New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices
from the come-together,-right-now dept
As we've pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your Gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.
Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to reach critical infrastructure systems. But Schneier has also done a good job of noting how nobody in the production or consumption cycle has any incentive to take responsibility for what's happening:
"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
There's no quick fix for this problem. And as Schneier notes it's going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.
Consumer Reports has been one of the few organizations to try to tackle this problem, with plans to incorporate some open source security and privacy testing standards into its product reviews, and to name and shame companies that turn a blind eye to the issue. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was in its early stages and requires public and expert assistance.
This week these groups shared a little more detail on the new effort, which they claim is a first step toward restoring some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:
"We are focused on ensuring the Standard’s maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved."
The emerging standard would incorporate 35 different security and privacy test criteria into product reviews, with a heavy emphasis on the obvious need for quality encryption, non-default usernames and passwords, transparency as to what data is collected and who it's being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.
Traditionally, IOT companies have disregarded these issues in both their business models and product design, creating Schneier's unaccountable "invisible pollution" (for example, when your cheap Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDoS attacks without your knowledge or consent). Convincing companies (especially when they're overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn't been easy.
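The "non-default usernames and passwords" criterion above is the one a practitioner can check on their own gear today, and it is exactly the weakness that let the camera botnets described here take over devices minutes after they went online. The script below is an added illustration, not code from the Techdirt article, Consumer Reports, or The Digital Standard's own test procedures. Its credential list is a constructed sample of the kind of factory pairs botnets try, and both "cameras" are simulated in-process so the example runs offline; to audit a real device you would replace `try_login` with a routine that speaks to its web or telnet interface.

```python
"""Audit a device login against well-known IoT default credentials.

Added example, not part of the Techdirt post or The Digital Standard.
The credential list and both simulated "cameras" are constructed for
illustration; swap in a real login routine to audit your own devices.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample of factory credential pairs of the kind IoT botnets
# spray at newly connected devices. Illustrative only, not a complete list.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", ""),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
]

LoginFn = Callable[[str, str], bool]  # (username, password) -> accepted?


@dataclass
class AuditResult:
    accepted: list = field(default_factory=list)  # pairs the device let in
    attempts: int = 0

    @property
    def passes(self) -> bool:
        """A device passes only if no default pair was accepted."""
        return not self.accepted


def audit_default_credentials(try_login: LoginFn,
                              candidates=DEFAULT_CREDENTIALS) -> AuditResult:
    """Try every candidate pair and record the ones the device accepts."""
    result = AuditResult()
    for user, password in candidates:
        result.attempts += 1
        if try_login(user, password):
            result.accepted.append((user, password))
    return result


def insecure_camera() -> LoginFn:
    """Simulated cheap camera: one shared factory login, no lockout."""
    creds = {"admin": "admin"}
    return lambda user, password: creds.get(user) == password


def hardened_camera() -> tuple[LoginFn, str]:
    """Simulated hardened camera: a per-unit random password generated at
    manufacture (the kind printed on the device label), plus a lockout
    after 5 consecutive failures so credential spraying stalls."""
    password = secrets.token_urlsafe(12)
    state = {"failures": 0}

    def try_login(user: str, candidate: str) -> bool:
        if state["failures"] >= 5:  # locked: refuse everything
            return False
        ok = user == "admin" and hmac.compare_digest(
            candidate.encode(), password.encode())
        state["failures"] = 0 if ok else state["failures"] + 1
        return ok

    return try_login, password


if __name__ == "__main__":
    bad = audit_default_credentials(insecure_camera())
    print("insecure camera passes:", bad.passes, "accepted:", bad.accepted)
    login, _label_password = hardened_camera()
    good = audit_default_credentials(login)
    print("hardened camera passes:", good.passes, "after", good.attempts, "attempts")
```

The hardened simulation also shows the trade-off such a lockout carries: after the audit's six failed attempts the camera refuses even its own label password, which is why real devices tend to use a time-based backoff rather than a permanent lock, so an attacker cannot deny the owner access simply by guessing wrong a few times.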
As such, New America's Open Technology Institute (OTI) tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that the Ponemon Institute has estimated that the average data breach in 2017 cost "responsible" businesses $3.5 million. Not to mention the costs of downtime from massive DDoS attacks like the one that targeted Dyn in 2016, or the costs of having to deal with regulatory action because of the lack of common security sense we've seen applied to everything from smart TVs to in-car infotainment systems.
Still, the temptation to disregard security and privacy and just move on to marketing the next IOT product in the pipeline is a siren song that will be hard to resist (especially for overseas Chinese vendors), and it's going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.
Filed Under: iot, open standards, security
Reader Comments
but will this even make much of a difference?
The problem is that the vast majority of people don't care one bit about security, and tend to brand anyone who does as some kind of paranoid conspiracy kook. That's just about as true today as it was 25 years ago, when the few people who taught themselves how to use PGP discovered it was a complete waste of time because everyone else they ever knew with an email address thought PGP was too silly to bother with.
Hopefully this new OTI standard will not just be taken seriously, but will be widely if not universally adopted. But based on the history of internet security (non)adoptions, that's likely to be another pipe dream.
The next step is marketing
The next step would be to show the importance of the evaluations by third party tech organizations. Consumer Reports is a good start, but since it is paywalled it should not be the only source of such information. Getting consumers to value ratings by such organizations, and getting those ratings to be freely available to consumers is very, very important. Once consumers begin to value those ratings, they will become important to the manufacturers.
Like driverless vehicles. The cheerleaders for these like to pretend that they're exempt from the dumpster fire, but in fact they may be the worst part of it.
Last week's Uber incident was only the beginning.
Three Layers of Fictionalization
Dear Boss:
Last night, when Nunzio and I were finishing up the special task you sent us on, a movie idea came to my head. On my off time, I jotted down a script and thought, y'know, this ain't half bad. So I send it to you, hoping one of your studio lots might make use of it. Let me know.
Regards,
Joe.
--- SCRIPT FOLLOWS ---
SETTING: Classy office in a publishing company. BURTON is behind the desk looking at a manuscript. DANIELS the author is in front of the desk nervously sitting in a chair.
DANIELS: This is, of course, an early draft. I can change names, circumstances. Whatever you need.
BURTON: The premise sounds a bit wonky. Let's take a look.
(Voice over as Burton reads the story.)
Little Sue was all good and tucked into bed. "Daddy, I'm ready for bed. Is it story time?"
Daddy sat down at the side of the bed. "It sure is, pumpkin. Do you want to hear a particular story?"
Sue giggled. "Surprise me," she said.
Daddy began. "Long ago there were two princesses, Avril and Clara, who spent their days in the royal garden laughing and playing. One day while running through the daffodil thickets, Clara tripped and fell into the fountain. She got her clothes all wet and had to take them all off..."
Sue's little face soured. "You told me that one yesterday," she said.
"Whoops!" Daddy said. "Okay, let me start again." He breathed. "Once upon a time there was a land where devices were connected to the internet. It was really nifty, because someone could take pictures remotely, or adjust their thermostat before they got home, or check their email on their refrigerator as they were getting breakfast. Only these devices were not built with locks, so mischievous little boys could find them on the internet and repurpose them to obey a supreme master computer. With enough devices they could force large portions of the internet to malfunction, in what was called a Distributed Denial of Service attack, or DDoS.
Only the camera owners didn't care, because the cameras still worked. And the camera makers didn't care, because it wasn't making their customers unhappy. So a man in a hat came up with an idea: let's make our own botnet out of all these devices and DDoS the camera manufacturers. That way it WILL be their problem."
Sue asked, "But wouldn't that be highly illegal, and in violation of the CFAA? He'd go to jail for that longer than he would for murder or child endangerment."
"Desperate times call for desperate measures, my sweet." Daddy replied.
BURTON: Is this a story of a father corrupting his own daughter?
DANIELS: (Nods) It's a slow burn. Something of objective horror fiction with a sci-fi twist.
BURTON: (shakes his head) I don't think we have an audience for it. But let me give you a phone number.
I couldn't figure out from the PDF linked to in the article text above what the context of this was. Here's the blog post announcing the PDF:
https://www.newamerica.org/oti/blog/raising-standard/ (March 23)
The only new detail shed is that they're starting a promotional effort for The Digital Standard. Which is good!
The Dutch police
The Dutch police have brought down the world's biggest DDoS-for-hire service, which helped international cybercriminals launch over 4 million attacks, and arrested its administrators yesterday. An operation led by the UK's National Crime Agency (NCA) and the Dutch Police, dubbed "Power Off," with the assistance of Europol and a dozen other law enforcement agencies, resulted in the arrest of 6 members of the group behind the "webstresser.org" website in Scotland, Croatia, Canada and Serbia on Tuesday.