California Eyes Questionable Legislation In Bid To Fix The Internet Of Broken Things
from the broken-stuff dept
If you hadn't noticed, the much-hyped internet of things is comically broken. WiFi connected Barbies that spy on your kids, refrigerators that cough up your Gmail credentials, and "smart" televisions that watch you as often as you watch them are all now the norm. And while this has all been the focus of a lot of humor (like the Internet of shit Twitter feed), security experts have been warning for a while about how introducing millions of security flaws into millions of homes and businesses is, sooner or later, going to come back and bite us all on the ass.
As security analysts like Bruce Schneier have pointed out, few people in this dance of dysfunction really care, so things tend to not improve. Customers often aren't even aware (or don't care) that their device has been compromised and hijacked into a DDOS attacking botnet, and hardware vendors tend to prioritize sales of new devices over securing new (and especially older) gear.
Efforts to regulate the problem away are the option for many. That's what California lawmakers are considering with the recent passage of SB-327, which was introduced in February of last year, passed the California Senate on August 29, and now awaits signing from California Governor Jerry Brown. If signed into law, it would take effect in early 2020, and mandates that "a manufacturer of a connected device shall equip the device with a reasonable security feature or features," while also taking aim at things like default login credentials by requiring devices auto-prompt users to change their usernames and passwords.
But as you might expect, critics of the bill state it's not likely to actually fix the problem, in part because Chinese gearmakers (a major source of the problem) can just ignore the law. Others state California's solution is superficial at best, given that just "adding security features" doesn't really help if the technology is just fundamentally unsecure on the skeletal level:
"It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against."
So if legislation isn't the solution, what is? Some believe transparency is a better bet, as exemplified by the Princeton computer science department's IOT Inspector, which aims to better educate users as to what their devices are actually doing on the internet. Others, like Consumer Reports, have been pushing to include privacy and security issues as standard operating procedure in hardware reviews. Both could go a long way toward making it much clearer as to what kind of product you're actually buying and what it's doing, since many vendors (and their user interfaces) refuse to.
Whatever the solution, it's going to likely require a coordinated response by consumers, hardware vendors, governments, and security professionals alike. While there have been some scattered efforts around the world on this front, as a whole that's generally not yet happening. As folks like Schneier continue to argue, it's likely going to require IOT devices causing massive damage and a potential loss of life (say, via attacks on core infrastructure) before the willpower for such a super-union truly materializes.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: california, iot, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Why buy these things?
[ link to this | view in chronology ]
Re: Why buy these things?
[ link to this | view in chronology ]
Re: Why buy these things?
[ link to this | view in chronology ]
Re: Re: Why buy these things?
[ link to this | view in chronology ]
Re: Re: Re: Why buy these things?
[ link to this | view in chronology ]
This is going to be stupid hard to legislate.
Then some companies are farming their development out to places like the Ukraine and India. If you dont control your source then you have no idea what it really does. I have seen companies that have four engineers that act as managers of a project and then they farm out the rest of their development to Indonesia. Then when there is a problem they start looking locally for a fix.
Like that isnt some deep ass soup to wade through.
[ link to this | view in chronology ]
Re: This is going to be stupid hard to legislate.
Instead of saying (legislating) that IoT devices must be more secure, California could simply implement the "All Things Cause Cancer" concept into a rating system for these units.
For instance, a board/commission/bureau could apply a meaningful set of tests to a device, and develop a rating that would be required to be displayed prominently on boxes at the retail level. Likewise for advertising, both online and off. Failure to display said ratings as required would simply mean "no sales allowed here".
California, like it or not, has more than 10% of the total American population, thus setting it up as a leader in potential sales. If something fails in Cal., likely it won't go over too well in the rest of the country. Again, like it or not, that's the way of things in these times.
I'd suggest that Cal "draft" some of the industry big-wigs like Bruce Schneier and others of like knowledge, to get a first-pass methodology for this kind of testing. Obviously it will need to be monitored and modified as real-world devices come in for testing, but in esssence, a Rating System of any kind will be a good measure for retail-level buyers to think about, as they make their decisions.
Enforcement efforts might include Mystery Shoppers who can be on the lookout for unrated devices, plus sales people that espouse that buyers "just ignore that rating, it's worthless".
sumgai
[ link to this | view in chronology ]
Re: Re: This is going to be stupid hard to legislate.
My car causes cancer (it has a prop 65 sticker). Food causes cancer (Every restaurant and supermarket that I've gone to has a sticker) . Coffee causes cancer, apparently(Starbucks has a warning).
It would be worse, in my opinion, because with the IoT, because everything actually IS a security risk. With security, the question is not "if" but "when" (so the solution is to make security modular so that it can be upgradable).
[ link to this | view in chronology ]
Re: Re: Re: This is going to be stupid hard to legislate.
[ link to this | view in chronology ]
Re: This is going to be stupid hard to legislate.
What's next, the House of Harkonnen heart plug?
[ link to this | view in chronology ]
Re: Re: This is going to be stupid hard to legislate.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I do have to say it's really nice being able to turn on/off lights and open and close the garage door and adjusting the temp. I have one side of my garage lights linked to my garage door using Apple's Home App so that when the door starts to open, the garage lights turn on, and when the door is closing, the lights turn off. It makes such a HUGE difference at night. So much more light than what little I get from the garage door opener. Best of all, it doesn't matter if you use Siri, or you pushing the button on the garage wall, or use the normal remote in your car. The garage in the main way we come and go. Not the front door. So having the garage light come on in the area we're walking through has been great.
