Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Botnet Security Communications Network Networking Software The Internet United States Wireless Networking

US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk) 87

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."
This discussion has been archived. No new comments can be posted.

US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes

Comments Filter:
  • Have the router enforce per device network profiles, like which hosts it can contact, how much bandwidth it can use, how many connections it can have open at a time, etc.

  • by Anonymous Coward

    There won't be adequate security for IoT until the day comes when Russian hackers turns off everyone's fridge on Super Bowl Sunday and everyone is stuck with warm beers and all the TVs are tuned to the Oxygen channel's Oprah marathon.

    THEN IoT security will be taken seriously.

  • by Pinky's Brain ( 1158667 ) on Saturday December 10, 2016 @09:31AM (#53458829)

    This is the danger our resident experts create by going along with the IoT scare ...

    The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).

    • by zifn4b ( 1040588 )

      This is the danger our resident experts create by going along with the IoT scare ...

      Not sure what you mean here. IoT is another attack vector. IoT can be defined as consumer devices with embedded computers that have WIFI connectivity. Most likely they communicate with common things like REST and JSON. They use the same internet service providers that mobile phones, gaming consoles, PC's, etc.

      I think there is increased cause for concern with IoT because people buying consumer devices with dumbed down UI's will be mostly unaware of things like firmware upgrades, network security, etc. T

      • I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure, e.g. same default password on every device, no password for Bluetooth pairing, etc. Imagine if cars had no safety requirements or regulations. Imagine if your dentist didn't need to have any independently accredited qualifications.
        • I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure

          That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.
          • by zifn4b ( 1040588 )

            I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.

            It's quite simple. Want to join a botnet? Buy IoT devices. If you don't, don't buy them.

    • Using an unsecured and unlicensed C compiler will become illegal. Hexadecimal op codes will become propritary trade secrets. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?

    • by Zocalo ( 252965 )
      Not really, they are *all* part of the problem, including all of the people pointing fingers - no one is perfect at security, nor will anyone they ever be if you are realistic, although I do agree that lax end-user ISPs are playing a huge part in this particular instance with Mirai and its derivatives - e.g. TalkTalk is still a huge source of the Mirai traffic being dropped by my firewall, whereas Eircom and Deutsche Telekom are now dropping off fast. The security principles of defense in depth, while norm
    • Be careful (Score:2, Interesting)

      Be careful of what you wish for. The ISPs could institute a policy that only "approved" devices are allowed on the Internet. Don't think that can happen? That is where this is leading.
      • Re:Be careful (Score:5, Insightful)

        by Pinky's Brain ( 1158667 ) on Saturday December 10, 2016 @10:42AM (#53459077)

        That will help very little, approval doesn't make the device secure.

        The network needs to be robust against insecure devices.

        • by Anonymous Coward

          So ISPs would never use security as an excuse to make such a policy, even if the policy failed to improve security?

        • Not the network perse, but ISPs should certainly take some responsibility for what happens on their networks. Some typical DDOS patterns are easy enough to detect, and should result in blocking that traffic. If ISPs did this as a matter of course it would be much harder to set up an effective DDOS attack.

      • What will rather happen, since they can neither enforce nor control this sensibly and at a reasonable cost, is that they will simply include a clause in their contract that allows them to cut you off if they notice any harmful traffic coming from you.

        With "harmful" being "you using more bandwidth than we want you to", of course.

    • by swb ( 14022 ) on Saturday December 10, 2016 @11:21AM (#53459205)

      AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.

      The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.

      What's the ISP to filter then?

      • One option is filter the traffic from a customer suspected at participating in a DDOS on request from an ISP which owns the destination IP range. Easy to authenticate that the request is genuine and an ISP would be unlikely to abuse the power to remotely block users from reaching one of their IPs, since they could do that themselves locally in the first place.

        Once an ISP has a ton of rules for a single customer screwing up their router they might feel the need to talk with him about taking his fucking IoT o

    • Using an unsecured and unlicensed C compiler will become illegal. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?

