Fix crap Internet of Things security, booms Internet daddy Cerf

Vint Cerf, one of the fathers of the internet, has weighed in on Internet of Things security, warning that a Mirai botnet-style incident could happen again unless vendors start taking responsibility for their goods. “The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or …

  1. Rich 11

    “Let’s just stick with internet enabling of everything, but on the other side of that, let’s make sure that when we do that, we think our way through the security, safety and reliability of the systems.”

    Good luck with that.

    Manufacturers aren't going to pull their finger out until it hits their bottom line. If they can sell unsafe tat to unaware people impressed by the shiny, they will. If a competitor can undercut them by not securing new products, they won't secure theirs either.

    You're going to need a public education campaign equivalent to the ones 40 years ago demonstrating that car seatbelts were worth paying for, except that this one will have to be global.

    1. Phil O'Sophical Silver badge

      demonstrating that car seatbelts were worth paying for,

      The IoT, unsafe at any speed? Ralph Nader's still around, I think...

    2. Anonymous Coward

      He's employed by Google, it can't bite the hand that feeds him...

    3. Orv Silver badge

      Interesting example, because what moved the needle on seat belts (at least in the US) was a government mandate. Car companies originally offered them as an added-cost feature, while simultaneously dismissing their effectiveness, then used the resulting slow sales as an argument for the folly of providing them. For many years, in fact, the industry line was that crashes over 30 mph were not survivable, and the only solution was teaching drivers to drive better so they wouldn't crash.

      1. bombastic bob Silver badge

        I hope "the answer" isn't EVEN MORE gummint...

        "what moved the needle on seat belts (at least in the US) was a government mandate"

        sadly this is true. It also brought the cost down when EVERY car maker had them.

        If it takes a gummint mandate, I suppose that's what we'll end up with. Fortunately, however, we still have some time for a PRIVATE SECTOR solution.

        My own belief is that SOME gummint (i.e. liability laws) coupled with MOSTLY private sector (software that limits risk) would be the best overall solution, and help to prevent "gummint oversight" from literally *KILLING* the technology while it's still an infant.

        1. Steve Davies 3 Silver badge

          Re: I hope "the answer" isn't EVEN MORE gummint...

          and yet people still don't use seatbelts. I witnessed a crash last year where a car rolled at least three times after losing it on a bend in the wet. The driver was killed yet the three passengers walked away. Guess who was not wearing their seatbelt?

          As for the IoT debacle.

          I won't have any in my home. Even my smart TV is never connected to my network.

          Anyone who does use this load of dung, given the current state of their security, all I can say is:

          "Here there be Dragons"

          Just don't do it if you value anything about your private life.

          1. LionelB Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            As for the IoT debacle. I won't have any in my home. Even my smart TV is never connected to my network.

            But but but I like my smart telly, and my mobile, they improve the quality of my life. And I've installed seatbelts on my sofa.

          2. Orv Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            "and yet people still don't use Seatbelts."

            Actually the usage rate is pretty high, at least in the US, and it's improved markedly over time. In 1983 it was 14%; in 2013 it was 87%. In some states it's well over 90%.

            "I won't have any in my home. Even my smart TV is never connected to my network."

            I have a Chromecast on mine, but it's powered by the USB port on the TV, and loses power every time I turn off the television. So its exposure to mischief is limited to when I'm actively watching movies on it. Google made it boot fast enough that it's nearly there by the time the TV's backlight has warmed up.

        2. Anonymous Coward

          Re: I hope "the answer" isn't EVEN MORE gummint...

          And yet you cling to that belief, despite constant evidence that "free market" solutions fail for entire classes of problems.

          Ladies and gentlemen: Yanks

          1. nijam Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            > despite constant evidence that "free market" solutions fail for entire classes of problems...

            Hmm, largely a subset of the classes of problems that government fails for. Oh well...

        3. Vector

          Re: I hope "the answer" isn't EVEN MORE gummint...

          "My own belief is that SOME gummint (i.e. liability laws)..."

          I believe liability is all that's required. Make the producers responsible for the safety and security of their products just like we do with other industries. As mentioned above, you have to affect their bottom line or nothing will happen. Liability laws will do just that.

          Where to draw the line is probably the biggest debate.

          1. bazza Silver badge

            Re: I hope "the answer" isn't EVEN MORE gummint...

            "I believe liability is all that's required. Make the producers responsible for the safety and security of their products just like we do with other industries."

            I don't think that's realistic. There's nothing about IoT devices specifically that would warrant such liability being imposed on the manufacturers whilst not imposing the same liability on Microsoft, Apple, Google, the Linux kernel development community, all publishers of Linux distros, etc. All software everywhere throughout time has come with zero guarantees of correctness, suitability, etc., including software on IoT devices.

            I do not see there being any realistic solution to this problem. The manufacturers don't care because their sales are OK. The sales are OK because the customers don't care either. The customers don't care because when the hackers take over a device they normally take care to ensure that the customer rarely notices anything happening; once in control, some of them even apply patches to stop other hackers getting in. How thoughtful!

