develop updates, but I'm not going to hold my breath.

    1. Ole Juul

      Re: Walled Gardens?

      "I would rather buy a device that uses open protocols"

      I'm with you there. And I would like to see IoT labelled in that regard. If it isn't open source it should say:

      WARNING, this device contains CLOSED software and will need future repairs from the manufacturer.

    2. Dan 55

      Re: Walled Gardens?

      Would now be a good time to resurrect the 80's BT green circle/red triangle sticker for I-o-Tat?

      Green circle means that the manufacturer has followed a suitable set of standards when developing it and will supply five years' worth of updates at no extra charge. Red triangle says there are no security guarantees and may compromise every device in your house.

      1. Adrian 4

        Re: Walled Gardens?

        Like the widely-faked CE marking, perhaps ?

  3. Anonymous Coward

    Up to ISP's to block

    The only way I can see it being fixed is ISP's blocking the traffic.

    Cue discussion about how to ID the traffic, how to implement blocks etc.. No idea - beyond the scope of this comment at the moment.

    Yes, there'd be cost for the ISP's.. but there's cost for them too if this issue balloons.

    What other way is there?

    We can't expect manufacturers to do much - they may not be around long.

    Responsible manufacturers who're in the game for the long haul will make patches available promptly, and for a reasonable time after the device has been sold. Irresponsible manufacturers will soon see their devices blocked, and word will spread to avoid them like the plague.

    Joe Public (i.e., your grandfather and mine, people who just want stuff to work) aren't bothered about things needing updates, so long as they happen automatically, or can be triggered with the minimum of fuss. Bleating on about "if you're putting a server on the Internet you should damn well know how to patch it blah blah" is useless. Like the roads - the Internet has some tools/clueless individuals on it - but it'd be a pretty lonely place to be if it were filled with just us geeks.

    Consumers should be able to use this stuff, and it should "just work". If it doesn't, us geeks who think we're all clever are pretty much proving we aren't.

    You shouldn't need a computer science degree to plug in a webcam and check your dog is alright at home, or to switch your heating on before you get in. And the argument isn't about who'd want to do said useless tasks - it's about making it work for the people who do want to do it. The Internet is theirs too.

    1. edge_e

      Re: Up to ISP's to block

      Like the roads - the Internet has some tools/clueless individuals on it - but it'd be a pretty lonely place to be if it were filled with just us geeks.

      I'm pretty sure the roads would be a much safer place without those who don't understand momentum and braking distances.

      While you are right that it is down to us geeks to make it "just work", the trouble is, just like cars, the safer you make it, the more idiotic the driver becomes.

  4. Anonymous Coward

    "The issue is urgent and it is complex," noted NTIA

    ~ You never get that sense from their meetings. It feels more like a treaty negotiation or land-grab, with lots of back patting for a job well done!

    ~ Even the original submission process was messy. It was just diverse views accepted without any structure or priority or importance placed on anything. AKA an exercise in box ticking!

    ~ So what did the corporations do? They sent lawyers with docs full of fluffy legalese...

    ~ What's really going on at NTIA? They have to be seen to be doing something, but there's no responsibility or leadership here, and only a little understanding of the issues....

    ~ Like with other oversight agencies or regulators, there's no real will to fix overpriced cable boxes or unlimited-data-plans, never mind Wells-Fargo type fake-accounts....

  5. Red Bren

    Neo-luddite

    I don't want an internet of things. I don't need every object in my house to be able to talk to me or each other and most importantly to people who don't have my best interests at heart. They may be legitimate businesses, nefarious hackers, or state snoopers but my attitude is the same. If I'm given a choice between an IoT device and a dumb one, I'll take the dumb one. If there is no choice, I'll DOS attack it myself.

    1. Nunyabiznes

      Re: Neo-luddite

      Exactly. I want energy efficient, easy to use, and robust devices.

      I can open the fridge door and see what I need to pick up at the store. I can set my thermostat down when I leave. I remember to turn off lights/lock doors/close the garage door.

      A bunch of marketing numpties have managed to convince a bunch of punters that IOT is a great idea. Well and a decent sized subset of geekdom has bought them out of the need to have the latest tech tat, to be fair. Let's not forget to kick the corporate world for slinging this crap out there knowing the consequences as they certainly did.

      Ark B for the lot of them I say.

      1. Anonymous Coward

        Re: Neo-luddite

        "A bunch of marketing numpties"

        Sounds like my kind of people!!

        (Unless they are trying to hawk me an internet-connected waffle iron.)

  6. David Roberts

    Legislation? Enforcement?

    Back in the good old days you had Trading Standards who could track and seize unsafe products, bogus foreign imports and the like.

    Where are they now?

    Just when their workload has increased exponentially they have been cut to the bone and much of their work has been offloaded to the Citizens Advice Bureau.

    Legislate that devices must be secure and updated for 5 years? Who is going to enforce this and block the import of non-conforming products?

    We don't even have a police force to enforce most of the current criminal law.

    Customs has been cut to the bone as well (fine if you only have to worry about non-EU imports, but.....).

    Who is going to enforce and police?

  7. Tom 7

    Certificates are what we need

    You can't buy an IoT thingy unless you have a certificate to prove you can configure it and your network safely.

    1. You aint sin me, roit

      Re: Certificates are what we need

      Certificates are what IoT objects need.

      They need to be instance specific (no defaults here) and verified before the object is allowed to connect to the internet.

      The associated private keys need to be held and used securely in a suitable tamperproof environment, and an object's private key needs to be used to secure (authorize and authenticate) any updates.

      Each item needs to implement appropriate security - built into the provision of services, not bolted on as an afterthought with default passwords.

      The whole system needs a Public Key Infrastructure and a Certification Authority(ies).

      And all of that costs money.

  8. Cuddles

    the ability to upgrade and patch internet-connected devices

    For some reason I can't help reading that as "the ability for random people to remotely access your devices and install whatever they like without you knowing about it".

  9. Tatsky

    The problem I see is that companies are knocking out these devices and security isn't even a thought, let alone an afterthought.

    And it's not small, inexperienced, new to IoT companies which are doing this. Even Nissan fell foul of this by having their Leaf control app completely open and anonymously accessed via a simple web API, with the only identification you needed being the VIN number of the car you wanted to interact with.

    But what do we do? A lot of these devices use standard HTTP to interact with a web service, so ISPs can't block port HTTP traffic. Maybe there would be some way to identify based on HTTP content and headers, but it's all getting a bit wishy washy.

    It's not hard to implement some basic authorisation and authentication schemes into these things.
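The "basic authorisation and authentication" the post above asks for, as an added example for this thread (not Nissan's code, not code from the commenter or The Register): `vin_only_status()` mirrors the shape the post describes, where the VIN is the only thing a request carries, and `authorised_status()` is the hardened form, where the caller must present a bearer token and the requested VIN must belong to the authenticated account. The accounts, tokens, VINs and battery readings are constructed sample data.

```python
"""Authenticating and authorising a vehicle-status web API.

Added example for this comment thread, not Nissan's code or The Register's.
The comment above describes a vehicle app that answered any request carrying
a VIN; vin_only_status() mirrors that shape, and authorised_status() is the
hardened form: the caller must present a bearer token, and the requested VIN
must belong to the authenticated account. Accounts, tokens, VINs and battery
readings are all constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (placeholder VINs, not real vehicles).
OWNERS = {"alice": {"VIN-EXAMPLE-0001"}, "bob": {"VIN-EXAMPLE-0002"}}
BATTERY = {"VIN-EXAMPLE-0001": 81, "VIN-EXAMPLE-0002": 47}

# Bearer tokens are stored only as SHA-256 digests, so a leaked table
# does not hand out usable credentials.
_TOKEN_DIGESTS = {}  # sha256(token) -> account


def issue_token(account: str) -> str:
    """Mint a random bearer token for an account and record its digest."""
    token = secrets.token_urlsafe(32)
    _TOKEN_DIGESTS[hashlib.sha256(token.encode()).hexdigest()] = account
    return token


def authenticate(headers: dict) -> Optional[str]:
    """Map an 'Authorization: Bearer <token>' header to an account, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    # Constant-time comparison against every stored digest.
    for digest, account in _TOKEN_DIGESTS.items():
        if hmac.compare_digest(digest, presented):
            return account
    return None


def vin_only_status(params: dict) -> tuple:
    """The pattern the comment criticises: the VIN is the only 'credential'."""
    vin = params.get("vin")
    if vin not in BATTERY:
        return 404, {"error": "unknown vehicle"}
    return 200, {"vin": vin, "battery_pct": BATTERY[vin]}


def authorised_status(headers: dict, params: dict) -> tuple:
    """Hardened form: authenticate the caller, then check the VIN is theirs."""
    account = authenticate(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    vin = params.get("vin")
    if vin not in OWNERS.get(account, set()):
        # Same answer whether the VIN is unknown or belongs to someone else,
        # so the endpoint cannot be used to enumerate other people's cars.
        return 403, {"error": "vehicle not linked to this account"}
    return 200, {"vin": vin, "battery_pct": BATTERY[vin]}


if __name__ == "__main__":
    token = issue_token("alice")
    print(vin_only_status({"vin": "VIN-EXAMPLE-0002"}))        # anyone gets Bob's reading
    print(authorised_status({}, {"vin": "VIN-EXAMPLE-0001"}))  # 401
    print(authorised_status({"Authorization": "Bearer " + token},
                            {"vin": "VIN-EXAMPLE-0002"}))      # 403
    print(authorised_status({"Authorization": "Bearer " + token},
                            {"vin": "VIN-EXAMPLE-0001"}))      # 200
```

The point is that the two checks are separate: a token proves who is asking, and the ownership lookup decides what that caller may touch. Dropping either one leaves the VIN doing a job it was never designed for.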

  10. pigdog234

    Some are proposing solutions

    While maybe nobody in the room in Texas proposed solutions, there have been plenty of solutions proposed. For instance, in the IETF we are discussing an approach in the Ops Area Working Group known as Manufacturer Usage Descriptions that give manufacturers the opportunity to express what communication pattern a device is supposed to have, and then gives networks the opportunity to block other communication patterns. draft-ietf-opsawg-mud-01.txt goes into some detail about this.

    These are not the only approaches being discussed. A government meeting such as the one that occurred in Texas may cause industry players to be wary of premature government mandates. It's important to sort IoT security correctly, and in a timely fashion, but no sooner than solutions are ready.
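The two halves the post above describes, the manufacturer stating the device's expected communication pattern and the network blocking everything else, as an added example for this thread (not code from the IETF draft, from the commenter or from The Register). The dictionary is a deliberately simplified stand-in for a MUD file, not the draft's actual YANG/JSON model; the device, peer addresses and sample flows are constructed.

```python
"""Turning a manufacturer usage description into network policy.

Added example for this comment thread, not code from the IETF draft, the
comment's author or The Register. The dictionary below is a deliberately
simplified stand-in for a MUD file (draft-ietf-opsawg-mud defines a richer
YANG/JSON model); the device address, peer addresses and sample flows are
constructed. It shows the two halves the comment describes: the manufacturer
states the expected communication pattern, and the network enforces it by
blocking everything else.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed, simplified usage description for a hypothetical thermostat:
# it should only reach its update server on 443/tcp and the local resolver
# on 53/udp. (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.)
THERMOSTAT_MUD = {
    "device": "example-thermostat",
    "allow": [
        {"dst": "203.0.113.10/32", "proto": "tcp", "dport": 443},
        {"dst": "192.168.1.1/32", "proto": "udp", "dport": 53},
    ],
}


def _matches(rule: dict, flow: Flow) -> bool:
    return (
        flow.proto == rule["proto"]
        and flow.dport == rule["dport"]
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule["dst"])
    )


def decide(mud: dict, flow: Flow) -> str:
    """'allow' if any manufacturer rule permits the flow, otherwise 'deny'."""
    return "allow" if any(_matches(r, flow) for r in mud["allow"]) else "deny"


def audit(mud: dict, flows) -> list:
    """Flows that fall outside the declared pattern (what the network should block)."""
    return [f for f in flows if decide(mud, f) == "deny"]


def to_iptables(mud: dict, device_ip: str) -> list:
    """Render the description as FORWARD-chain rules: explicit allows, then a default drop."""
    rules = [
        f"iptables -A FORWARD -s {device_ip} -d {r['dst']} -p {r['proto']} "
        f"--dport {r['dport']} -j ACCEPT"
        for r in mud["allow"]
    ]
    rules.append(f"iptables -A FORWARD -s {device_ip} -j DROP")
    return rules


# Constructed sample traffic from the device at 192.168.1.50.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "203.0.113.10", "tcp", 443),  # firmware check: allowed
    Flow("192.168.1.50", "192.168.1.1", "udp", 53),    # DNS: allowed
    Flow("192.168.1.50", "203.0.113.10", "tcp", 80),   # wrong port: denied
    Flow("192.168.1.50", "198.51.100.7", "tcp", 23),   # telnet to a stranger: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(THERMOSTAT_MUD, f), f)
    print("\n".join(to_iptables(THERMOSTAT_MUD, "192.168.1.50")))
```

The default-deny tail is what makes the description useful to a defender: a compromised device that starts talking to hosts the manufacturer never listed is blocked and shows up in the firewall log, whatever port it chooses.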

  11. YetAnotherLocksmith

    A simple solution?

    Perhaps this is just too obvious, but couldn't we agree that all IoT traffic has to use Port 666 to 669 (or whatever) so that there is an option to block it easily?

    Obviously, with attackers able to root & flash devices they can swap to whatever port(s) they want, and shape traffic as they see fit, but it would be a start for people trying to solve issues.

    Truth is though, there's simply no good answer. Security costs time and money, & trust me, most people are cheap.
