US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)
New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."
We probably need network profiles for things (Score:1)
Have the router enforce per device network profiles, like which hosts it can contact, how much bandwidth it can use, how many connections it can have open at a time, etc.
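One way a router could enforce such profiles, as an added example that is not code from the thread or from any router vendor: each device gets an allow-list of destination prefixes, a byte budget over a sliding one-second window and a cap on concurrent connections, and every new flow is admitted or dropped against that profile. The MAC addresses, the vendor prefix and the flow trace are all constructed for the example (addresses come from the RFC 5737 documentation ranges).

```python
"""Added example: per-device network profiles enforced at the home router.

Constructed scenario, not code from the thread: a thermostat that may only talk to
its vendor's cloud prefix, and a laptop with an unrestricted profile. Addresses are
from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Profile:
    allowed_dsts: tuple      # CIDR prefixes the device may contact
    max_bytes_per_sec: int   # byte budget over a sliding one-second window
    max_open_conns: int      # concurrent connections permitted


@dataclass(frozen=True)
class Flow:
    t: float         # start time in seconds, relative to the trace start
    mac: str         # device identity as the router sees it
    dst: str         # destination IPv4 address
    nbytes: int      # bytes the flow will send
    duration: float  # seconds the connection stays open


# Hypothetical MAC addresses and vendor prefix (constructed).
THERMOSTAT = "aa:bb:cc:00:00:01"
LAPTOP = "aa:bb:cc:00:00:02"
PROFILES = {
    THERMOSTAT: Profile(("203.0.113.0/24",), 50_000, 4),   # vendor cloud only
    LAPTOP: Profile(("0.0.0.0/0",), 5_000_000, 200),        # general-purpose device
}

# Constructed flow trace; a device with no profile shows up at t=0.3.
SAMPLE_FLOWS = [
    Flow(0.0, THERMOSTAT, "203.0.113.10", 2_000, 1.0),
    Flow(0.1, LAPTOP, "192.0.2.77", 1_000_000, 5.0),
    Flow(0.2, THERMOSTAT, "198.51.100.5", 500, 1.0),      # not the vendor prefix
    Flow(0.3, "de:ad:be:ef:00:01", "203.0.113.10", 100, 1.0),
    Flow(0.4, THERMOSTAT, "203.0.113.10", 60_000, 1.0),   # exceeds the byte budget
    Flow(0.5, THERMOSTAT, "203.0.113.10", 100, 1.0),
    Flow(0.6, THERMOSTAT, "203.0.113.10", 100, 1.0),
    Flow(0.7, THERMOSTAT, "203.0.113.10", 100, 1.0),
    Flow(0.8, THERMOSTAT, "203.0.113.10", 100, 1.0),      # fifth concurrent connection
    Flow(0.9, THERMOSTAT, "203.0.113.10", 100, 1.0),
]


def evaluate(flows, profiles=PROFILES, window=1.0):
    """Return (t, mac, verdict) per flow in time order; verdict is 'allow' or 'deny:<rule>'.

    Denied flows are dropped by the router, so they consume none of the device's budget.
    """
    open_until = defaultdict(list)   # mac -> end times of admitted connections
    sent = defaultdict(list)         # mac -> (start time, bytes) of admitted flows
    verdicts = []
    for f in sorted(flows, key=lambda x: x.t):
        prof = profiles.get(f.mac)
        if prof is None:
            verdicts.append((f.t, f.mac, "deny:unknown-device"))
            continue
        if not any(ip_address(f.dst) in ip_network(p) for p in prof.allowed_dsts):
            verdicts.append((f.t, f.mac, "deny:destination"))
            continue
        recent = sum(b for t0, b in sent[f.mac] if f.t - window < t0 <= f.t)
        if recent + f.nbytes > prof.max_bytes_per_sec * window:
            verdicts.append((f.t, f.mac, "deny:bandwidth"))
            continue
        still_open = [end for end in open_until[f.mac] if end > f.t]
        if len(still_open) + 1 > prof.max_open_conns:
            verdicts.append((f.t, f.mac, "deny:connections"))
            continue
        open_until[f.mac] = still_open + [f.t + f.duration]
        sent[f.mac].append((f.t, f.nbytes))
        verdicts.append((f.t, f.mac, "allow"))
    return verdicts


if __name__ == "__main__":
    for t, mac, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{t:.1f}s {mac} {verdict}")
```

The thermostat's profile is deliberately narrow: a device that only ever needs its vendor's cloud has no legitimate reason to reach arbitrary hosts, so a sudden spread of destinations or a burst of connections is both blocked and visible in the verdict log, which is the signal a home user (or a fleet operator) would act on.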
Re: (Score:2, Troll)
Re: (Score:1, Troll)
Fortunately, Apple doesn't make routers anymore.
Re: (Score:1)
Apple has chosen to become the predominant gadget maker.
They haven't really made a successful server product since the SE/30.
It's going to fall on deaf ears. (Score:1)
There won't be adequate security for IoT until the day comes when Russian hackers turn off everyone's fridge on Super Bowl Sunday and everyone is stuck with warm beers and all the TVs are tuned to the Oxygen channel's Oprah marathon.
THEN IoT security will be taken seriously.
Re: (Score:2)
Re: (Score:1)
No mention of the internet architecture of course (Score:5, Interesting)
This is the danger our resident experts create by going along with the IoT scare ...
The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).
Re: (Score:3)
This is the danger our resident experts create by going along with the IoT scare ...
Not sure what you mean here. IoT is another attack vector. IoT can be defined as consumer devices with embedded computers that have Wi-Fi connectivity. Most likely they communicate with common things like REST and JSON. They use the same internet service providers as mobile phones, gaming consoles, PCs, etc.
I think there is increased cause for concern with IoT because people buying consumer devices with dumbed down UI's will be mostly unaware of things like firmware upgrades, network security, etc. T
Re: No mention of the internet architecture of cou (Score:1)
Re: (Score:2)
That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.
Re: (Score:2)
I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure
That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.
It's quite simple. Want to join a botnet? Buy IoT devices. If you don't, don't buy them.
Re:No mention of the internet architecture of cour (Score:5, Insightful)
Well that's the problem isn't it, how to create economic incentives for security.
We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.
Re: (Score:3)
Re: (Score:2)
How to secure IoT: 1-have experts make a chip that securely does IoT stuff. 2-make it cheap. 3-Secure!
Wrong:
1. Buy big hammer.
2. Apply said hammer with sufficient force to ensure that there are no surviving bugs in the device.
3. Now it's secure.
This, or ensuring the device is never powered up, are the only 2 ways that are guaranteed to work, and you can never be sure some idiot won't plug it in or insert a battery, so it's back to HAMMER TIME.
Re: (Score:3)
How to create an economic incentive for security? Easy. Remember Part 15 of the FCC Rules? That sticker nobody reads anymore that says
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Create the same for the IoT rubbish.
Failure to comply makes YOU liable for any damage the device you created caused.
Re: No mention of the internet architecture of cou (Score:1, Troll)
Using an unsecured and unlicensed C compiler will become illegal. Hexadecimal op codes will become proprietary trade secrets. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?
Re: (Score:3)
Be careful (Score:2, Interesting)
Re:Be careful (Score:5, Insightful)
That will help very little, approval doesn't make the device secure.
The network needs to be robust against insecure devices.
Re: (Score:1)
So ISPs would never use security as an excuse to make such a policy, even if the policy failed to improve security?
Re: (Score:2)
Not the network per se, but ISPs should certainly take some responsibility for what happens on their networks. Some typical DDOS patterns are easy enough to detect, and should result in blocking that traffic. If ISPs did this as a matter of course it would be much harder to set up an effective DDOS attack.
Re: (Score:2)
What will rather happen, since they can neither enforce nor control this sensibly and at a reasonable cost, is that they will simply include a clause in their contract that allows them to cut you off if they notice any harmful traffic coming from you.
With "harmful" being "you using more bandwidth than we want you to", of course.
Re: (Score:2)
Re:No mention of the internet architecture of cour (Score:4, Interesting)
AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, i.e., bogus addresses.
The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.
What's the ISP to filter then?
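The "bogus addresses" check the comment refers to is source-address validation at the customer edge (what BCP 38 describes): a packet is forwarded only if its source lies in a prefix the ISP actually routes to the interface it arrived on, and never if it comes from a range that is not a valid public source at all. The following is an added example, not code from the thread or from any ISP's equipment; the interface names, customer prefix assignments and packets are constructed, using the RFC 5737 documentation ranges.

```python
"""Added example: source-address validation at an ISP's customer-facing edge.

Constructed scenario, not code from the thread or any ISP: each access interface has
the customer prefixes routed to it; a packet whose source lies outside them, or in a
range that never appears as a legitimate public source, is dropped rather than
forwarded. Interface names and prefixes are hypothetical.
"""
from ipaddress import ip_address, ip_network

# Hypothetical assignments: interface -> prefixes delegated to the customer behind it.
ASSIGNMENTS = {
    "ge-0/0/1": ("198.51.100.0/26",),
    "ge-0/0/2": ("198.51.100.64/26", "203.0.113.128/25"),
}

# Ranges that are never valid source addresses on an internet-facing link.
# Listed explicitly: ipaddress's is_private would also flag the documentation
# ranges this example uses as customer space, so it is not relied on here.
BOGONS = tuple(ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
))


def validate_source(iface, src, assignments=ASSIGNMENTS):
    """Return 'forward' or 'drop:<reason>' for a packet arriving on a customer interface."""
    addr = ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop:bogon-source"
    prefixes = assignments.get(iface)
    if prefixes is None:
        return "drop:unknown-interface"
    if any(addr in ip_network(p) for p in prefixes):
        return "forward"
    return "drop:source-not-assigned"


# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.1"),     # legitimate customer traffic
    ("ge-0/0/1", "198.51.100.70", "192.0.2.1"),    # a neighbour's prefix on the wrong port
    ("ge-0/0/2", "203.0.113.200", "192.0.2.1"),    # second delegated prefix
    ("ge-0/0/1", "10.0.0.5", "192.0.2.1"),         # RFC 1918 source leaked out
    ("ge-0/0/1", "192.0.2.9", "192.0.2.1"),        # spoofed source from another network
    ("ge-0/0/9", "198.51.100.7", "192.0.2.1"),     # interface with no assignment
]


def filter_packets(packets, assignments=ASSIGNMENTS):
    """Apply validate_source to each packet; returns a list of (iface, src, verdict)."""
    return [(iface, src, validate_source(iface, src, assignments))
            for iface, src, _dst in packets]


if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:<9} {src:<15} {verdict}")
```

The check answers the comment's question only in part: it stops spoofed sources, which is what makes reflection-style floods possible, but a flood of legitimate requests from correctly-addressed compromised devices passes it untouched, which is exactly the gap the comment points out.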
Re: (Score:3)
One option is filter the traffic from a customer suspected of participating in a DDOS on request from an ISP which owns the destination IP range. Easy to authenticate that the request is genuine and an ISP would be unlikely to abuse the power to remotely block users from reaching one of their IPs, since they could do that themselves locally in the first place.
Once an ISP has a ton of rules for a single customer screwing up their router they might feel the need to talk with him about taking his fucking IoT o
Re: (Score:1)
Using an unsecured and unlicensed C compiler will become illegal. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?
Re: (Score:3)
Being part of a botnet engaging in a DDoS attack is just one of many things that could go wrong with IoT devices.
I'd be more worried about hackers disabling my IoT-enabled alarms (e.g. smoke alarms, burglar alarms) or IoT-enabled door locks and garage door opener. ISPs can't do anything to help with that.
As a point of comparison, many Android handset manufacturers refuse to even provide security updates during the two-year contract period. I expect IoT device manufacturers to be even worse.
It should be ille
Re: (Score:2)
This guarantees that the upcoming deluge of IoT devices will be insecure unless we do something.
IoT devices will have their OS hardwired in so that it can't be upgraded (cost considerations; and we'll sell you a new gadget if this one becomes compromised). Which means we'll be waist-deep in applications that will be bot
I think this whole idea stinks (Score:2, Interesting)
So let me get this straight:
1. The risk that it will stifle innovation is outweighed by the need to regulate
2. Every stakeholder operates within the US
3. The US is not in the top 10 countries of origin for IoT-based attacks
Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a t
Re: I think this whole idea stinks (Score:2)
They want to regulate all the endpoints, rather than just beef up security at the transition points. It's ludicrous! Anybody can push whatever firmware they want into a microcontroller, except not (!!!) with this kind of regulatory burden. Will I need a jtag license? Will operating a compiler without a license become illegal, or too dangerous to contemplate because of the liability risk?
Umm, the hell with that. Protect your network at its routing points. It's not YOUR network until it passes through your dema
Re: (Score:3)
Regulation could come in regarding how product can claim compliance.
Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said t
Re: I think this whole idea stinks (Score:4, Interesting)
The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice. Regulation could come in regarding how product can claim compliance. Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is no simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.
I agree with this mostly, but I do think there need to be some minimum standards for regulation. Some IOT stuff - automated stoves or heating / cooling or whatever - isn't just obnoxious if hacked, it can be downright dangerous if somebody makes the oven set itself on fire while you're asleep. Using a hardcoded check of PASSWORD, for example, is something I think we can all agree is unacceptable, and that shouldn't be tolerated.
If we do make those standards too, they shouldn't be compromises, they should be seriously tough, and come in shades or grades instead of compromise. You can always let people pass lower, but no company is ever going to do better than the minimum required of them, so "A" had better mean pretty solid protection from hacking...
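As an added illustration of the "hardcoded check of PASSWORD" the comment calls unacceptable, here is that check next to a hardened first-boot scheme: a random per-unit secret generated at the factory, stored only as a salted PBKDF2 hash, compared in constant time, and flagged so the owner must replace it on first login. This is example code, not from the thread or any product; the record layout, iteration count and minimum length are this example's own choices.

```python
"""Added example: the hardcoded check the comment objects to, next to a hardened
first-boot credential scheme. Not code from the thread or from any product; the
storage format and policy (per-unit random secret, forced change) are this
example's own choices.
"""
import hashlib
import hmac
import os
import secrets

# The pattern the comment calls unacceptable: the same literal in every unit's firmware.
HARDCODED = "PASSWORD"


def weak_check(supplied):
    """Kept only as the 'before' side: one leaked manual covers every device shipped."""
    return supplied == HARDCODED


def _hash(password, salt):
    # Slow, salted derivation so a dumped credential store is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_device(serial):
    """Factory step: generate a unique initial secret per unit (printed on its label)
    and store only a salted hash, with the must-change flag set."""
    initial = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    record = {"serial": serial, "salt": salt, "hash": _hash(initial, salt), "must_change": True}
    return initial, record


def check_login(record, supplied):
    """Constant-time comparison of the derived hash; reports whether a change is still owed."""
    if not hmac.compare_digest(_hash(supplied, record["salt"]), record["hash"]):
        return "denied"
    return "ok-must-change" if record["must_change"] else "ok"


def set_password(record, old, new, min_len=12):
    """Rotate the credential; succeeds only with the current secret and a non-trivial new value."""
    if check_login(record, old) == "denied":
        return False
    if len(new) < min_len or new == old or new == HARDCODED:
        return False
    record["salt"] = os.urandom(16)
    record["hash"] = _hash(new, record["salt"])
    record["must_change"] = False
    return True


if __name__ == "__main__":
    initial, rec = provision_device("SN-EXAMPLE-0001")   # hypothetical serial
    print("first login:", check_login(rec, initial))
    print("shared default:", check_login(rec, "PASSWORD"))
    print("rotated:", set_password(rec, initial, "a-long-owner-chosen-phrase"))
    print("after rotation:", check_login(rec, "a-long-owner-chosen-phrase"))
```

The difference that matters for the botnet problem is the first function versus the rest: with `weak_check`, knowing one unit's credential means knowing them all; with a per-unit secret, a compromise does not scale across the product line, and the forced change means the factory value stops working after the first login.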
Re: (Score:2)
And a pony for all
Re: (Score:3)
So let me get this straight:
1. The risk that it will stifle innovation is outweighed by the need to regulate
2. Every stakeholder operates within the US
3. The US is not in the top 10 countries of origin for IoT-based attacks
Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.
This is pretty correct. And having just (correctly) turned over ICANN into an international body, how do they get to regulate any IoT designs outside the US?
The solution to IoT security would be to have a standard firewall list of known IP ranges that would be dropped at a gateway, if known to be a malware site. Just like a lot of ISPs use universal Google DNS servers rather than roll their own, similarly, routers should come w/ a list of public firewalls that one can choose from while setting things up
Politics vs. Reality (Score:4, Insightful)
Re: (Score:2)
Re:Politics vs. Reality (Score:4, Insightful)
It's an issue of critical mass. Previous DDoS attacks were often due to exploits, some sort of reflection attack. Now, with IoT devices, there's sufficient bandwidth and enough devices to overwhelm a system with 100% legitimate and non-spoofed attacks, and that's a new and worrying trend. We're seeing a flood of *very* easy to compromise devices hit the market, along with sufficient outgoing consumer bandwidth to make them truly damaging even in the thousands, let alone in the hundreds of thousands or even millions.
We're going to be seeing even more of these devices on the market. If they don't improve their security, we'll be seeing connectivity drop to the reliability of a third-world power grid, and that's going to have a huge impact on a lot of people and businesses who now absolutely rely on that infrastructure being ubiquitous and reliable.
There's already an Underwriters Laboratories [wikipedia.org] stamp (the best known of several Nationally Recognized Testing Laboratories) on the bottom of most electrical or electronic devices you purchase. Why not a set of security requirements similar to that for internet connected devices? Let private industry and organizations develop and certify the specifics of the safety requirements, and the government can simply oversee the process. We already have a clear precedent on how to do this, and it doesn't appear to have stifled innovation in any sense.
And of course, this is not a license to connect to the internet (it shouldn't affect hobbyists or software), but a requirement to ensure basic security when someone wants to mass-produce and sell hardware devices that connect to the internet. Just saying "but... internet" doesn't make shitty products immune from reasonable regulations that permeate every other aspect of business for the greater good.
Re: (Score:2)
Why would you assume that? I don't think I've even heard of it. Then again, I've still not heard of a sensible use-case for an IoT device either. Are you sure that both this movie and a sensible use case for an IoT device exist?
Re: (Score:2)
Read John Varley's "Press Enter" if you want instructions on how to be almost
Re: (Score:2)
IOT attacks, that this discussion is addressing, are possible because millions of attached devices exist that aren't designed to be managed yet are capable of being hijacked. If it's possible to design IEEE-level standards into these devices that prevent the hijack, and legislation mandates that those standards must be present in any device sold in the USA, then those standards will proliferate. Malware authors will have many fewer targets on which to base DOS attacks. They will still break the rules, but t
Re: (Score:2)
no regulation, but liability (Score:4, Insightful)
There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.
However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.
And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.
Security will be Job One (Score:3)
Just make manufacturers liable for damages (Score:3)
US Regulation? (Score:1)
That's a good idea, actually (Score:2)
And the solution is the same - impose regulation to make IoT vendors responsible for their security. For example, IoT vendors can create a standardized and replaceable "control module" that only need
Re: (Score:2)
Re: (Score:2)
Someone should (Score:1)
IEEE, ASE, someone (other than the French of course). I have a bunch of Internet Connected Tech (ICT) and they're easy to break into and re-purpose. Very low security. Not hard to figure out what it's running - arm processor, etc and kernel - Linux, mich, etc. then update it. For some devices it's as bad as having a barn to store your 1969 restored Corvette and instead of a lock, you're using a board to keep the doors closed. Sure, it'll do the job unless someone wants to get in.