New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices

from the come-together,-right-now dept

As we've pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your Gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what's happening:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

There's no quick fix for this problem. And as Schneier notes, it's going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.

Consumer Reports has been one of the few organizations to try and tackle this problem with plans to incorporate some open source security and privacy testing standards into its product reviews, to name and shame companies that turn a blind eye to this problem. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was early and requires public and expert assistance.

This week these groups shed a little more detail on the new effort, which they claim is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:

"We are focused on ensuring the Standard’s maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved."

The emerging standard would incorporate 35 different security and privacy testing standards into product reviews, with a heavy emphasis on the obvious need for quality encryption, non-default usernames and passwords, transparency as to what data is collected and who it's being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.

Traditionally, IOT companies have disregarded these issues in both their business models and product design, creating Schneier's unaccountable "invisible pollution" (for example when your cheap ass Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDOS attacks without your knowledge or consent). Convincing companies (especially when they're overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn't been easy.

As such, the OTI tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that firms like the Ponemon Institute have estimated that the average data breach in 2017 cost "responsible" businesses $3.5 million. Not to mention the costs of downtime from massive DDOS attacks like the one that targeted Dyn last year, or the costs of having to deal with regulatory action because of the lack of common security sense we've seen applied to everything from smart TVs to in-car infotainment systems.

Still, the temptation to disregard security and privacy and just move on to marketing the next IOT product in the pipeline is a siren song that will be hard to compensate for (especially for overseas Chinese vendors), and it's going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.

Filed Under: iot, open standards, security


Reader Comments

  • Anonymous Coward, 26 Mar 2018 @ 8:59pm

    but will this even make much of a difference?

    Back in the early days of the Internet, there were more than a few activists loudly complaining that the vast majority of email servers were doing unencrypted plain text logins. A decade later, the situation had barely improved, despite the fact that all the tools needed to fix the problem had been available for many years.

    The problem is that the vast majority of people don't care one bit about security, and tend to brand anyone who does as some kind of paranoid conspiracy kook. That's just about as true today as it was 25 years ago, when the few people who taught themselves how to use PGP discovered it was a complete waste of time because everyone else they ever knew with an email address thought PGP was too silly to bother with.

    Hopefully this new OTI standard will not just be taken seriously, but will be widely if not universally adopted. But based on the history of internet security (non)adoptions, that's likely to be another pipe dream.

    • Anonymous Coward, 26 Mar 2018 @ 10:09pm

      Re: but will this even make much of a difference?

      The sad thing is this has led to a situation where it can be hard for those of us who care about security to avoid becoming so paranoid we don't get anything done.

  • Anonymous Coward, 26 Mar 2018 @ 9:55pm

    People don't care. I know very few who even understand the stakes. I am derided at every corner for adhering to, admittedly, modest security practices.

  • DNY, 27 Mar 2018 @ 5:34am

    The problem in a nutshell

    When the assertion, "I think my refrigerator is spying on me," represents a sound, rationally held belief, rather than evidence of paranoid schizophrenia, something is definitely wrong.

  • Anonymous Coward, 27 Mar 2018 @ 7:15am

    Maybe that microwave really was spying on Donald

  • Anonymous Anonymous Coward, 27 Mar 2018 @ 8:03am

    The next step is marketing

    The way I see it is that this is a good start. There may be other things that need to be added to the standard, as we grow and learn and new vulnerabilities are discovered. But much more important is adoption. This comes in two parts, the first is getting consumers to know about and understand the issues created by the lack of security and privacy in IoT devices. This could become a reality by getting more mainstream press to cover the story, and that might be accomplished by exposing some of the more popular devices, and what that lack of security and privacy might mean to the average, or less than average, users.

    The next step would be to show the importance of the evaluations by third party tech organizations. Consumer Reports is a good start, but since it is paywalled it should not be the only source of such information. Getting consumers to value ratings by such organizations, and getting those ratings to be freely available to consumers is very, very important. Once consumers begin to value those ratings, they will become important to the manufacturers.

  • Rich Kulawiec, 27 Mar 2018 @ 8:52am

    "Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to impact integral infrastructure systems."

    Like driverless vehicles. The cheerleaders for these like to pretend that they're exempt from the dumpster fire, but in fact they may be the worst part of it.

    Last week's Uber incident was only the beginning.

    • Ninja, 27 Mar 2018 @ 9:52am

      Re:

      Hmm, as far as I could understand the incident was caused by lousy programming, not because of some hacking. While I agree with you that it is something to worry about, driverless cars will be subjected to much more scrutiny and regulations than your standard camera or DVR exactly because it's much easier to see the problem. DDoS attacks are an abstract, possibly alien concept to most of the population.

  • Ninja, 27 Mar 2018 @ 10:10am

    Maybe we should start harnessing the power of the compromised IoT and start using them to attack companies that build them, people who use them and other critical infrastructure randomly and in a sustained way just to cause as much damage as possible and force this discussion to be had and solutions to be implemented.