    • by afgam28 ( 48611 )

      Being part of a botnet engaging in a DDoS attack is just one of many things that could go wrong with IoT devices.

      I'd be more worried about hackers disabling my IoT-enabled alarms (e.g. smoke alarms, burglar alarms) or IoT-enabled door locks and garage door opener. ISPs can't do anything to help with that.

      As a point of comparison, many Android handset manufacturers refuse to even provide security updates during the two-year contract period. I expect IoT device manufacturers to be even worse.

      It should be ille

    • by golodh ( 893453 )
      Seriously, no manufacturer will spend a dime on security since security doesn't sell very well. Markets won't provide what isn't valued. And security is a niche market, not a mass market.

      This guarantees that the upcoming deluge of IoT devices will be insecure unless we do something.

      IoT devices will have their OS hardwired in so that it can't be upgraded (cost considerations; and we'll sell you a new gadget if this one becomes compromised). Which means we'll be waist-deep in applications that will be bot

  • So let me get this straight:

    1. The risk that it will stifle innovation is outweighed by the need to regulate
    2. Every stakeholder operates within the US
    3. The US is not in the top 10 countries of origin for IoT-based attacks

    Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a t

    • They want to regulate all the endpoints, rather than just beef security at the transition points. It's ludicrous! Anybody can push whatever firmware they want into a microcontroller, except not (!!!) with this kind of regulatory burden. Will I need a jtag license? Will operating a compiler without a license become illegal, or too dangerous to contemplate because of the liability risk?

      Umm, the hell with that. Protect your network at it's routing points. It's not YOUR network until it passes through your dema

      • The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice.

        Regulation could come in regarding how product can claim compliance.

        Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said t
        • by EmeraldBot ( 3513925 ) on Saturday December 10, 2016 @11:14AM (#53459183)

          The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice. Regulation could come in regarding how product can claim compliance. Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is not simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.

          I agree with this mostly, but I do think there need to be some minimum standards for regulation. Some IOT stuff - automated stoves or heating / cooling or whatever - isn't just obnoxious if hacked, it can be downright dangerous if somebody makes the oven set itself on fire while you're asleep. Using a hardcoded check of PASSWORD, for example, is something I think we can all agree is unacceptable, and that shouldn't be tolerated.

          If we do make those standards too, they shouldn't be compromises, they should be seriously tough, and come in shades or grades instead of compromise. You can always let people pass lower, but no company is ever going to do better than the minimum required of them, so "A" had better mean pretty solid protection from hacking...

    • by tuxgeek ( 872962 )
      And of course there will be LESS government, and more FREEDOM.
      And a pony for all ..
    • So let me get this straight:

      1. The risk that it will stifle innovation is outweighed by the need to regulate 2. Every stakeholder operates within the US 3. The US is not in the top 10 countries of origin for IoT-based attacks

      Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.

      This is pretty correct. And having just (correctly) turned over ICANN into an international body, how do they get to regulate any IoT designs outside the US?

      The solution to IoT security would be to have a standard firewall list of known IP ranges that would be dropped at a gateway, if known to be a malware site. Just like a lot of ISPs use universal Google DNS servers rather than roll their own, similarly, routers should come w/ a list of public firewalls that one can choose from while setting things up

  • by Lemmeoutada Collecti ( 588075 ) <obereonNO@SPAMgmail.com> on Saturday December 10, 2016 @09:40AM (#53458873) Homepage Journal
    Regulate all you want. Malware authors won't care; they are already breaking the law. International corporations won't care, they just won't sell to the US. Users won't care, their thing works. So who are the targets of the regulation?
    • I had a similar thought to "regulate all you want," only I was thinking more along the lines of "if security of networked devices is so important, why have we not had similar regulation for the last 20-30+ years?" I mean, we've all seen the movie Sneakers. I know it was a bit fanciful, but the very first time someone decided to connect a power plant, bank, or air traffic control tower to any sort of external network, the world changed. The problem is I don't think that the general pub
      • by Dutch Gun ( 899105 ) on Saturday December 10, 2016 @01:37PM (#53459829)

        It's an issue of critical mass. Previous DDoS attacks were often due to exploits, some sort of reflection attack. Now, with IoT devices, there's sufficient bandwidth and enough devices to overwhelm a system with 100% legitimate and non-spoofed attacks, and that's a new and worrying trend. We're seeing a flood of *very* easy to compromise devices hit the market, along with sufficient outgoing consumer bandwidth to make them truly damaging even in the thousands, let alone in the hundreds of thousands or even millions.