            The problem may get solved if a truly big player (e.g. Apple, Google, etc) manages to get a decent ecosystem running that solves the problems of patching, updates, access control, etc. Trouble is that so far both Apple and Google have failed to enthuse the market with their offerings. They're probably charging silly money for access.

            1. Doctor Syntax Silver badge

              Re: I hope "the answer" isn't EVEN MORE gummint...

              "The manufacturers don't care because their sales are OK. The sales are OK because the customers don't care either. The customers don't care because when the hackers take over a device they normally take care to ensure that the customer rarely notices anything happening; once in control, some of them even apply patches to stop other hackers getting in."

              Seat belts are an example of how this can be made to work. One factor mentioned was that governments mandated fitting (Charles 9 will be along any second to mumble about grey markets). The other factor was the governments mandated using them if you were on the public roads. And we now have the situation where cars are not only fitted with them, in many cases they'll bleep at you if you go at more than a snail's pace without doing them up.

              How could we apply such thinking to IoT?

              First, we'll need to mandate some requirements such as any default passwords must require a reset at initial startup or after a factory reset and something like type approval for devices which meet the current standards.

              Now we can make it illegal to connect such a device to the internet* (you can have as many as you like on your intranet, just don't let them leak out).

              Alongside that we make the ISPs responsible for their nets: they become accessories to anyone exposing a rogue device.

              The consequences?

              ISPs care so they'll deal with customers, cutting them off the net if required.

              Customers care because they lose their internet if they expose a rogue device so they'll take care to buy type-approved devices.

              Manufacturers care because sales of un-approved devices are falling (even in the grey market) because the intranet market won't be big enough to sustain them and, if everyone is having to manufacture to the same standard, there's no price advantage.

              *Shodan has demonstrated that these devices can be located.

        4. dlmetcalf

          Re: I hope "the answer" isn't EVEN MORE gummint...

          Oh right... I'm sure the private sector is going to magically start respecting clean air etc too, just like the "innovation" with VW's ECU emissions. Without some basic regulation, EVERYONE loses. It's called "Tragedy of the Commons" - please get some elementary economics education and learn about it. The Internet is a shared resource, like there's FCC regulation on radio spectrum, there needs to be some minimum security standards, to prevent unscrupulous operators harming other enterprises, individuals, critical infrastructure and enabling cyber-criminals.

        5. Anonymous Coward

          Being "anti-gummint" is not the solution

          Just like too many liberals think the solution to any problem is more regulation, too many conservatives think the solution to any problem is less regulation. Both sides have forgotten the point of regulation - or more likely have no idea there is one. Regulation is required to correct market failures. Not to enforce ethics, or help people be "better" (like stupid bans on selling large sodas). The classic example is pollution - if a company makes products that have toxic waste as a byproduct, and they can just dump it into the river or let it escape their smoke stack for free, they impose a cost on society that they don't bear. That's where regulation is needed.

          If companies are selling IoT devices that get hacked and they're used to attack internet commerce and cost the economy billions of dollars, the companies selling those insecure IoT devices are imposing a cost on society that they don't bear. I'm not sure exactly what sort of regulation could properly fix that, but if they don't clean it up themselves eventually government will be forced into action. Often they don't do all that well in hitting the right target with their action, so companies would be advised to address the issue before we reach that point!

        6. Jim 68

          Re: I hope "the answer" isn't EVEN MORE gummint...

          A significant issue is the prevailing social problem of complete lack of ethics that has overtaken nearly everything. When the people in control of doing things have no interest in quality or potential risks, it really doesn't matter. Private sector or public, big or small, if there's no intent to do good to begin with, neither regulations nor market selection pressure will matter.

      2. This post has been deleted by its author

    4. Anonymous Coward

      Don't think government is going to save the day

      All fun and games until you have to rely on a legislator from Alaska who thought the internet was tubes or a legislator from Utah who thought mega corporates should be able to arbitrarily destroy your hardware if their business model is threatened.

    5. Doctor Syntax Silver badge

      "You're going to need a public education campaign equivalent to the ones 40 years ago demonstrating that car seatbelts were worth paying for, except that this one will have to be global."

      Public education reinforced by fines for not using them.

  2. frank ly

    Vint Cerf

    He's also one of the 'elders of the internet'.

    1. Gordon Pryra

      'elders of the internet'

      Pfft what rubbish!!

      If he was one of the "'elders of the internet'" he would have the same password for everything and also claim to have beaten Jet Set Willy because "the Specky was way better than the C64"

      Also he would have dropped into the conversation the fact that he remembers having to choose between 4 or 5 different disk controller technologies unlike these "kids today with their SATA"

      grumble MFM grumble RLL grumble IDE? pfft "duck on your head"

      1. Anonymous Coward

        Re: 'elders of the internet'

        "If he was one of the "'elders of the internet'" he would have the same password for everything and also claim to have beaten Jet Set Willy because "the Specky was way better than the C64""

        Tosh, yer whippersnapper!

