Infosec guru Schneier: Govts will intervene to regulate Internet of Sh!t

Governments are poised to intervene over the security of IoT devices, as the industry has so far failed to self-regulate, infosec guru Bruce Schneier has said. In his keynote speech at Infosecurity Europe 2017, Schneier told delegates that the correct way to think about IoT is as if we are building a world-sized distributed …

  1. Christian Berger

    That could become even worse than the original problem... if done badly

    Potentially governments could mandate "security theatre" like "secure boot", enabling manufacturers to lock you out of the devices you bought... while in the meantime they still ship their insecure shit, and patch months too late.

    It's a problem requiring more technical knowledge than governments usually want to have, plus it has the potential for more surveillance, which governments like.

    What we need are mandatory evidence-based minimal security standards. Slowly, but surely, those standards get more and more strict, allowing software manufacturers to adapt to them. Essentially those standards would try to weed out the idiots. If you don't adhere to the standards, you will be accountable for the full damage occurring.

    This worked fine for electrical engineering.

    1. Anonymous Coward

      "enabling manufacturers to lock you out of the devices you bought...."

      When a device presents physical threats to others, it may be the right thing to do. Because people messing with devices may make them even less secure and more dangerous than the OEM - and would they adhere to standards? Who would inspect and approve user-modified devices?

      Just like governments, anarchists and tinfoil hat wearers are not good at writing regulations.

      1. Christian Berger

        Re: "enabling manufacturers to lock you out of the devices you bought...."

        Of course, but that shows the problem is rather complex. It's a purely academic problem though, since you can already manipulate safety devices on lots of machines. If you did that, the manufacturer obviously isn't at fault. That's not a real problem. So far virtually all customer modifications of IoT devices made them more secure.

        BTW user-modified devices are commonly inspected and approved in the car industry. Many countries have some sort of "approval" process by which your car needs to be checked every few years. If it fails, you need to fix those problems or remove it from traffic.

        1. Yet Another Anonymous coward Silver badge

          Re: "enabling manufacturers to lock you out of the devices you bought...."

          There was almost an EU ban on using after-market motorbike parts in Europe, even proposing you could only fit the manufacturer's own tyres. All in the name of safety. It only fell apart when it turned out to have been written with very close assistance of a certain Bavarian Motor Works company.

          But you can't imagine the new friendly non-monopolist Microsoft/Apple wanting a ban on Linux outside their own carefully billed data centres.

        2. Anonymous Coward

          "So far virtually all customer modifications of IoT devices made them more secure"

          Are you sure, or is this just wishful thinking? Do you actually have real, verifiable data about that? Mirai is a "customer modification" of devices as well - and it didn't make them more secure <G>. Do you believe any sorcerer's apprentice has an extensive knowledge of proper and secure programming? While a webcam may not be a big issue, even an automatic gate can kill people - it's not just like messing with an Internet router firmware.

          Do you also advocate a check of all IoT devices by an expert technician every few years, as in the car industry? Also, here any custom modification of a car which is not purely esthetic (and even then, within limits), means it has to undergo re-certification. Even mounting a towing hook requires it. And if you're caught with a car modified without authorization, here there are fines, vehicle license is retired, and your insurance (here mandatory, you can't circulate without one) will go after you if anything bad happens (because the car was not certified).

          My heating system also requires a mandatory yearly check by an approved technician - and I wouldn't like some idiots mess with its firmware, given what it burns.

          1. Brewster's Angle Grinder Silver badge
            Mushroom

            Re: "So far virtually all customer modifications of IoT devices made them more secure"

            "My heating system also requires a mandatory yearly check by an approved technician - and I wouldn't like some idiots mess with its firmware, given what it burns."

            WTF?! You're using a nuclear reactor to heat your home? God, you're brave.

            1. Anonymous Coward

              Re: "So far virtually all customer modifications of IoT devices made them more secure"

              Have you ever seen a home destroyed by a gas explosion?

              1. Christian Berger

                Re: "So far virtually all customer modifications of IoT devices made them more secure"

                That's why there are additional security measures. For example in most civilised countries they add a special smell to the gas and if you think you smell something, you have a special hotline which sends you a technician to check it out within an hour or less... no matter if it's day or night.

                1. Anonymous Coward

                  "they add a special smell to the gas"

                  There are also gas detectors. And still houses blow up... because of failures, or idiots doing the wrong thing. And the technician doesn't always come and fix the issue in time, especially for major failures (I have a reminder on my daily trip to work, the ruins of a house blown up when a gas pipe was punctured while laying down fibre. One woman died and the two technicians called to look for the issue were wounded).

                  There are also people dying from heaters burning incorrectly and delivering CO inside the house.

                  Would you like people messing with a burner software to "improve efficiency" (which will mean pay less for gas) when they have no clue about what they're doing, maybe bypassing safety checks because they don't understand them?

          2. Christian Berger

            Re: "So far virtually all customer modifications of IoT devices made them more secure"

            "Are you sure, or is this just wishful thinking? Do you actually have real, verifiable data about that? Mirai is a "customer modification" of devices as well - and it didn't make them more secure <G>."

            No, Mirai was a 3rd party modification, done through actual security bugs, and not via the way a normal customer would modify it. It's not like the people installing Mirai actually bought those devices. They are not customers, so obviously it's not a customer modification.

            So far OpenWRT didn't seem to suffer from any of the security problems manufacturers ship their devices with, because they smooth out the attack surface (no TR069, web interface is optional, etc...) and have regular updates. OpenWRT is in most, if not all, cases much more secure than the firmware the manufacturers shipped with their devices.

    2. c1ue

      Re: That could become even worse than the original problem... if done badly

      Electrical engineering is largely confined to infrastructure or sub components within larger systems.

      Bruce Schneier is totally right that IT infrastructure is everywhere doing everything, and more all the time.

      The systemic risk this represents is incalculable.

      Criminals are slowly starting to understand that DoIT (Denial of IT Infra, and the data/controls in it) is far more lucrative than credit cards, PII or even ransoms.

      The last time this type of dynamic existed, we got royalty out of it (feudalism).

    3. AnoniMouse

      Re: That could become even worse than the original problem... if done badly

      >> This worked fine for electrical engineering.

      Yes, but I really can't see Trading Standards having the first clue about the end-to-end security of the ludicrously cheap devices, manufactured and (not) supported well outside our jurisdiction, that will predominate in the Internet of Trojans.

      Bruce is right to observe that market forces will do little to mitigate the impending threats that will arise.

      But it's also very far from clear how any kind of government intervention might operate to be effective, especially since the IoT is a global phenomenon, with participants spread across the globe and hence spanning multiple jurisdictions.

  2. Ketlan
    Happy

    Threats R'Us

    "The real physical threat from the Internet of Things..." is that it's a load of outrageously expensive, insecure crap!

  3. P. Lee

    Good, fast, cheap. Pick two

    Good, cheap.

    We are past the point where "fast" is a problem for consumers, especially for IoT. Fast is usually relevant only to over-consolidated vendors.

    1. Christian Berger

      Re: Good, fast, cheap. Pick two

      Actually we're getting to a point where we have neither good nor cheap nor fast products. Just look at the FreeDesktop/SystemD people, who add buggy feature after buggy feature. The same goes for IoT devices. Just look at a "modern" "connected TV". They get harder and harder to use, slower and all that, because of marketing-driven development. Essentially you get devices which are built badly, slow and expensive on purpose.

      Compared to our current state, we could easily go in all three directions at the same time. We'd just need people who know their limits and work within them.

      1. Bronek Kozicki

        Re: Good, fast, cheap. Pick two

        I am all for government regulation of the IoT product development cycle. Anything to get the marketing off the engineers' backs.

      2. chivo243 Silver badge
        Paris Hilton

        Re: Good, fast, cheap. Pick two

        "modern" "connected TV" ?!?

        I might just be on my last TV, I don't need/want/care for an internet connected TV. I only watch one show on TV, and it can be easily had via different avenues. I may be opting for a projector and a simple computer to drive it for other viewing options.

        Paris as this seems to be a no brainer ;-}

        1. Christian Berger

          Re: Good, fast, cheap. Pick two

          Yeah, that's what TVs in modern households are like, basically just big monitors optimized for moving pictures. As for watching actual broadcast TV, that's what external tuners are for. In my case that's a dedicated computer running VDR connected to a satellite dish. It records shows without any form of DRM, and if I want to stream I can do so easily.

          Back in the 1980s, Sony actually marketed the concept of a "modular TV". You could get individual components (Tuner, VCR, amplifier, etc) and put them together any way you want.

          1. Steve Kerr

            Re: Good, fast, cheap. Pick two

            Yup, had one of those as a hand me down.

            Had separate tuner (though I used a VCR), teletext box and speakers.

            Was a really good TV, shame it died, took me months to find something comparable which turned out to be a plasma screen.

  4. Pat 11
    Black Helicopters

    Offline mode

    I like the sound of an offline mode. I'll start to worry when these things have their own network provision that I can't block. Won't be long before your fridge has a Vodafone logo and you have to snip the antenna to disable the snooping.

    1. Anonymous Coward

      Re: Offline mode

      "Won't be long before your fridge has a Vodafone logo and you have to snip the antenna to disable the snooping."

      Won't be long before your fridge has a Vodafone logo and you have to snip the antenna to think that you've disabled the snooping.

    2. Anonymous Coward

      Re: Offline mode

      wherein you'll have voided the warranty and it'll turn off the refrigerant flow.

      They won't make stopping snooping easy.

  5. Khaptain Silver badge

    Others problems first

    When people happily give their lives' details on a daily basis, what's the urgency to secure anything?

    IOT will simply provide further adjectives to an already quite complete biography.

    Governments don't seem to care that people's lives are being recorded to a level that is damned frightening. Security is not being applied to individuals; it is being reinforced only where there is a threat to the government itself.

    What the internet needs is a true campaign about what is really going on behind the scenes with all the data. The data-slurping monsters, Facebook and Google, are the true security risks. By providing so-called services whilst at the same time ensuring that the snare is being tightened further around the necks.

    IOT security is definitely a major upcoming problem but I see it as only a small part of a he he problem. I do agree that something needs to be done, but not by the governments; it needs to be done by the people themselves, they need to be educated by professionals, not by marketeers.

    1. Captain Hogwash

      Re: Others problems first

      "Governments ~~don't seem to care~~ relish that people's lives are being recorded to a level that is damned frightening."

      FTFY

    2. Brewster's Angle Grinder Silver badge

      Re: Others problems first

      "I do agree that something needs to be done, but not by the governments; it needs to be done by the people themselves, they need to be educated by professionals, not by marketeers."

      If people were going to educate themselves they would have done it by now. And anyway, how does an uneducated person separate a "professional" from a snake oil salesman "marketeer"?

      The government is us. Today, of all days, that should be apparent. We nominate our representative. They talk to the experts and make decisions on our behalf.

      1. Rich 11

        Re: Others problems first

        "The government is us. Today, of all days, that should be apparent. We nominate our representative. They talk to the experts and make decisions on our behalf."

        Such charming naïveté...

        1. DropBear

          Re: Others problems first

          "Such charming naïveté..."

          Indeed. Actually, I propose we should just admit what voting really is, and make it openly about voting AGAINST the candidate(s) you hate most. It's what we already do anyway but it would sure give me a heck of an extra incentive to vote to know it fully gets interpreted as intended. Especially if there would be the option to vote against every single one of them, which currently you can only do by fouling your vote, completely losing the message to be sent in the process.

    3. Chronos
      Alert

      Re: Others problems first

      I'd start with consumer routers, personally. Once your edge gateway is secure it can police everything else. Forget shiny boxes and wireless range, make the damned things fit for purpose first. Step one: make forwarding packets either way to ports 137-139 and 445 blackhole routes by default. Not reject or ICMP unreachable, blackhole. While it's wondering where its packet has gone, it's leaving someone else alone.

      And can we please stop enabling UPnP out of the box? It makes setting up C&C links trivial for any slightly clueful villain.

      1. Version 1.0 Silver badge

        Re: Others problems first

        You can hope that consumer routers will fix the problem but that's not going to happen - it could happen at the ISP level but that would require a policy that strictly limits the consumer traffic to only permitted packets and destinations. And that requires inspection... and you can guess how popular that will be.

        Basically, the problem's not solvable with the current state of networking. At some point in the future we will need to rip everything up and start again.

      2. Yet Another Anonymous coward Silver badge

        Re: Others problems first

        So ISPs supply routers which by default don't let things connect to the internet.

        So when granny buys that new gadget that lets her video talk to the grandkids, or lets a service monitor that she hasn't fallen - all she needs is a CCNA to enable the features in the router?

        1. John Robson Silver badge

          Re: Others problems first

          "So when granny buys that new gadget that lets her video talk to the grandkids, or lets a service monitor that she hasn't fallen - all she needs is a CCNA to enable the features in the router?"

          Actually it doesn't need to be that bad.

          UPnP with a physical button on the router might be an option... It's still ugly, but it's less so.

  6. Mage Silver badge

    Regulation

    We need FCC, CSA, CE marks that actually mean something more than a licence to import and retail, with proactive regulator sampling of the market. There is not just security, but also every kind of safety (not just electrical), RFI and RF susceptibility, ability to repair, and ability to sensibly recycle, rather than a built-in 18-month to 28-month life due to sealed-in batteries or poor component quality.

    We need to look at the big picture.

    Also there has to be SEPARATE security and functional updates. I received a forced automatic update in a Kobo eBook reader while making annotations. It did add one "security" feature, a PIN to unlock, but dramatically reduced functionality of the home screen to almost useless.

    So Microsoft is not the only bad guy. If people get "Security" updates that interrupt their work or remove or downgrade features, they will block updates.

    Also MS's lack of security patches on some older products is pure marketing to force people to upgrade, as they often continue to develop and release the patches to specific users or products using the same code rather than in public. MS is quite entitled to charge specific customers for support, but it's sheer bloody-mindedness to turn off patches to the ordinary public when in reality they are still AUTOMATICALLY distributing them.

    1. Version 1.0 Silver badge

      Re: Regulation

      And the IoT manufacturers will just print the FCC, CSA, CE marks on the equipment to sell them, and once sold they will run. Go look at cheap network gear and other electronics - a good 20% doesn't even try to comply with the regulations these days.

      1. DropBear
        Trollface

        Re: Regulation

        I think you accidentally left an extra "doesn't" in there somewhere...

  7. smudge

    Which governments?

    As a general point, I don't see any government having enough knowledge of the problems, and of how to address them, to enable them to introduce meaningful, effective regulations.

    But specifically, which governments? Doesn't sound to me like the sort of thing that the Trump administration would do, unless there is a "make America great again" angle. I am assuming that the UK will have a Conservative government again after today, and they have already shown uncharted depths of ignorance about infosec. Anyway, whoever the UK government is, they will be pre-occupied - overwhelmed perhaps - with Brexit for the next couple of years.

    It seems to me as though it's the sort of thing that the EU could do, perhaps with Germany's leadership - although that's just my instinct, and I have nothing to back that up. In which case, we could expect the UK to reject it as more unnecessary regulation from Brussels!

  8. Christopher Reeve's Horse

    Local Network Security

    I think there's a lot more improvement that can be made to general domestic router / firewalls to help with this... Most contract supplied kit (BT Homehub etc.) is too locked down, or where control exists it's too complex for most people to grapple with.

    It shouldn't take a networking wizard to be able to set any connected device to local communication only, or to separate devices into groups with differing access to each other or the internet. Or better still, firewall individual devices to only be able to connect to certain update IPs. I'm sure all of this must be possible, it's just complicated to set up AND maintain.

    Which brings me to the next problem. Someone (even if it's Google!) needs to provide a secure centralised service for firmware / software updates that's completely agnostic to manufacturers' own support commitments. Imagine if there was one single URN from which all devices could reliably get the latest patches. Firewalling other random connections would be a whole lot easier, and it would be a lot more obvious who and what was a security risk.

    If I could guarantee that my internet connected 'whateverthehellitis' could only talk to one approved update channel and also only to my smartphone app then I'd be more inclined to allow them onto my network.

    Similarly, if you could guarantee a smart TV could only talk to BBC iplayer (and whichever other services you want to use) it would be a happier world. Unfortunately these things are just not built for users to have any control of. Until they improve the 'smart' functionality remains firmly off. It's worse than the wild west out there.
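    Two points raised in this thread, Chronos's "blackhole, not reject" rule for ports 137-139 and 445 and the wish above to let each IoT device talk only to an approved update channel and the owner's phone, can be expressed in one gateway ruleset. The nftables ruleset below is an added example, not from any commenter or vendor; the interface names (lan0, iot0, wan0) and all addresses are assumed placeholders for a home gateway with IoT devices on their own segment.

```nft
# Added example ruleset for a home gateway. Assumptions (not from the thread):
#   lan0 = trusted LAN, iot0 = IoT segment, wan0 = internet uplink,
#   addresses below are placeholders and must be replaced with your own.

table inet home_gw {
    # Update hosts the IoT devices may reach (placeholder addresses).
    set update_hosts {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    # The phone running the vendor app, on the trusted LAN (placeholder).
    set owner_phone {
        type ipv4_addr
        elements = { 192.168.1.20 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections already allowed below.
        ct state established,related accept

        # Point 1: SMB/NetBIOS is dropped silently in either direction.
        # "drop", not "reject": no RST or ICMP unreachable is sent back, so
        # a probing host waits for a timeout instead of moving on at once.
        tcp dport { 137, 138, 139, 445 } drop
        udp dport { 137, 138, 139, 445 } drop

        # Point 2: the IoT segment may reach only the update hosts over HTTPS
        # and the owner's phone; the phone may initiate into the IoT segment.
        iifname "iot0" ip daddr @update_hosts tcp dport 443 accept
        iifname "iot0" ip daddr @owner_phone accept
        iifname "lan0" ip saddr @owner_phone oifname "iot0" accept

        # The trusted LAN may use the uplink; the IoT segment may not.
        iifname "lan0" oifname "wan0" accept

        # Anything else from the IoT segment is logged at a limited rate
        # (so you can see what a device tries to reach) and then hits the
        # chain's drop policy.
        iifname "iot0" limit rate 10/minute log prefix "iot-blocked: "
    }
}
```

    Load it with `nft -f` and watch the kernel log for the `iot-blocked:` prefix to learn which hosts a new device really needs before adding them to `update_hosts`.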

    1. nijam Silver badge

      Re: Local Network Security

      > ... Most contract supplied kit (BT Homehub etc.) is too locked down...

      But remember it's locked down to protect the ISP (BT etc) from the consumer, not the consumer from hacking attacks.

    2. Charles 9

      Re: Local Network Security

      "Which brings me to the next problem. Someone (even if it's Google!) needs to provide a secure centralised service for firmware / software updates that's completely agnostic to manufacturers' own support commitments."

      HAH! ANYONE who tried would just be painting a big, fat bullseye on their backs!

  9. Missing Semicolon Silver badge
    Happy

    Liability

    That's all you need.

    If the importer/local manufacturer gets dinged when an IoT device is insecure, you bet your bottom dollar that the flow of cheap nasty webcams would dry up.

    And- for grins - designate "eBay" as the importer :-)

    1. Version 1.0 Silver badge

      Re: Liability

      We have met the enemy and it's us - we're the ones demanding cheap webcams, we're the ones buying the cheapest and not bothering to look at the standards that it is supposed to comply with.

    2. Charles 9

      Re: Liability

      Ever heard of Whack-a-Manufacturer-Mole? Fly-by-Nights? Bribes at the highest levels?

  10. Adam 1

    simple (in theory)

    Specify that remotely exploitable vulnerabilities that could lead to data being exposed, devices being bricked, local networks being accessed, the device being reprogrammed, etc. count as a "major fault", triggering consumer protection laws.

    So when [iot vendor] sells [new and shiny] and then 6 months later fails to provide a security patch, products can be returned for a refund/repair/substitution. Actually, this for mobile phones too, please.

    1. Mike 16

      Re: simple (in theory)

      Liability would at _best_ be a full-employment act for lawyers (Hmmm, may keep them busy enough to cut down on some of their usual mischief). Getting a judgment would be the first (and only marginally useful) step.

      It's especially hard to get blood from a turnip when you cannot find the turnip, or the farmer.

  11. John Smith 19 Gold badge
    Unhappy

    The really depressing thing is.

    The same vulns keep coming up.

    Over and over and over again.

    Partly it's because 50 odd web cams/thermometers/whatever are in fact the same (grossly insecure) piece of hardware with a different badge.

    But also it's like there's no apparent reference software which is coded in a safe way that the code monkeys (they damn sure ain't developers. I'm not sure they can do much above cut n paste code) can literally just drop in.

    As others have noticed, the problem is that (like a successful parasite) their s**t code does not harm the host (hardware) enough for the owner to do something about it.

    It's everyone else's problem when the (whatever) gets pwned and starts launching DDoSes, spam and other assorted s**t round the internet.

  12. W4YBO

    Let's be honest about this...

    "Regulation is coming and is coming in a big way. There is a lot of worry that regulation will stifle innovation, but if you look at history that is not the case."

    If you look at history, that statement is untrue. Until the (US) National Firearms Act of 1934, nearly all firearms were designed by individual private citizens. One particularly notable instance was "Carbine" Williams, who invented the short stroke, gas operated, floating chamber action while incarcerated in a North Carolina prison for the murder of a deputy sheriff. Firearms since NFA have all been designed by corporate interests.

    Hush-a-Phone - a "a voice silencer designed for confidential conversation, clear transmission and office quiet. Not a permanent attachment. Slips right on and off the mouthpiece of any phone" (from their advertisement). AT&T repairmen in the late forties began telling subscribers that they risked disconnection if they didn't remove their Hush-a-Phone, and were backed by regulation.

    Remember acoustic modem couplers? Because Ma Bell didn't want you to connect your electronics directly to theirs, and had the FCC to enforce their position.

    Like your cell phone? The best we'd have in the US is trunking systems if not for telephone deregulation and the Bell System breakup.

    So, yes, regulation does stifle innovation and competition, and is often used to that end.

    1. bazza Silver badge

      Re: Let's be honest about this...

      "So, yes, regulation does stifle innovation and competition, and is often used to that end."

      That's because you let the wrong people write the regs.

      Like it or loathe it, the one thing the EU has been quite good at is imposing sensible technical standards for the benefit of all. The SIM card is part of that, and it's a tremendous boon for the consumer. Here in the UK (and I think most of the rest of Europe) you own your mobile phone number, and the network has to let you take it to another network.

      In fact the whole GSM / UMTS thing came about against a background of regulatory interest, ensuring that there was open competition between network equipment providers. The irony of course is that it took a Chinese company - Huawei - to make the big innovation in that by changing the internals of a GSM network whilst keeping the external interfaces (base station, SS7 connection) the same.

      If there is one thing that really needs sorting out, it's the walled gardens that are the OTT networks, comms apps, etc. Having spent decades setting standards for interoperable communications and services (e.g. MS being forced to publish docs for Windows Domain protocols), governments all over are ignoring the erosion of interoperability by Facebook, Google, Apple, WhatsApp, etc., and the harm it ultimately does to all consumers.

  13. Stevie

    Bah!

    OUR govt is gonna fix the Internet of Bots? Seriously? That bunch understand the problem less than the consumer does.

    The way this gets fixed is by a clandestine program to infiltrate and bork insecure kit. Read Amazon reviews for the real driver of consumer choice. They buy cheapest, it breaks, they cry and do it again. It breaks, they repeat. It breaks and they finally go upmarket a bit. They repeat the whole saga until kit is reliable.

    Legislation to fix the internet of tat? You are living in a cheap Chinese knockoff of AR.

  14. John Smith 19 Gold badge
    Unhappy

    Legislation --> certification.

    Test the hardware for basic security. No creds logins, what ports are open, scan software for hardwired login creds, etc. The HW version handed over has to be the design that's going to ship, and actual products should be periodically bought and compared to confirm they are still the same.

    IOW all the usual, painfully repetitious s**t that keeps coming up.

    Here's the thing.

    If the hardware fails all "badge engineered" versions fail. It's on the HW mfg to fix this.

    Don't pull them from the market. Just refuse to certify they have any basic level of security. You buy it. It f**ks up, it's on you.

    Everyone has "free will" in this scenario. The mfg can use a bunch of code monkeys (I refuse to call them developers, because they clearly are not) and fail the proof mark. The resellers can buy them, but now this product is s**t. The customer can buy s**t.

    But if anything happens the customer has no recourse. I think the word will get round on Amazon, eBay and anywhere else such products are sold as to what's rubbish and what is at least scraping a pass mark.

    1. Charles 9

      Re: Legislation --> certification.

      Don't be so sure. One, the whack-a-mole game means for every manufacturer black-marked, another will take its place. Two, free will is exactly how we got here. Buyers don't know better and sellers know to take advantage.