        We're going to be seeing even more of these devices on the market. If they don't improve their security, we'll be seeing connectivity drop to the reliability of a third-world power grid, and that's going to have a huge impact on a lot of people and businesses who now absolutely rely on that infrastructure being ubiquitous and reliable.

        There's already an Underwriters Laboratories [wikipedia.org] stamp (the best known of several Nationally Recognized Testing Laboratories) on the bottom of most electrical or electronic devices you purchase. Why not a set of security requirements similar to that for internet connected devices? Let private industry and organizations develop and certify the specifics of the safety requirements, and the government can simply oversee the process. We already have a clear precedent on how to do this, and it doesn't appear to have stifled innovation in any sense.

        And of course, this not a license to connect to the internet (it shouldn't affect hobbyists or software), but a requirement to ensure basic security when someone wants to mass-produce and sell hardware devices that connect to the internet. Just saying "but... internet" doesn't make shitty products immune from reasonable regulations that permeate every other aspect of business for the greater good.

      • I mean, we've all seen the movie Sneakers.

        Why would you assume that? I don't think I've even heard of it. Then again, I've still not head of a sensible use-case for an IoT device either. Are you sure that both this movie and a sensible use case for an IoT device exist?

    • by tchdab1 ( 164848 )

      IOT attacks, that this discussion is addressing, are possible because millions of attached devices exist that aren't designed to be managed yet are capable of being hijacked. If it's possible to design IEEE-level standards into these devices that prevent the hijack, and legislation mandates that those standards must be present in any device sold in the USA, then those standards will proliferate. Malware authors will have many fewer targets on which to base DOS attacks. They will still break the rules, but t

  • by ooloorie ( 4394035 ) on Saturday December 10, 2016 @10:59AM (#53459135)

    There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.

    However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.

    And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.

  • by ThatsNotPudding ( 1045640 ) on Saturday December 10, 2016 @11:04AM (#53459157)
    Job Two will a federally-mandated backdoor for real-time warrant less surveillance.
  • by cjonslashdot ( 904508 ) on Saturday December 10, 2016 @11:21AM (#53459203)
    It is very simple. If software providers were at least partially liable for damages caused by security breaches, the situation would rapidly change: we would see companies hiring programmers with "security training", etc., and programmers would start caring about software security - because that would be where the jobs are. The total lack of liability today is the core problem.
  • Because we all really trust that anymore... right? Nobody trusts the US devices anymore post Snowden, so the very idea will just add to the distrust. Compare: approved by the Chinese government and approved by the US government.
  • Regulating IoT devices is a GOOD idea. Right now they are an example of a market failure - the huge cloud of insecure devices is created by the same market forces as a huge clouds of polluted air. Securing devices requires vendors to spend money so that vendors who don't care about security can undercut them.

    And the solution is the same - impose regulation to make IoT vendors responsible for their security. For example, IoT vendors can create a standardized and replaceable "control module" that only need
  • IEEE, ASE, someone (other than the French of course). I have a bunch of Internet Connected Tech (ICT) and they're easy to break into and re-purpose. Very low security. Not hard to figure out what it's running - arm processor, etc and kernel - Linux, mich, etc. then update it. For some devices it's as bad as having a barn to store your 1969 restored Corvette and instead of a lock, you're using a board to keep the doors closed. Sure, it'll do the job unless someone wants to get in.

You know you've landed gear-up when it takes full power to taxi.

Working...