        Vint Cerf got his PhD a decade before the C64 or the Specky came out.

        More detailed info

      2. Doctor Syntax Silver badge

        Re: 'elders of the internet'

        "Pfft what rubbish!!"

        You picked up a few whooshes there, Gordon.

      3. CrazyOldCatMan Silver badge

        Re: 'elders of the internet'

        grumble MFM grumble RLL grumble IDE? pfft "duck on your head"

        Oi! You forgot ESDI *and* SCSI

        Who can forget them? I still wake up covered in cold sweat from dreams remembering SCSI terminations...

    2. Anonymous Coward

      Re: Vint Cerf

      Not speaking about Vint obviously, but not everything the elders of the internet did was all that secure either. In fact that IoT attack relied on, IMHO, the biggest vulnerability of the Internet with perhaps the exception of BGP, and that is DNS, which was never designed assuming mortal enemies might both be using it (a lot of the elders were idealist long hairs). Also in the same ballpark is the complete circle jerk of trust that is X.509, but that is a whole other can of worms.

  3. Anonymous Coward

    Don't just fling unsecured open source OSes at world+dog, father of the Internet begs

    No, you can fling insecure closed source OSes at world+dog as well; Windows 10 IoT is available.

    Nothing is secure, see the excellent Edge browser > Windows kernel > VMware hack at Pwn2Own

    https://www.zerodayinitiative.com/blog/2017/3/17/the-results-pwn2own-2017-day-three

    1. Anonymous Coward

      To avoid the landmine of closed vs open source: if you print the root/admin password on the device and it's the same for all customers, what OS is chosen is not all that relevant.

  4. Anonymous Coward

    Normally I prefer light government regulation, but "venders" aren't going to solve this. There has to be some kind of product validation or security certification (to start with).

    The other problem is many small companies will just change their name rather than provide proper maintenance. There needs to be some kind of system put in place to make the public aware of issues with products, and if there are actions that they need to do to keep themselves safe.

    Originally you'd register a product with the manufacturer and they'd inform you of issues. These days it's all marketing crap to let you know there is a new model available (rather than inform about a critical patch).

    1. bombastic bob Silver badge

      "There has to be some kind of product validation or security certification (to start with)."

      if it's inexpensive [such that it doesn't crowd independent engineers from selling their wares on the intarwebs] it _MIGHT_ work... but consider the cost of F.C.C. and CE marks, ALREADY a road block for startup businesses to get a product into the market. It's bad enough that Micro-shaft, Apple, and others are INSISTENT on some kind of "approval" or paid-for certification for software, which helps to *KILL* open source (and independent developers).

      Do you REALLY want "these kinds of roadblocks" IN THE WAY of TECHNOLOGY? I don't.

      If the liability laws are such that the manufacturer of a device can be held liable for flaws that RESULT in a DDoS, you can bet those flaws will be PROPERLY FIXED. If that means (for their insurance, for example) that they MUST have some kind of cert, they'll get it. At the same time, a PUBLIC project for an open source OS for IoT stuff (let's say) would NOT be hampered, but would need to "self certify" (through proper testing and documentation during development, let's say) in order to get people to use it.

      So yeah, gummint would have to be involved a little bit, legislating the liability laws that would basically put some pressure on IoT makers to make sure their devices have some basic protection in place to prevent being "negligent" and therefore liable for damages.

  5. Mage Silver badge

    Balked at ridiculing?

    No, the IoT can't be ridiculed enough.

    It's inherent with low margins etc. that security isn't addressed, and inherent with the desire to make the real money monetising private information that servers with your private info will be hacked, or at least deliberately sold on.

    1. This post has been deleted by its author

  6. Anonymous Coward

    IoT is just there to allow spying on your private life

    There is ZERO merit in connecting any device to the internet to make it work.

    IoT = Internet of Tat

  7. Anonymous Coward

    _

    "...taking the mickey out of the fad ..."

    Lived in England for several years, but never heard of this one before.

    What does this mean in Colonial English?

    1. Anonymous Coward

      Re: _

      Guess the minor version of taking the piss out of?

    2. Anonymous Coward

      Re: _

      It's rhyming slang for taking the piss; taking the Mickey Bliss.

      1. Doctor Syntax Silver badge

        Re: _

        "It's rhyming slang"

        You learn something every day. But who was Mickey Bliss?

  8. Colin Tree

    Linux/Android

    A lot of these things are based on Linux or Android.

    Easier if the security is hard-wired into the OS; the OS devs have much better security knowledge than some small startup toothbrush maker.

  9. Anonymous Coward

    I forget who it was who originally pointed this out, but...

    Insecurely Designed Internet of Things = IDIoT.