Being able to open my garage hands free on my Harley using Siri, with my Bluetooth in my Helmet, Nice!!! I don't have to deal with any remotes. I do have to shut off my Motorcycle first, tell Siri to open the garage, and then start back up again. I can do it pretty fast. Siri can't hear me otherwise.
There's a lot of benefits to having a Smart house. But you only really need to make things smart where it makes sense. So you need a SMart Light switch for a closet? Not really. Baby Monitors have had some of the worst security around. IoT devices can be good. The Ring Doorbell uses IoT, but they keep the software updated and care about security. The login and password are not hardcoded where you can't change it like a number of IoT devices.
A lot of IoT devices just thrown out of China with little care in the world. California can't legislate it away. In general, Politicians have to much time on their hands and just keep growing everything. They all should really only work for maybe 2-3 months at most, and the rest of the time, working a real job.
[ link to this | view in chronology ]
Re: Working Politicians
[ link to this | view in chronology ]
Re: Re: Working Politicians
[ link to this | view in chronology ]
thanxs
[ link to this | view in chronology ]
Chinese manufacturers
That part's easy. Just convince the current administration that we need crushing tariffs on imported Chinese IoT devices, and then it won't matter how good or bad those devices are from a security or compliance perspective. Development will necessarily move on-shore, where it can be properly ignored by local regulators.
[ link to this | view in chronology ]
Linux and lazy developers are the problem
It's far easier to start with something that already does 98% of what you need (like Linux), and add the last 2%.
Harder is to build up 100% of your application from scratch, using simple, relatively bulletproof things like state machines and (at worst) simple RTOSes.
But most of the current generation of programmers wouldn't know where to start if not handed a full-blown OS with TCP/IP, CLI, a filesystem, USB, WiFi, graphics, multitasking, etc. already running.
There's simply NO WAY to build a secure device that way - every unused and unneeded "feature" hosts a swarm of security holes.
If you want a secure device, you've got to design it bottom-up from the hardware, adding only what you need, not top-down by stripping away functionality from a general-purpose OS.
(Kindly remove yourself from my lawn.)
[ link to this | view in chronology ]
Re: Linux and lazy developers are the problem
[ link to this | view in chronology ]
Re: Re: Linux and lazy developers are the problem
But I know a number of very smart and (otherwise) competent developers who simply have no bare-metal experience at all. The very idea of building up a system from scratch doesn't occur to them, and they wouldn't know where to start.
And they don't understand that the more moving parts anything has, the more likely it is for something to go wrong.
[ link to this | view in chronology ]
Re: Linux and lazy developers are the problem
A better designed toolkit could reduce misconfiguration issues but they are often determined to be complete idiots who would insist upon doing things like recording passwords in the clear for the sake of "ease of use".
People can and have secured systens via accounting for every possibility. Indeed just deleting every single unneeded function or setting them all accessible via permissions would create a pretty secure system.
[ link to this | view in chronology ]
These CRAZY CONSPIRACY THEORIES are great entertainment....
/sarcasm
Maybe they're right, maybe not. Wouldn't shock me if they are. One kid was suspended from school after they spied on him in his bedroom through his webcam. It's easy to just assume we're being watched 24/7, though many of us do that out of narcissism and we are "big brother."
It's amazing how there is always someone willing to poison something by doing something intrusive or stupid.
[ link to this | view in chronology ]
Re:
Yeah, that child was eating Mike 'n Ike candy and the stupid ass school administrator thought he could claim it was drugs and not be called out for the spyware they put on laptops prior to giving them to students. They should be brought up on pedo charges. But that story had nothing to do with IOT did it?
[ link to this | view in chronology ]
Sure, legislation is the answer
How about "you are 100 percent liable for all damage to your customer or ANY THIRD PARTY caused by any deliberately induced unintentional or undisclosed behavior of your product"?
[ link to this | view in chronology ]
problem might be that no one is responsible
Legislation should address these issues. A way to do that is to make sure those that benefit from a situation will feel it when things go bad.
So, the consumer and the people that sell iot devices should feel the pain when things go bad. ie. they should be held accountable for when devices end up doing harm.
Consumers should be aware of the risks, and do what they can to minimize risk, manufacturers and sellers should be made accountable if they provide iot devices that cannot be repaired/updated/made safe, or if they do not provide the means (patches, instructions, support) to consumers.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
A Quiet Place
[ link to this | view in chronology ]
Product Safety
I have been thinking that we currently have lots of existing product safety rules. I think these can be applied to IoT devices. If they proved to be vulnerable, then they can be declared unsafe and banned from sale. Then retailers like Amazon and the like would stop selling the bad ones.
Going after the people who sell them, vs. the user or the vendor, should have a bigger effect.
[ link to this | view in chronology ]
Re: Product Safety
Admittedly I have a bit of an agenda in wanting hardware to be free as in freedom, private maintainable, and workable without an external connection instead of shutting down once they get bought out (*cough* Nest).
[ link to this | view in chronology ]
Security is not port-based
By "listening ports" they might mean "servers", but we need to be clear with suggestions like this. Shunting every service onto port 80 won't improve security (we're already here: port-based firewalls mean most new protocols use 80 or 443). Merging all the code into one giant server won't improve security. It's the size of the attack surface, and the quality of the code behind it, that determine security.
[ link to this | view in chronology ]