No vulns. No hardwired passwords. Patchable. Congress dreams of IoT: Impossible Online Tech

After years of warnings about the parlous state of Internet of Sh!t security, the US Senate has finally introduced legislation on the matter. The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the …

  1. Brian Miller

    Known vulnerabilities

    This is actually the problem with the bill: when can you stop patching, and ship the product? And let's say that the vulnerability is in some pretty knackered spot, just before release. What then?

    The i.MX7 processor has a certificate vulnerability in its ROM. This means that no product with that part may be shipped under this bill. Whole product lines would have to be scrapped. Way too costly. But what can you, as an OEM, do?

    1. a_yank_lurker

      Re: Known vulnerabilities

      This is the type of stupidity Congresscritters are notorious for. The probable intent and actual language used almost certainly do not line up. Also, vulnerabilities will be discovered throughout the lifetime of the device. If a vulnerability was found and a patch is being readied, can the government still buy it?

    2. Gene Cash Silver badge

      Re: Known vulnerabilities

      What kind of stupid question is that? Don't fuckin' use the i.MX7 processor then! Perhaps the idiot supplier will clue up and fix the certificate handling!

      I don't care if entire product lines have to be scrapped! How the hell can you ship shit with known vulnerabilities this bad and still sleep at night?

      Oh man... our new Pinto product explodes if you rear-end it... let's go ahead and ship it though. We'll fix it in Pinto 2.0...

      1. Anonymous Coward

        @Gene Cash

        Suppose you are (hypothetically) deploying something like a rail track signalling system with all the vast coordination of physical construction, track closures, timetable variations, replacement buses etc. etc. that entails. The control board design has been independently verified (taking months) and so has the firmware logic (more months).

        Now suppose you're 60% of the way through this project and this certificate handling bug is discovered. What do you do? You can't procure any more signalling units (the law), you can't substitute an alternate part (the other laws - and the risks) and you can't restart services with the job half done (people die in train crashes).

        What you actually do is ignore the certificate bug because you expected something like that somewhere and architected the system appropriately (air gapping etc). However, if some bass ackwards law is enacted requiring you to treat all theoretical security vulnerabilities the same regardless of materiality in the use context then..... Hmmmm?

        1. Doctor Syntax Silver badge

          Re: @Gene Cash

          "Now suppose you're 60% of the way through this project and this certificate handling bug is discovered. What do you do?"

          In the situation you describe the processor wouldn't have made the short-list because it wouldn't have been patchable.

          1. Anonymous Coward

            Re: @Gene Cash

            Then that short-list would actually be an EMPTY list as a field-deployed, embedded system like that CAN'T be patched. Not only would it be deployed too remotely for anyone to see to it after it's installed, but a safety-related system like that REQUIRES that it be untouchable so that it can't be "hacked" to kill people. This is literally a situation where you only get one chance; it MUST be right the first time because now you have conflicting laws.

            1. Doctor Syntax Silver badge

              Re: @Gene Cash

              "Then that short-list would actually be an EMPTY list as a field-deployed, embedded system like that CAN'T be patched. Not only would it be deployed too remotely for anyone to see to it after it's installed, but a safety-related system like that REQUIRES that it be untouchable so that it can't be "hacked" to kill people."

              The fault mentioned related to certificates. The only need to handle certificates would be to verify communications. The need to verify communications would only occur if the device could communicate. If it can communicate it isn't too remote to be patched, it isn't untouchable and if hacked can kill people.

              1. Brian Miller

                Re: @Gene Cash

                The certificates are used to verify the firmware image before the processor runs it. If an image does not match the appropriate certs and signing, the board is effectively bricked. Thus, a "high assurance boot" chain is established. Then a signed kernel is booted.

                In this case, the ROM code has a vulnerability with a firmware image that has a munged cert. This causes a stack overflow, causing the verification process to be skipped completely. NXP now has to rev the mask and ship a new processor.
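                As an added illustration of the bug class Brian Miller describes (an untrusted certificate length field that, if copied unchecked, overruns a fixed stack buffer and derails verification), here is a constructed fail-closed verifier. It is not NXP's ROM code or HAB format: the image layout, the FNV-1a "tag" standing in for the real signature check, and the `demo()` scenarios are all assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed image layout (a simplification, NOT NXP's HAB format):
 * "FWIM" | cert_len (LE32) | cert | payload | tag (LE32, last 4 bytes) */
#define MAX_CERT_LEN 256u
enum verify_result { VERIFY_OK = 0, VERIFY_BAD_HEADER, VERIFY_CERT_TOO_LONG, VERIFY_TRUNCATED, VERIFY_BAD_SIGNATURE };
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
/* Stand-in for the real signature check (FNV-1a over cert||payload); not cryptographic. */
static uint32_t tag_of(const uint8_t *c, size_t clen, const uint8_t *p, size_t plen) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < clen; i++) { h ^= c[i]; h *= 16777619u; }
    for (size_t i = 0; i < plen; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Returns VERIFY_OK only when the length field is consistent with the image and the
 * tag matches; every other path refuses the image (fail closed, never "skip"). */
enum verify_result verify_image(const uint8_t *img, size_t len) {
    uint8_t cert[MAX_CERT_LEN];                       /* fixed-size stack buffer */
    if (len < 12 || memcmp(img, "FWIM", 4) != 0) return VERIFY_BAD_HEADER;
    uint32_t cert_len = rd_le32(img + 4);
    /* Bound the untrusted length BEFORE the copy: omitting this check is the
     * "munged cert -> stack overflow" bug class the thread describes. */
    if (cert_len > MAX_CERT_LEN) return VERIFY_CERT_TOO_LONG;
    if (cert_len > len - 12) return VERIFY_TRUNCATED; /* cert must end before the tag */
    memcpy(cert, img + 8, cert_len);
    const uint8_t *payload = img + 8 + cert_len;
    size_t payload_len = len - 12 - cert_len;
    if (tag_of(cert, cert_len, payload, payload_len) != rd_le32(img + len - 4))
        return VERIFY_BAD_SIGNATURE;
    return VERIFY_OK;
}
/* Builds a constructed image (4-byte cert, "kernel" payload) and optionally corrupts it:
 * 0 = intact, 1 = cert_len munged to 0xFFFFFFFF, 2 = one payload byte flipped. */
enum verify_result demo(int scenario) {
    static const uint8_t cert[4] = {0xC0, 0xDE, 0xCA, 0xFE};
    const uint8_t *payload = (const uint8_t *)"kernel";
    uint8_t img[4 + 4 + 4 + 6 + 4];
    memcpy(img, "FWIM", 4); wr_le32(img + 4, 4);
    memcpy(img + 8, cert, 4); memcpy(img + 12, payload, 6);
    wr_le32(img + 18, tag_of(cert, 4, payload, 6));
    if (scenario == 1) wr_le32(img + 4, 0xFFFFFFFFu);
    if (scenario == 2) img[12] ^= 1;
    return verify_image(img, sizeof img);
}
```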

        2. ForthIsNotDead

          Re: @Gene Cash

          What you're describing isn't an Internet of Things thing. It's a complex, mission-critical control system.

          This law wouldn't apply to your rail track signalling system in the same way it wouldn't apply to a bunch of Petunias.

          1. Charles 9

            Re: @Gene Cash

            You speak as if the two are mutually exclusive. What if they're not?

        3. Ian Michael Gumby
          Boffin

          @AC ... Re: @Gene Cash

          If you're in the middle of a procurement cycle... meaning that you've already agreed to purchase X units... you can continue that cycle.

          Of course at the same time you expect the vendor to issue a fix and re-certify that they are free from known vuln.

          Yes, it's a lawyer trying to understand the SDLC and software development. It's just as bad as when a lawyer wants to play doctor.

          It's their way of answering ... "What do you mean my mail server was hacked because of a security bug that my vendor never patched and had known about for the past X years!"

          The key here is that the Gov can then go after the vendor and force them to repay $$$ and/or fix the vulns...

          But then again... what do you do when several congress critters hire a Pakistani con-man to do their IT work where he hires out his family and some ghost employees to do the real work...

          1. Anonymous Coward

            Re: @AC ... @Gene Cash

            Cut to the chase -

            If you can't build your IoT rail signaling system 100.00000% secure, don't build it. Go back to square one.

            1. Charles 9

              Re: @AC ... @Gene Cash

              And as long as (inherently error-prone) humans have to interact with it in some way, shape, or form (and humans BUILD the things), security will never be 100%.

              Ergo, you can't have a system at all. In economics, it's like the demand being disconnected from the supply: their graphs never intersect, meaning the market cannot be fulfilled.

    3. Ian Michael Gumby

      @Brian Miller Re: Known vulnerabilities

      The issue is this...

      Suppose there's a vuln that you know of Aug 1.

      You don't fix and ship your product Aug 2.

      You're in trouble.

      Now suppose there's no known vuln Aug 2 and you ship.

      Aug 3, there's a vuln found.

      You're ok, but you have to be able to push out a patch.

      That's what they are saying.

      So shipping out a Linux distro that has a 10yr old vuln that no one fixed... you need to fix it ASAP.

      Of course... it's meaningless because you will be self-certifying the kit that you flog.

  2. oldtaku Silver badge
    FAIL

    And the cherry on top...

    ... mandatory backdoors that are only usable by the Good Guys (TM).

  3. a_yank_lurker

    Sort of glaring flaw

    "No, that glaring flaw is: the act only applies to government purchases, so consumers are still screwed for the time being." - Partially true, but the fact there is a standard of sorts means the standards (or some derivative) will permeate the industry. It also means consumers can try to buy something that meets a (shaky, maybe) standard versus none at all.

  4. anonCoward24

    7 mill. I want 7 mill

    says someone [reference needed] that f**k-you money nowadays is 7 M rather than just 1

  5. TheElder

    We all want totally secure gear. And flying cars. And $1m. And...

    to be young again. Youth is wasted on the young.

  6. frank ly

    Wow

    "Information is a form of currency,"

    Just like I can print my own currency anytime I need to go shopping.

  7. Anonymous Coward

    "must not have any known security vulnerabilities, must have the ability to be patched"

    So..... if no known security vulnerabilities, why, errr, patch?

    Is any software ever free of all potential security vulnerabilities?

    1. Hugh McIntyre

      Re: "must not have any known security vulnerabilities, must have the ability to be patched"

      Re: "So..... if no known security vulnerabilities, why, errr, patch?"

      Presumably, no known vulnerabilities when you buy the thing and needs to be patched if/when new bugs are found later.

      Since the lack of patchability is one of the main problems of IoT, mandating the ability to patch seems like a good thing?

      1. Mike 16

        Re: "must not have any known security vulnerabilities, must have the ability to be patched"

        --- Presumably, no known vulnerabilities when you buy the thing and needs to be patched if/when new bugs are found later. ---

        Or, you know, new vulnerabilities are introduced by patching. Wouldn't be the first time.

    2. Charles 9

      Re: "must not have any known security vulnerabilities, must have the ability to be patched"

      "Is any software ever free of all potential security vulnerabilities?"

      Formally proven software?

  8. Mark 85

    This bill is a bipartisan, common-sense step in the right direction.

    Well the common-sense part pretty much ensures it will not be passed by Congress, doesn't it?

  9. Anonymous Coward

    Who votes for these numpties?

    Oh wait...

  10. Milton

    Move in the right direction

    It's a reasonable enough first step, despite the politicians' ignorance betrayed in the careless language. I am personally reassured that Bruce Schneier is apparently being listened to on this topic: he knows more about it, and has more realistic, intelligently reasoned views, than both houses of congress put together.

    And as someone pointed out already, standards have a way of raising the bar if they're obviously sensible and properly enforced. I can imagine that savvy consumers would themselves start choosing only those devices which have been certified for government use. The standard will spread if it really offers benefits, because companies meeting the government standard will sell better than the laggards and there will then, I hope, be competition to reach the standard.

    In short, this legislation might be what we need to seed the pearl.

    1. Doctor Syntax Silver badge

      Re: Move in the right direction

      "Bruce Schneier is apparently being listened to on this topic: he knows more about it, and has more realistic, intelligently reasoned views, than both houses of congress put together."

      If he's any spare time can we borrow him for the HoP?

  11. Doctor Syntax Silver badge

    The Internet of Things Cybersecurity Improvement Act

    I thought it was a rule that all US legislation should have an appropriate acronym. The nearest this gets to that is TITCIA, and that's only by dropping the preposition.

  12. EveryTime

    Now you've gone and ruined the acronym

    I won't be able to *not* think of "impossible online tech" the next time I read about a magical IoT device.

    This is why we can't have nice, uhmm, names. Because some bastard comes around and spouts Truth. The emperor has *wonderful* clothes.
