Homeland Security Issues 'Strategic Principles' For Securing The Internet Of Broken Things
from the my-smart-toaster-just-destroyed-the-internet dept
For much of the last year, we've noted how the rush to connect everything from toasters to refrigerators to the internet -- without adequate (ok, any) security safeguards -- has resulted in a security, privacy and public safety crisis. At first, the fact that everything from Barbies to tea kettles was now hackable was kind of funny. But in the wake of the realization that these hacked devices are contributing to massive new DDoS botnet attacks (on top of just leaking your data or exposing you to hacks), the conversation has quickly turned serious.

Security researchers have been noting for a while that it's only a matter of time before the internet-of-not-so-smart-things contributes to human fatalities, potentially on a significant scale if critical infrastructure is attacked. As such, the Department of Homeland Security recently released what it called "strategic principles" for securing the Internet of Things, an apparent attempt to get the conversation started with industry on how best to avoid a dumb device cyber apocalypse.
Most of the principles are simple common sense, such as recommending that companies, oh, actually think about security a little bit during the product design phase. Other principles are a bit ironic given the government's behavior on other fronts, including the recommendation that companies implement encryption at the processor level for devices like the iPhone:
"Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity."

Again though, most of the recommendations are painfully basic, including actually "understanding what consequences could flow from the failure of a device," ensuring devices are more quickly and automatically updated, and engaging in "red teaming exercises" where employees probe devices for vulnerabilities before launch. Still, just getting some of this stuff in writing isn't a bad idea, given that most of the new IoT DDoS malware relies on something as stupid as not changing default login credentials. So there is value in just establishing some kind of core best practices that (apparently incompetent) companies can look to.
As such, the DHS is clear that this is just a "first step":
"These non-binding strategic principles are designed to enhance security of the IoT across a range of design, manufacturing, and deployment activities, and include relevant suggested practices for implementation. It is a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems."

The problem of course is that voluntary guidelines are no guarantee that the companies involved will actually adhere to them. After all, these are companies (and IoT evangelists) that were so keen on selling hardware that they couldn't be bothered to do the bare minimum to secure their products or acknowledge this rising, obvious problem. As a result, you have hardware like the Jidetech 720p WiFi enabled security camera, which security researcher Rob Graham noted this week can be hijacked by malware and participate in a botnet in all of five minutes after being unboxed:
1/x: So I bought a surveillance camera pic.twitter.com/HbmPzrZgFK
— Rob Graham 🦃 (@ErrataRob) November 18, 2016
"An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don't care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can't even tell they were used in the attack. The sellers of those devices don't care: They've already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It's a form of invisible pollution."

That's certainly not going to be good news for the regulation-phobic, but Schneier argues the alternative is, quite literally, chaos:
"Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner."

One problem of course is that U.S. regulation certainly won't help deter the rest of the world from creating internet-connected devices that can wreak havoc on vital infrastructure. There's also the very real concern that federal regulations would be crafted poorly, restricting sector innovation or consumers' freedom to tinker with their own devices. In fact, many of these devices have such abysmal interfaces and control systems that hacking and modifying them is in some instances the only path to actually securing them and controlling what traffic they send over the network.
As such, IoT regulation is going to be a debate that rages for several years, when it's not entirely clear we have several years to waste. In the interim, the only recourse left to consumers continues to be to establish smart security in your own home and business, and continue to name and shame IoT vendors that clearly prioritized profits over human lives and the health of the internet at large.
Filed Under: cybersecurity, devices, dhs, hacking, homeland security, internet of things, iot
Reader Comments
https://youtu.be/BvId5-0295U?t=1h10m11s
Schneier luvs Feds
Bruce Schneier often has excellent technical insights & info --- but he is a political leftist with great trust /faith in government solutions to security problems.
He blocks commenters on his website who politely point out his unwarranted trust in big government.
Re: Schneier luvs Feds
Lefties have no freedoms and therefore should be forced into allowing comments while righties should be allowed to express their god given freedoms by blocking comments they do not like.
Re: Schneier luvs Feds
What solution do you believe is possible, to broken IoT security, without any government regulation?
The free market isn't going to fix this one, because it doesn't affect the companies that make these products and it doesn't affect the customers who buy them; it affects third parties who are completely outside the supply chain. How do you propose to fix that dilemma?
Schneier luvs Feds
...do tell us exactly where the government recruits all these brilliant & selfless "Regulators" who can readily solve this IoT problem?? Are they bred in some secret government nursery?
How is it that government regulators are so much smarter than private citizens/businessmen, and totally immune to self-interest, bias, error, or incompetence?
Solutions always come from the private sector, even if funneled through government bureaucrats.
As an apparent leftist, you do not understand the complex mechanisms of voluntary cooperation in mass production/exchange and its inherent problem solving capabilities. Not enough space here to educate you.
Re: Schneier luvs Feds
Also, you appear to be arrogant and ignorant - bad combo bro.
Re: Re: Schneier luvs Feds
Your entire comment here was a personal attack upon me.
I did not attack @Thad personally. He posed a highly loaded/biased question to reinforce his point of view. I chose to respond indirectly to subtly highlight the faulty assumptions in Thad's viewpoint/loaded-question.
Re: Re: Re: Schneier luvs Feds
Your comment was not entirely nice, now was it?
I thought "personal" attacks involved something personal, oh well.
Re: Re: Re: Schneier luvs Feds
Well, yes, dude, you totally did. Here's what you said:
"You're an ignorant, uneducated leftist. Nothing personal."
(Aside: what, precisely, do you mean by "not enough space here to educate you"? Do you think the Internet is going to run out of pages?)
I did no such thing. I repeat my question now:
There is nothing biased about that question. It is certainly informed by my point of view, but it is not rhetorical; I am not begging the question. I believe that there is no free-market solution to the problem of IoT security, for reasons which I have explained. You disagree, which you're entitled to do.
But you have given no factual basis for your disagreement; rather than answer the question I posed, you have -- repeatedly, now -- chosen to criticize my viewpoint, my motives, and my education, and suggested that the question itself is somehow biased. (How, exactly, you believe the question is biased is one more thing you have chosen not to explain.)
I asked a simple question. You did not have an answer. You had the option of saying "I don't know, but I have deep misgivings about increased regulations, because legislators and enforcers are often ignorant of technology, and subject to their own biases and self-interest." That's what an adult would have done.
You did not do that. You thought that, if you blustered and insulted me and, inexplicably, claimed that there was "not enough space" on the Internet to "educate" me, maybe nobody would notice that you didn't have an answer.
You were mistaken.
There's nothing wrong with being suspicious of regulators. But I asked you a question. And if you don't know the answer, have the guts to say so.
Re: Schneier luvs Feds
I asked you first, jackass.
Re: Schneier luvs Feds
You are assuming that reasonable people run and finance industry, and you are wrong. The majority of the captains of industry are intensely competitive, and will do in any of their peers, with whom they socialize, given a chance to increase the size of their empire. Essentially government is a means by which society tries to use the more reasonable sociopaths to rein in the rapacious nature of the extreme sociopaths.
Boycott
DHS really needs to stop fapping to Orwell's 1984.
I'm relaxed to know they are on the case. I mean god forbid anyone with industry specific knowledge actually regulate the thousands of categories of commodities that will eventually be IOT enabled.
Re: "There is no market solution because the insecurity primarily affects other people"
That is why god invented litigation and criminal prosecution. What DHS is actually saying, is that there is no solution that _they_ like.
Or more to the point, DHS is looking to jump on the bandwagon and leverage the same failures in architecture the ISPs are leveraging to violate people's 4th amendment rights. And while they (and ISPs) could contribute to increasing consumer security, they will not litigate or prosecute if it reduces their own nonconsensual voyeurism into citizen homes. Third amendment be damned.
Solutions DO exist. The biggest threat to their adoption, is the revenue stream being generated by the consumer surveillance market. The Fed being the biggest customer therein.
So these guys are wailing about systemic failures, for which there are solutions. They just don't like the fact that the solutions protect consumers against state intrusion, as much as criminal intrusion. So it is essentially the same issue as the cryptographic back door argument.
They want their access, and they will let everything burn until somebody offers something that endows them with additional power, and fucks everybody else. At which point they will glorify this new raping of the Constitution as the greatest security technology since underwear. And in the mean time they will use their propaganda infrastructure to delay any public shift in view related to digital civil rights.
SSDD.
Re: DHS really needs to stop fapping to Orwell's 1984.
Re: Re: DHS really needs to stop fapping to Orwell's 1984.
Re: DHS really needs to stop fapping to Orwell's 1984.
Hahahhahaha - they will say anything, I'm amazed at how many believe it.
Re:
There's a definite element of Catch-22 to all this, unfortunately.
encrypted processors conspiracy
Or, as the conspiracy-theorists believe, they already have a hardcoded backdoor into encrypted processors and want everybody on them (for ease of access).
Re: encrypted processors conspiracy
Video streams are serial and digital. Which means all they technically need for hardware is two pins to transmit and maybe two pins for hardware signaling. HDMI has 29 pins. As soon as I saw the cable (maybe 10 years ago) I knew the jig was up.
Initially you look at that and you say: "hey, fine, no biggy, people have a right to contract as they please".
Where the problem comes in, is that in digital systems you can encapsulate anything inside of anything without too much work. So yes, you CAN put a full TCP/IP tunnel inside an MP4 stream.
So what is being billed as an encrypted video stream could really be any kind of data stream. And it is being pumped through a box in your living room that has a mic that is listening 24 hours a day (how else does the box know its own name, if it isn't digitally processing 100% of its audio input?). So these services aren't limited to just streaming movies, and they aren't constrained to simplex transmission. Anyone suggesting otherwise is lying.
Which is why I've kept all my old monitors, and will not be buying a new one, until somebody starts doing some auditing of this shit.
The economic impetus for these problems is primarily driven by constraint of trade in the telecom sector. The monopolies have created market dynamics that are preventing product evolution at the lower layers. And so the newer, more liberty-preserving technologies aren't flowing into the market as fast as the douchebag ones.
The only way to fix that is to break up the telecoms Content||Carrier. There is NO technical regulation that the fed can write, that can't be engineered around in less time than it took to write the initial regulation. There are more of them, than there are of the Fed.
So these issues, are technological and sociological symptoms of bad economic management. Period. Full Stop. CRLF, pagefeed. Fix problem A, and problem B will eventually go away on its own.
In the mean time DHS babbles: "The economics DON'T WORK, we need a committee on committees!". When in fact the economics CAN work. The fed is just regulating the economy wrong.
Re:
Just to be clear and make sure I'm understanding you correctly: did you just suggest that attempting to intentionally block entire countries from accessing the Internet would be a good idea?
Re: Re:
So, to answer your question: no, it's not a good idea but it will happen.
ISPs left out of Recommendations
There are recent whitepapers out on it. The one I read managed to leave out ISPs and WiFi routers.
However, my ISP (Centurylink in VA) recently sent me a broadband router which allowed inbound connections on my home network by default. That's a HUGE problem.
Yes, a certain amount of stuff is going to break when that is turned off...but it's not stuff used by "normal", non-technical consumers. It does mean my insecurity camera won't talk to my smartphone from afar before the router allows it, but, like WPS, that's an addressable usability issue.
Likewise, my home network is largely invisible to me -- and I'm a programmer and design electronic hardware, so how can an average consumer have a chance?
Re: ISPs left out of Recommendations
Oh, that is nothing. Has anyone checked whether the transceivers in the WiFi nodes that are remote managed by ISPs can reach down to the 900 MHz spectrum? If so they can snoop most ANALOG home phones with it from remote. Even those carried by other carriers' POTS networks.
And don't get me started on teredo.
If there are regs coming down, what you can guarantee is that they protect the monopolies, and fuck new developers. Typically it is the high volume players that are responsible for the problem, since they are the ones who are more concerned about cutting support costs. That is _why_ they implement consumer-stupid level security. They engineer to reduce call load, and RMA count. Not to actually make good products. And that isn't going to change because of regulation.
The niche market players make their bones on having better support. So they tend to have better security, because their customers EXPECT it.
So you've got the Internet using more crypto because ISP's and the fed are douchebags. In response the fed will mandate insecure architectures, and refer to a bunch of experts, who are anything but experts. And then they will take a victory lap, with one hand behind their back to collect cash as they circle the room. The worst companies will get more market leverage, and responsible network architecture will become a crime.
How about this. Take the number of nodes botted, find the respective vendors with the largest count, and SUE them. That WILL fix the problem. There is no need for regulation. Criminal negligence and bench law is what is required here. And it doesn't even matter if the fed wins. The point will be made.
There is no reg the fed can pass that won't make the situation worse. This is not an area where compromise and cronyism wins the day. You can't build a dike with half sandbags and half baloney sandwiches. There are certain things that just require integrity to function AT ALL.
Which is why this is an issue the state will fuck up, and continue to fuck up worse, and worse until there is a crisis. The engineers KNOW HOW TO FIX THIS. It is the frathouse circle jerk at the executive level that is preventing them from doing it. The fed needs to look left, look right, take off the rubber gloves, and LEAVE THE ROOM.
There is no "yes but!". Just take responsibility. This is the result of failing to take punitive action against acts of digital pollution. Botnets are the superfund sites of the Internet. The taxpayers shouldn't be paying for the cleanup. The guys doing the polluting should be.
Re: Re: ISPs left out of Recommendations
****
Your mission, Mr Phelps, should you choose to accept it, will be to use my broadband modem to capture my response to a phone spam on my v-tech wireless phone handset and to repeat the exchange for the amusement of the Techdirt readership. This paragraph will self-destruct in 10 seconds.
***
Personally, I don't think the liability approach is going to work. The courts simply take too long, the big ISP boys are all really good at avoiding liability (arbitration, anyone? Section 230?), consumers can plead ignorance, and the companies that contracted the factories and the programmers will be gone before you can sue them. Had any luck suing anyone in China lately?
The best hope I can see is Elon Musk and SpaceX bringing true competition to the broadband market with their proposed low-orbit internet satellites.
D(ad) H(as) S(poken)
Re: D(ad) H(as) S(poken)
What a scary thought, though those indoctrinated actually think it might be true. What drugs do they do?
Unfortunately firewalls are complicated. They tend to come with unsafe settings. To one without IT know-how, that gobbledygook looks like...well, gobbledygook. What to leave open, what to close, how to do either, on which system. Either a bunch of open source programs designed to impact the firewall you have that will save your system, and tell you how to open only what your game/program really needs and leave everything else closed, or some ruling that firewalls come with everything closed and instructions easy enough for Joe Sixpack to open only what he needs, and no AI that will allow for back doors that poor Joe won't recognize (looking at you, Windows).
In other words, this cannot be left in the hands of the end users. The effort must be system wide, connection to program to device, and in such a way that the end user is safe first, and manufacturers a far, far distant second.
Therein lies the issue. The question remains, how to get it implemented market wide, with or without government regulation.
Facebook, Google, Amazon, Apple collect it all
Actually, you know, there's a lot of regulations that work
Re: Actually, you know, there's a lot of regulations that work
Rule #1: Outbound connections only by default on routers and broadband modems, especially the consumer variety. There's only one IP address for my modem, so it doesn't "route" any IP addresses except its own, and its primary purpose is simple web browsing and possibly streaming video. If I want it to do more, I have to enable it. My broadband modem is an important firewall.
Rule #2: Nothing inside my default consumer router is visible to anything else.
Rule #3: My router will need to enable IOT connections outside my house, so it will provide a simple way with perfect forward secrecy to enable my phone to authenticate and communicate from away from home.
Rule #4: My router is an IOT, so all rules below also apply.
Rule #5: My IOT is an endpoint, not a router, and does not respond to anything that attempts to make it into a router.
Rule #6: My IOT firmware is fixed unless someone presses a button and is using the local, hardwired LAN port on an authenticated connection.
Rule #7: My IOT settings are fixed and my IOT does not accept inbound connections without an authenticated connection. A true random password on the label is sufficient.
Rule #8: All password attempts are rate limited and take 2.9 to 3.2 seconds each, randomly. [Tries to minimize data leakage; knows his solution isn't perfect]
And a few more I have missed...in my flameproof, silver lamé tinfoil hat!
If we want to make this happen, we'll nerd a little bit and see some really good graphical UIs demo'd on common hardware that everyone can get behind and copy. My *mother* needs to understand the UI, as does my congresscritter if he's so inclined.
Building user interfaces for the computer OWNER is the new research frontier. It's 80% of the computer security problem.
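Rules #7 and #8 from the comment above, worked through as an added example (my code, not the commenter's and not from the article): a per-device label password drawn from the OS CSPRNG, a constant-time check against a PBKDF2 hash, a per-source failure window, and the commenter's randomised 2.9 to 3.2 second response pad applied to every outcome. The PBKDF2 choice, the failure window and the injectable clock/sleep hooks are my assumptions, added so the delay behaviour can be exercised without actually waiting.

```python
"""Added example: rate-limited, timing-padded password gate for an IoT device.

Assumptions (mine, not the page's): PBKDF2-HMAC-SHA256 for the stored label
password, a 5-failures-per-60-seconds lockout per source, and clock/sleep
hooks that tests can replace so the 2.9-3.2 s pad does not block.
"""
import hashlib
import hmac
import secrets
import time

# Constructed policy values; only the 2.9-3.2 s figure comes from the comment.
MIN_DELAY = 2.9          # seconds, lower bound of the randomised response pad
MAX_DELAY = 3.2          # seconds, upper bound of the pad
MAX_FAILURES = 5         # failed attempts per source before lockout
WINDOW_SECONDS = 60.0    # how long a failure counts against a source
PBKDF2_ROUNDS = 100_000

# Unambiguous alphabet (no 0/O, 1/l/I) so the label on the device is readable.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"


def generate_label_password(length: int = 16) -> str:
    """Rule #7: a true random per-device password, generated with the OS CSPRNG."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


class AuthGate:
    """Password check whose service time does not depend on the outcome."""

    def __init__(self, password: str, clock=time.monotonic, sleep=time.sleep):
        self.salt = secrets.token_bytes(16)
        self.stored = self._derive(password)
        self.clock = clock            # monotonic time source (injectable for tests)
        self.sleep = sleep            # blocking delay (injectable for tests)
        self.rng = secrets.SystemRandom()
        self.failures = {}            # source -> list of failure timestamps

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, PBKDF2_ROUNDS)

    def attempt(self, source: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'rate_limited' for one attempt.

        Rule #8: every outcome is padded to the same randomised 2.9-3.2 s, so a
        caller cannot tell lockout from a wrong guess by timing, and the pad
        itself caps guessing at roughly twenty attempts per minute per session.
        """
        start = self.clock()
        recent = [t for t in self.failures.get(source, [])
                  if start - t < WINDOW_SECONDS]
        self.failures[source] = recent

        if len(recent) >= MAX_FAILURES:
            outcome = "rate_limited"      # password is not even derived here
        elif hmac.compare_digest(self._derive(password), self.stored):
            outcome = "ok"
            self.failures.pop(source, None)
        else:
            outcome = "bad_password"
            recent.append(start)

        # Pad total service time to a random point in [MIN_DELAY, MAX_DELAY];
        # the PBKDF2 cost (well under a second) is hidden inside the pad.
        target = self.rng.uniform(MIN_DELAY, MAX_DELAY)
        elapsed = self.clock() - start
        if elapsed < target:
            self.sleep(target - elapsed)
        return outcome
```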
Re: Re: Actually, you know, there's a lot of regulations that work
There is a point where the carrier's responsibility ends, and where citizens' civil rights begin. The most conservative demarcation point to split the two is between OSI layer 3 and OSI layer 4.
What needs to happen is TCP and UDP need to be replaced universally with an open protocol stack that conceals service type, and transmits using public key crypto by default. Then the whole DNS system needs to be replaced with a peer to peer block chained resource registry system, that runs at layer 4, instead of at layer 7 where DNS currently is today.
Most of the problem stems from the assumption that the OSI model was correct. It wasn't. Layers 4 and 5 are transposed. The reason we can say that, is that the first piece of meta data that isn't required for delivery, exists at layer 4.
This meta data (port numbers, sequence numbers, window size etc.) requires no evaluation by the carrier in order to complete delivery. And therefore evaluation of it by carriers constitutes an unnecessary intrusion into the citizens communications. Yet carriers evaluate, log, and modify in transit, this part of consumer communications regularly.
If we consider crypto as a session layer function (layer 5) then we can say that transposing layer 4 and 5, solves that problem. All meta data other than that required for delivery would be encrypted and concealed from the carrier. Which it should be. But more importantly it makes the need for defining legal regulations obsolete, since the technical demarcation point (between carrier delivery requirement and citizen civil rights), would preclude regulatory demarcation points. The digital implementation, would be in direct conformance with Constitutional principles.
The problem isn't with the software. And really it isn't even with the fundamental protocols that make up the Internet. (though that is what must be re-engineered) The problem is that the technology conceals the actual disposition of interpersonal communications, from reasoned debate. People feel enamored or threatened by the technology, and it blurs their focus.
This isn't a technical problem that needs to be solved legally. It is a legal problem that needs to be solved technically. We cannot expect to always act honorably. We can only engineer a network that compels us to do nothing else. In that way our challenge as network engineers is very similar to the legal challenge debated by a bunch of terrorists in Philadelphia, in 1776.