    • Michael, 27 Mar 2018 @ 10:38am

      Re:

      I'm pretty sure that is the Department of Homeland Security at your door.

      • Ninja, 27 Mar 2018 @ 12:58pm

        Re: Re:

        That would be a very long shot! Over 8000 km actually. But I don't have to do it. I'm sure ill-intended people all around will eventually pull something destructive enough to force people to address the IoT mess.

      • Uriel-238, 27 Mar 2018 @ 12:59pm

        Three Layers of Fictionalization

        Dear Boss:

        Last night, when Nunzio and I were finishing up the special task you sent us on, a movie idea came to my head. On my off time, I jotted down a script and thought, y'know, this ain't half bad. So I send it to you, hoping one of your studio lots might make use of it. Let me know.

        Regards,

        Joe.

        --- SCRIPT FOLLOWS ---

        SETTING: Classy office in a publishing company. BURTON is behind the desk looking at a manuscript. DANIELS the author is in front of the desk nervously sitting in a chair.

        DANIELS: This is, of course, an early draft. I can change names, circumstances. Whatever you need.

        BURTON: The premise sounds a bit wonky. Let's take a look.

        (Voice over as Burton reads the story.)

        Little Sue was all good and tucked into bed. "Daddy, I'm ready for bed. Is it story time?"

        Daddy sat down at the side of the bed "It sure is, pumpkin. Do you want to hear a particular story?"

        Sue giggled. "Surprise me," she said.

        Daddy began "Long ago there were two princesses Avril and Clara who spent their days in the royal garden laughing and playing. One day while running through the daffodil thickets, Clara tripped and fell into the fountain. She got her clothes all wet and had to take them all off..."

        Sue's little face soured. "You told me that one, yesterday." she said.

        "Whoops!" Daddy said. "Okay, let me start again." He breathed. "Once upon a time there was a land where devices were connected to the internet. It was really nifty, because someone could take pictures remotely, or adjust their thermostat before they got home, or check their email on their refrigerator as they were getting breakfast. Only these devices were not built with locks, so mischievous little boys could find them on the internet and repurpose them to obey a supreme master computer. With enough devices they could force large portions of the internet to malfunction, in what was called a Distributed Denial of Service attack, or DDOS.

        Only the camera owners didn't care, because the cameras still worked. And the camera makers didn't care, because it wasn't making their customers unhappy. So a man in a hat came up with an idea: Let's make our own botnet out of all these devices and DDOS the camera manufacturers. That way it WILL be their problem.

        Sue asked "But wouldn't that be highly illegal, and in violation of the CFAA? He'd go to jail for that longer than he would for murder or child endangerment."

        "Desperate times call for desperate measures, my sweet." Daddy replied.

        BURTON: Is this a story of a father corrupting his own daughter?

        DANIELS: (Nods) It's a slow burn. Something of objective horror fiction with a sci-fi twist.

        BURTON: (shakes his head) I don't think we have an audience for it. But let me give you a phone number.

  • Mike Linksvayer, 27 Mar 2018 @ 2:55pm

    This week these groups shed a little more detail on the new effort, which it claims is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word.

    I couldn't figure out from the PDF linked to in the article text above what the context of this was. Here's the blog post announcing the PDF:

    https://www.newamerica.org/oti/blog/raising-standard/ (March 23)

    The only new detail shed is that they're starting a promotional effort for The Digital Standard. Which is good!

  • Anonymous Coward, 27 Mar 2018 @ 3:28pm

    Open source? If it's not free(dom) software, it will never work.

  • Anonymous Coward, 28 Mar 2018 @ 1:40am

    Wow. Bruce Schneier seems to think his words are so magic that care itself will go away simply because he said "no one cares". Of course, he and like minded ilk (those who hang on his every word, as "if" he were an expert, even though he became irrelevant years ago, when most know the only reason he is still referred to one is because he a jew in the industry, and this being true regardless of how you feel about that statement), like Steven Gibson are so out of touch with what is actually going on in the industry they barely can make heads or tails of their own reports at their highly advanced ages. They do not know the mindset of anyone else, they only know what is conducive to apathy and that is what they spout because that is their want. Plenty of people cared, and still do, while they lie through their teeth.

  • Steven Raker, 25 Apr 2018 @ 10:40pm

    The Dutch police

    The Dutch police have brought down the world’s biggest DDoS-for-hire service that improved international cybercriminals launch over 4 million attacks and arrested its administrators yesterday help with Dutch Police. An administration led by the UK’s National Crime Agency (NCA) and the Dutch Police, dubbed “Power Off,” with the assistance of Europol and a dozen different law enforcing agencies, issued in the arrest of 6 members of the group behind the “webstresser.org” website in Scotland, Croatia, Canada and Serbia on Tuesday.
