US Senators Unveil Their Attempt To Secure The Internet Of Very Broken Things
from the good-luck-with-that dept
Over the last few years we've documented in painstaking detail how the lack of any real security and privacy standards in "internet of things" devices is leading us down a path to some serious trouble. That shouldn't be particularly surprising if you've paid attention to how your refrigerator can now leak your Gmail credentials, your "smart" thermostat is now vulnerable to ransomware attacks, your smart car could be hacked in order to kill you, your power outlets can be hacked and used to launch DDoS attacks, or how your vibrator is now busy collecting data on your daily behavior.
There's one root cause: companies that prioritized making a quick buck over implementing anything resembling sane security or privacy standards.
And despite this dysfunction now being the butt of endless jokes, things really haven't changed all that much, since actually giving a damn about the problem would erode profit margins for WiFi-enabled widget makers. The end result is the daily introduction of millions of new attack vectors for both homes and businesses on a global scale. As such, there are more than a few security experts who, no hyperbole intended, believe it's inevitable that this problem will impact core infrastructure, leading to significant human casualties.
Given this is a global problem, and many of these companies are Chinese, legislating the problem away via U.S. law is likely going to be a steep uphill climb. That doesn't seem to concern Congress, which this week introduced a new bill they hope will help secure the internet of very broken things:
"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon."
While IoT legislation may be well-intentioned, many of these devices (like the security cameras and DVRs that contributed to the historically massive DDoS attack on Dyn last year) are made in China, where manufacturers will laugh off foreign legislative band-aids. And while there are very legitimate concerns that legislation crafted by a Luddite Congress could stifle innovation and experimentation in the space, this particular proposal does at least apply some standards to the IoT devices purchased and used by the federal government, injecting at least a layer of sanity and reflection into the rapid expansion of poorly-secured IoT devices.
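The "unchangeable password" clause in the bill targets a specific, very common firmware pattern: one login compiled into every unit, with no way for the owner to change it. The following is an added example (not code from the article, the bill, or any vendor) showing that pattern beside a hardened alternative: a per-unit initial credential stored only as a salted hash, with the device refusing every other operation until the factory credential has been replaced. The class and function names are illustrative.

```python
"""Added example (not from the article or the bill text): the pattern the bill's
"unchangeable password" clause targets, next to a hardened version."""
import hashlib
import hmac
import os
import secrets


class VulnerableLogin:
    """The pattern to avoid: one constant password baked into every unit."""
    FACTORY_USER = "admin"       # identical on every unit shipped
    FACTORY_PASS = "admin"       # no setter exists, so it can never be changed

    def authenticate(self, user: str, password: str) -> bool:
        # plaintext comparison against a constant anyone can read out of the image
        return user == self.FACTORY_USER and password == self.FACTORY_PASS


class HardenedLogin:
    """Per-device credential, hashed at rest, forced rotation on first use."""

    def __init__(self, initial_password: str):
        # initial_password is unique per unit (e.g. printed on the label); it is
        # never stored in the clear, only as a salted PBKDF2 hash.
        self._salt = os.urandom(16)
        self._hash = self._derive(initial_password, self._salt)
        self.must_change = True     # refuse other operations until rotated

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, password: str) -> bool:
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)   # constant-time compare

    def change_password(self, current: str, new: str) -> bool:
        if not self.authenticate(current):
            return False
        if len(new) < 12 or new == current:
            return False                    # reject trivially weak rotations
        self._salt = os.urandom(16)         # fresh salt for the new secret
        self._hash = self._derive(new, self._salt)
        self.must_change = False
        return True

    def authorize(self, password: str, operation: str) -> bool:
        """Only 'change_password' is permitted until the factory credential is replaced."""
        if not self.authenticate(password):
            return False
        if self.must_change and operation != "change_password":
            return False
        return True


def factory_password() -> str:
    """Generate the per-unit initial credential at manufacturing time."""
    return secrets.token_urlsafe(12)
```

The two properties that matter for the bill's clause are in `HardenedLogin`: the secret differs per unit (so a leaked firmware image yields nothing), and `must_change` makes the forced rotation a hard gate rather than a nag screen.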
Security researcher Brian Krebs highlights another good part of the bill, namely the portion that expands legal protections for security researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws:
"Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers. Perhaps the most infamous example of prosecutorial overreach under the CFAA comes in Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals."
All of that said, the legislation isn't going to do enough to prevent major, looming problems. Between 20 billion and 30 billion IoT devices are expected to be connected to the internet by 2020 worldwide. And as Bruce Schneier has noted on occasion, the origins of this market failure begin with an apathetic cycle of dysfunction between both hardware vendors and consumers, something that the market alone has shown it's not capable of -- or seriously interested in -- fixing:
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
So while this law may be a start, it's going to take a lot more than U.S.-specific legislation to fix this particular market failure, assuming such laws don't actually manage to make the problem worse. Smart networks, smarter engineers, better routers, better code, and better communications between companies, governments, activists, and other stakeholders are all essential to get ahead of this particular threat. Fixing the internet of broken things requires a massive, overarching, holistic effort, one that doesn't exist yet, and unfortunately isn't likely to gain serious momentum until after the internet of broken things check comes due.
Filed Under: cfaa, congress, iot, mandates, researchers, security
Congress - pushed to allow ISPs to sell your data
Congress - pushed toy makers to protect kids data
Congress - this will stop the cyber, despite it being pointless
The left hand and the right hand don't seem to know what they are doing until they meet in the pocket of the lobbyist, then fight over who gets to masturbate him faster.
Public - uninformed, don't care, sound bites mean it's fixed, right?
PSA
/s
Hmm - let's solve those problems... in the law.
Conform to industry security standards: No standard - check!
No unchangeable password: No password at all - check!
Don't possess known security vulnerabilities: Don't require code from contractor writing the software - check!
Well, we obey the new law to all extents!
Always Seek a Government Solution
...always amusing how leftists see 'government' laws & coercion as the solution to almost any problem
quite a bit of hedging and evasion in the above discussion, but pretty clear what the political outlook is
U.S. Senators and Congress are totally incompetent and dysfunctional -- they cannot even perform their most basic functions, like enacting an annual budget.
Congress screws up everything it touches.
The IoT problem will ultimately be solved by private individuals and organizations in voluntary cooperation (i.e., the "Market")
{...which government agency built the computers and software that we all are currently viewing this blog with ??}
Re: Always Seek a Government Solution
Did you read the article? There is no market incentive for the makers of these devices to make them more secure, because the security vulnerabilities have no adverse effects on the sellers or the buyers.
I'm currently using a Dell, but the ARPAnet was created by the Department of Defense and the infrastructure I'm using to access it, while privately owned, was funded with government subsidies.
Re: Re: Seek a Government Solution
Which senator or federal bureaucrat now ensures that your PC and business computers are secure ? Obviously, consumers & computer companies care absolutely nothing about security... and buy/sell only the cheapest crap they can get away with. Therefore, only people with government job titles are pure enough & wise enough to selflessly solve the IoT security issues.
Re: Re: Re: Seek a Government Solution
Not really their job now is it?
"Obviously, consumers & computer companies care absolutely nothing about security"
Some of them - obviously
"Therefore, only people with government job titles are pure enough & wise enough to selflessly solve the IoT security issues."
The pretzel logic is strong with this one.
Re: Always Seek a Government Solution -- really?
You are complaining,(or was that fiddling while rome is burning?), not offering a solution. So here's my proposal:
Basic IOT security is part of FCC certification, just like Radio Frequency Interference is now. As for a standard, it is this: There *must* be an "update settings" button, and settings shall not be updatable unless that button is pressed. Firmware shall not be updateable unless the button is held down for a few seconds.
And here is one counterargument for the "smart" network where the origin of packets is not spoofable and it is to be determined that the target of a packet desires the packets in some sense to be defined...what about the FCC website the night John Oliver did his thing on net neutrality? How *would* such a system respond correctly?
Re: Re: Re: Always Seek a Government Solution -- really?
(Not that we don't have ANOTHER article today about how the FCC is broken with respect to net neutrality!)
Re: Re: Always Seek a Government Solution -- really?
There are a lot of reasons why requiring a hardware button to be pressed in order to update a device is a bad idea. First and foremost, if security updates aren't automatic, then users don't run them. Second, these are devices that are supposed to be remotely controllable; if I'm out of town and there's a security patch for my home security system, why shouldn't I be able to run that patch remotely?
We definitely need to improve IoT security, but making it more difficult to install updates will make that problem worse, not better.
Re: Re: Re: Always Seek a Government Solution -- really?
Allow them to be triggered only via a session on the local network, and you can use your own remote session to a machine on your network to carry out updates, protected by being a VPN or similar secure connection into your network.
As ever convenience is the enemy of real security.
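The design in the comment above (firmware and settings changes honoured only when the request arrives from the device's own LAN, with a VPN into that LAN as the remote path) comes down to one decision on the management endpoint. The following is an added example, not code from the thread; the subnets are constructed for illustration. It shows the one detail that makes or breaks such a gate: only the socket-level peer address is consulted, never a header the client can set.

```python
"""Added example (not from the thread): an update trigger honoured only when the
request comes from the device's own LAN or an explicitly configured VPN subnet."""
import ipaddress
from typing import Iterable, Optional

# Constructed for the example: the LAN the device sits on plus a VPN pool that
# the owner terminates on a box inside that LAN. Any other address, including
# RFC1918 ranges the device is not actually attached to, is treated as remote.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),     # the device's LAN
    ipaddress.ip_network("10.8.0.0/24"),        # owner's VPN address pool
]


def is_local_peer(peer_ip: str, networks: Iterable = LOCAL_NETWORKS) -> bool:
    """True if the TCP peer address lies inside one of the trusted networks.

    Only the socket-level peer address counts. X-Forwarded-For, Host and
    similar headers are attacker-controlled and must not be consulted.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                        # malformed input is never "local"
    return any(addr in net for net in networks)


def handle_update_request(peer_ip: str, action: str,
                          forwarded_for: Optional[str] = None) -> str:
    """Decide what to do with an incoming management request.

    Returns "apply", "check-only" or "denied":
      - firmware or settings changes: only from a local peer
      - a read-only "is an update available?" check: allowed from anywhere,
        since it changes nothing on the device
    """
    # forwarded_for is accepted only so the test can show that a spoofed header
    # does not promote a remote peer to local; it is deliberately ignored.
    del forwarded_for
    if action == "check":
        return "check-only"
    if action in ("apply_firmware", "change_settings") and is_local_peer(peer_ip):
        return "apply"
    return "denied"
```

This gate only governs inbound triggers. A device that fetches and verifies signed updates on its own outbound schedule is a separate channel and is unaffected by it, which is the usual way to reconcile this design with the objection raised earlier in the thread about automatic updates.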
They have not been able to do much of anything lately, what has changed?
Fuck "smart networks"
If the network wants to protect its own resources by not allowing huge traffic floods, especially without some indication that the recipient actually wants the data, that's good. If the network wants to start guaranteeing that the source address on a packet bears some relation to where that packet came from, that's also good.
But oddly enough the people pushing "smart networks" don't want to make networks smart when it comes to dealing with their own internal functions, because that's actually hard. Nobody wants to actually redo the routing infrastructure.
Instead, what they want to do is to spy on traffic, filter it, "collect intelligence" from it, and sometimes react to it... including with things that you could reasonably call security attacks. In the process they'll introduce a bunch of complexity and create gridlock by making everything depend on everything else. And they'll further blur the lines about what you're allowed to do to somebody else's traffic. Those are actively bad for security.
Not to mention the number of things they'll simply break, because it's crazy hard to look at the traffic between two other parties and intuit what they're actually doing.
They'll also create the machinery for an Internet police state. I'm not saying there's any kind of conspiracy to do that. I'm saying that that's what the technology is actually good for, regardless of anybody's current intentions.
Anybody who suggests "smart networks" as a solution for any kind of privacy problem needs their head examined.
If some piece of shit endpoint misbehaves, then other endpoints need to protect themselves, and the network needs to stay out of it.
They aren't trying to legislate China
Note that the legislation is not telling China (or anyone else, really) to do anything. What it is saying is that if you want to sell something to the government (mostly read as: DOD) you need to meet the specs. It becomes cheaper for the vendors to do it that way than have two different product lines (usually; some have milspec vs commercial for their products). If they do it right (and my opinion of Wyden is that he'll try) then most IoT products will eventually conform: a worthy goal.
Re: They aren't trying to legislate China
No need for due diligence guys, if you screw up and get hacked you can blame the guy you bought it from.
Re: Re: They aren't trying to legislate China
That's...an interesting take on product liability. You seem to be suggesting that if a vendor sells me an unsafe product, it's my fault for buying it?
Re: Re: They aren't trying to legislate China
I don't think so. It means that when the government puts out a bid request for 10,000 web cams it would now insist those web cams meet the requirements defined by this bill (and others).
No vendor is going to make two versions of a product so that they can sell some of them to the government and the rest to the sheeple; they'll invest in the minimum effort to make the web cams compliant and everyone wins.
Of course "win" only works if the requirements are reasonable and with req's coming from the government one never knows.
That apparently doesn't seem to concern Congress, which this week introduced a new bill they hope will help secure the internet of very broken things
This, coming from the same Congress which is halfway to outlawing internet security in its entirety. Color me skeptical.
UL certification
Most likely UL would have to set up a new division/department for that, as well as write new standards, but writing standards is what they do. I don't see why it would be a problem to require all devices that connect to the internet to have UL certified software. Certainly for government tenders that would be just a matter of writing it in the specs.
It could slow down innovation a bit because it'll probably take some months to get the approval but seeing the danger here it could be a possible trade-off.
I think it would also be a benefit to have a big knowledge base in one place about how to secure IoT devices. Well meaning companies could use this knowledge to produce safe devices. Yes I know, well meaning companies are rare/unicorns but still...
An idea
I have suggested this idea before online numerous times. It specifically addresses this . . .
Make the MANUFACTURER of the broken IoT device liable for all actual damages caused by their IoT device getting hacked. Including third party damages, like DDOS and ransomware. And by liable, I mean, make it EASY to recover those damages from the manufacturer.
I am specifically NOT proposing any kind of government design standards. Or testing. Or certification. Or registration. Merely putting the costs where they belong, instead of upon the customers who buy broken IoT, or worse, on third parties who had no involvement with the broken IoT devices.
Here is how this fixes the broken perverse incentives that currently exist. Presently, the manufacturer is incentivized to spend nothing on security. To ignore it. Keep the retail price as low as possible. Would my idea cause the cost of IoT devices to rise? Probably. And this is as it should be. Put the costs where they belong instead of on innocent third parties getting DDOSed or ransomwared.
Manufacturers might reconsider whether some devices even should be connected to the clod. Do we really need a clod connected toy teddy bear for children?
This would incentivize manufacturers to cooperate on security. They might get together and build a common secure Linux base upon which to create their various products.
Can devices be made completely secure? Maybe, or maybe not. But we could go WAY further than we do now. If you've ever had to look at PCI compliance in order to do credit card processing, you have a good idea of the enormous additional steps that could be taken. And cooperating would help reduce these costs.
While I am not proposing government testing or certification, nothing would prevent the industry from creating voluntary testing and certification, sort of like the UL tirademark that can only be applied if you have the actual certification. Such certification would give consumers assurance that the device meets some significant safety standards.
At times when I have proposed this idea, I get the argument that startups couldn't bear the risk involved. So what? If they can't, then don't build it. If I buy a $1,200.00 "smart" toaster connected to the clod, I have the same expectation that it won't burn my house down as I would have of a $12 toaster from Target. If a startup can't build it, and certify it with that same assurance of fire safety, then don't build it at all.
Re: An idea
tirademark
This typo is so full of win.
And yeah, this seems reasonable, except maybe to a government which seems to be trying to remove laws and regulations which cover problems with externalities wholesale.
Re: An idea
However, the devil is in the details and the unintended consequences, and, if Prenda Law is any indication (or even Sheriff Larpenter, from today's post above, or the libel suit against Techdirt), legal liability is very broken right now. It distracts everyone involved and takes forever, allowing it to be used as a heckler's veto, and there are folks ready to abuse it even to the point of ransom.
I think there's going to have to be a tax on the devices themselves and a quasi-governmental authority to make it happen. UL isn't it, because in its own ways, it is also broken.
I also think home routers have to be part of the technical solution...my IOT thingy really shouldn't be connecting to the wider internet without additional security.
Finally, I've said this before and I'll say it again: I can't even trust my PC, and THAT is also a problem, in fact, much the same problem. It's just too complicated to actually control and get reasonable bounds on its behavior.
Re: Re: An idea
Definitely, but I'm not even sure where to begin on that. I've spent entire days securing my router, and most people don't share my technical expertise. Balancing simplicity with security is a hard problem, compounded by routers themselves being a common victim of shoddy default security configurations.
Yes and no. There are free/open-source OS's that are fully-featured and easy enough for typical end users. I've just helped my grandfather switch over to Linux Mint; the initial setup wasn't any harder than a clean install of Windows, there's an option for configuring system updates at install time that allows a conservative option for accepting security updates but avoiding feature updates, and I trust the software in the default Mint repos a lot more than I trust what's in the Windows Store, let alone third-party software sources.
It's not perfect, of course; browser vulnerabilities are often multi-platform, distro owners sometimes make very foolish decisions (remember Ubuntu setting its program launcher to send your searches to Amazon by default), and there have been some major vulnerabilities in widely-deployed open-source packages. But it's comparatively easy to install an OS that doesn't pull Windows 10-style shenanigans and serves users' basic needs (web browsing, document editing, e-mail).
Course, there are worse problems below the surface. Virtually all PCs, whether Intel-compatible or ARM-based, have proprietary firmware that owners can't audit or control, and sometimes that firmware has major vulnerabilities. Worse, all modern AMD and Intel processors have coprocessors that are basically black boxes.
This, too, is a hard problem to solve. There are options, but they're not great. You can use an outdated Lenovo computer running Libreboot (tech-savvy users can flash the firmware themselves, less-savvy ones can buy already-flashed machines from third parties at significant markup). Or an old PPC Mac with OpenFirmware. Those are really the only options at the consumer level to get a system that's completely open and auditable, down to the firmware level. (There are other options in the business space, from "buy an old Sparc" to the Talos II, if you've got that kind of money.)
There are other possibilities on the horizon. The EOMA68 Libre Tea Computer Card has some hardware components with proprietary firmware but disables them. The RISC-V is a fully-open processor spec. Whether either of those computer models becomes viable going forward is anybody's guess, but at least there are people working on the problem.
Re: An idea
Make the MANUFACTURER of the broken IoT device liable for all actual damages caused by their IoT device getting hacked.
The only logical outcome of this I can see would be the triumph of completely walled gardens. Device manufacturers, especially the largest ones, wouldn't be able to afford even a few major hacks (Sony, DNC, Yahoo etc.) combined with damages from PC botnets, combined with ransomware and other small viruses. Net income for the largest PC manufacturers is only around ~$5 billion after all, and the yahoo hack had damages of $350 million on its own (based on just the discounted purchase price from Verizon, not any additional damages to its users). The only reasonable solution to keep themselves in business would be to wall off their PCs from connecting to any IP address they haven't explicitly vetted, as even if they had a magically perfectly secured device there are enough stupid people doing stupid things with their computers that it likely wouldn't matter.
On the plus side, net neutrality would no longer be an issue, as the hardware manufacturers themselves would prohibit connections to non-certified addresses. The ISPs will just go to them instead of doing it themselves. Piracy would fall back a few decades as well, without being able to make new connections outside of your manufacturer's little garden.
I don't actually see any problem with any of that.
Let them. Respond with, "OK fine then. You're free to make devices in China that don't meet these basic standards, but they can't be imported into the USA."
Deny them access to their most important market, and they'll stop laughing real fast.