Who's Responsible For IoT Security? (networkworld.com), posted 2017-08-26
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF]. The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
Janit0r is responsible because he bricks your insecure devices.
Security is everybody's responsibility.
Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.
Bruce wrote a cryptology book back when nobody else would. He's a security journalist.
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.
Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need g
I would say that if a user does not at least make a good faith effort to secure his things using the documentation available, and his stuff gets compromised, then the majority of the responsibility falls on his shoulders.
If the user does do his best to secure it, and it still gets compromised, then the blame falls on whatever entities were responsible for the development of whatever component was the weak link.
> I would say that if a user does not at least make a good faith effort to secure his things using the documentation available
I'm afraid that the documentation is _not_ available. Features are modified without notification, especially including how new "features" are designed and how the back end data is protected on the vendor's part. I'm afraid I recently attended a presentation on a new set of IoT devices, and had a quiet back room talk with several of the IT personnel about how they handle the data. I
Under the proposed rules, this would make it the fault of whomever ensured that no matter what the user did, their things would be insecure. A good way to encourage them to think about it is to have it be a liability risk--make the potential costs serious enough, and you'll have their legal department insisting.
I suggest starting with your legislator(s) to make it so security is not something they can get freed from liability for by having the EULA say it's your problem not theirs if they screw up. (Yes,
No, not just developers. I work on IoT, we do security and we try to do the best security. Customers don't think this is important. It raises the cost. We get a max cost of a product and adding security can blow past it. A big problem is with companies and customers alike wanting to jump on the band wagon with instant results.
Also, security requires resources. More memory, better chips (ie, keep keys out of RAM), use PKI instead of preshared keys, etc. Every framework online that claims to be IoT ready
It's the classical dancing pigs problem (Score:5, Informative)
Only worse.
Here [wikipedia.org] you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
Maybe initially. When it begins to impact them they'll care. Someone hacked the thermostat and ran your AC bill up to 1000 bucks for the month? Suddenly security becomes quite the consideration.
Given the impact connected discrete peripherals can have on people, I fully expect this nonchalance towards security to be a phase. A very very short phase.
Not if we allow them to sue the manufacturers and everyone else they want rather than have any responsibility
This is a great example of an unrealistic FUD scenario. It's going to take:
a) Something that would really happen, not just could happen, and the "could" here, at least for anyone actually at home at the time, is very weak.
b) Something that happens to a large number of people, not just "the other guy", i.e. the guy who dies in a car accident because he was distracted by eating a burrito.
c) Something expensive enough to be worth the trouble to defend against it.
d) Something where the damages will not
You're forgetting the possibility that such problems might result in the IoT ending up being essentially a fad--with people opting to simply not have anything important hooked up to the IoT once the problems with securing it become sufficiently known and left unfixed. You might have a few things still connected, maybe a few exterior lights hooked up so you could switch them on remotely, but beyond that? Nope.
For this to really have any measurable impact, it would not only have to happen to a LOT of people, if not to everyone who ever bought an insecure IoT gadget. Why? Experience.
For ages we have had banking trojans, and still people click every bullshit. We've had encryption trojans for a while now too, and still people neither make backups nor do they up their security. Both things still work as planned. Because it doesn't happen to enough people. And as long as it's not just happening to someone who happens to b
Right, they don't want to know. They don't want security. What they want is a crime-free neighborhood. In the end, it comes down to economics. People make rational individual economic choices about security. Consider how people have long handled security for their homes. Most homes and even businesses are not physically secure in any way even close to what is being demanded by security zealots. Setting people who got sold a bill of goods by ADT and Dr. Robert Neville aside, for most the "price" of l
The problem is that you can live in the best possible neighborhood and still have the slums next door on the internet. There is no "better neighborhood" on the internet that you could move to, because everyone, literally everyone, is living next door.
You can of course choose to live in a gated community. But again, as the internet is a thoroughly bidirectional system, this also means that you live in a prison.
Choose freedom and responsibility or prison and a warden that decides who may visit you and where y
Yup. I've seen industrial customers delay and delay adding in the security. There's worry that it's too complicated, that they'll brick their systems, etc. But you can't get both convenience and security at the same time.
In the United States IoT (Internet of Things) has no legal definition.
Microwave ovens on the other hand are legally defined and have several federal regulations concerning them. USC Title 21, Chapter 9, Subchapter V as well as Subchapter J, parts 1000 through 1005, 1010 and 1030.10.
Manufacturers and individuals get "a pass" unless there is a specific law regulating their behavior.
Please excuse my lack of understanding, but what is the relevance of whether the "IoT" is the local hardware or the network over which the data is shared, or the services on which the data is stored and services provided by the vendor?
And software is also the only product where you get away with something like this.
Just check the status as of today (Score:2)
Currently: nobody. (Score:3)
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to these problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.
> It's largely not the individuals purchasing the insecure IoT devices who are directly harmed by the security holes.
I agree that most of the harm is indirect. Botnets hosted on various IoT devices are an issue. Another issue is the regulatory difficulty of embedding robust security in such devices. To quote from the Wikipedia article on encryption export controls:
> As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Securit
Well, care to tell me where I can buy secure shit?
Just recently we had someone ask for suggestions for a 4k TV that does NOT try its best to connect to the internet and send all kinds of information to its master while at the same time allowing streaming from a LAN connected media source.
As far as I know, nobody could point to such a thing.
Per port firewalls. (Score:2)
I have been predicting that at some point in the future, all switches, routers, etc will have a firewall per port so you can control access to, well, everything but especially this proliferation of IOT.
Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
No matter what it's going to be another wild wild west of security problems going forward, so many things have zero support after being shipped, it just works without any regard to security.
NAT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NAT. This provides an excellent opportunity to filter connections _into_ your local environment, as well as data _leaving_ your local environment.
I'm seeing companies, partners, and clients entirely disable IPv6 on their local network because the increased address space encourages every device to be routable and accessible from the Internet at large. And I'm in full agreement, and it'
You're doing security wrong if you think NAT is a "solution" to properly securing IPv4 or IPv6 networks.
My entire subnet of workstations has public IP, some still run DOS, OS9, WinXP etc. but you still can't access them from the Internet or even within the subnet.
It's a _start_, and an extremely useful one. There is a goal of some IPv6 and IoT advocates that every device in the world should be accessible via publishable IPv6 address. It was also one of the underlying constraints in setting the size of the IPv6 address space. Such exposure to externally routable or scannable addresses is completely unnecessary for most "IoT" devices, which can be run more safely in a "the device polls specific services on the Internet" rather than an "anything on the Internet can rea
This is easy ... (Score:2)
... it's the manufacturer's responsibility.
"Enter an administrative password and click Next to continue ..."
I don't expect an award or stuff.
It's 2 part (Score:2)
Second, the device needs its password changed before it works.
The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
> First, the vendor provides a default password.
> Second, the device needs its password changed before it works.
_Thank you_. I'd not put it in such terms, but that is a viable approach which I'd gladly support.
> The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
There is a similar situation now for cable modems. They print the default network and password names on the devices, partly t
Until you can query the serial number using a variety of ways e.g. SNMP or whatever else the devs leave laying around.
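A small model of the two-step scheme debated above (a per-device default that must be replaced before the device serves anything), written here as an added example and not code from any poster or vendor. The `Device` class, the constructed serial number and the 12-character minimum are assumptions; it also encodes the caveat that a serial number readable over SNMP or a label is only ever a bootstrap secret, never an acceptable long-term password.

```python
"""First-boot credential policy for a hypothetical IoT device (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample value: the factory default password is the device serial.
SERIAL = "SN-0001234567"


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    provisioned: bool = False  # True once the owner replaced the default

    def __post_init__(self) -> None:
        # Factory state: the only credential is the per-device serial number.
        self.pw_hash = self._hash(self.serial)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def set_password(self, old: str, new: str) -> tuple[bool, str]:
        """Replace the credential; refuse to keep the serial as the password."""
        if not self.check_password(old):
            return False, "bad old password"
        # The serial is printed on the label and often queryable (SNMP etc.),
        # so it is a discoverable default, not a secret the owner may keep.
        if new == self.serial or len(new) < 12:
            return False, "weak password"
        self.salt = os.urandom(16)  # fresh salt for the new credential
        self.pw_hash = self._hash(new)
        self.provisioned = True
        return True, "ok"

    def handle_request(self, service: str, password: str) -> str:
        """Everything except the admin setup path is refused until provisioned."""
        if not self.provisioned and service != "admin":
            return "refused: change default password first"
        if not self.check_password(password):
            return "refused: auth"
        return f"ok: {service}"


def first_boot_walkthrough() -> list[str]:
    """Run the provisioning sequence and return what the device answered."""
    dev = Device(SERIAL)
    out = [dev.handle_request("stream", SERIAL)]        # blocked: still default
    out.append(dev.set_password(SERIAL, SERIAL)[1])     # serial reuse rejected
    out.append(dev.set_password(SERIAL, "correct-horse-battery")[1])
    out.append(dev.handle_request("stream", "correct-horse-battery"))
    out.append(dev.handle_request("stream", SERIAL))    # old default is dead
    return out
```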
Summary misses most serious problem... (Score:4, Interesting)
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
> No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet.
I can attest to this from personal and painful experience with such devices as printers and certain medical appliance toolkits for "doctor's office" use.
People who buy them (Score:3)
> Producers of products ultimately aim to please their customers
Please forgive me, but this is a common misconception that I've had to address for a number of younger Libertarian advocates recently. There are many, many counterexamples of people and businesses who are purely interested in profit. Pleasing the customer is one means to encourage sales. But theft, fraud, and neglect of damage to customers are often more effective ways to increase profit in the short term, and they _are_ common place.
I appre
Producers of products ultimately aim to please their customers
If you got more material like this you could have a standup routine going by next weekend.
Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best. If that's not necessary because the customer is stupid enough to fall for "ohh shiny!", "ohh shiny!" is all he'll get. Because it's simply cheaper than security.
Producers of products ultimately aim to please their customers
If you got more material like this you could have a standup routine going by next weekend.
Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best.
And because pleasing the customer is a necessary evil, producers ultimately do it, otherwise they would not have customers. I never meant to imply that producers were altruistic. Producers don't aim to please customers because they want them to be happy, they do it so that customers are happy enough (or at least willing) to make a purchase and not return the product.
Generally that's why I hate the consumer-oriented IoT. It gives a terrible name to the whole product because of the complete lack of quality and worst-in-class security. But even for commercial/industrial customers there's a lack of knowledge about security, but at least they have an idea that they want some of it.
Just freaking wow! (Score:2)
Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
The answer is... (Score:2)
No one.
Next question?
Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.
Channelling Mahatma Gandhi (Score:2)
Interviewer: Mr. Gandhi, what do you think about security for the Internet of Things?
Mahatma Gandhi: I think it would be a good idea.
Wasn't he also the guy who had an old spinning wheel instead of a weaving machine because he said with the spinning wheel he is the master while with a machine that you might not even own, you cannot be sure just who is the master and who is the slave?
Talk about a prophet!
Are you fucking kidding? (Score:1)
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremberg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable
To put this into a bit more context, imagine this were not IoT gadgets, but food. If a restaurant is poisoning people with bad food, nobody walks around saying, "Those people should have read up on the food safety tests." They say the restaurant should be shut down until it stops poisoning people. If a company is literally dumping crap on the highway, nobody says, "Well, drive somewhere else then!" They yell for the local sheriff to haul those fuckers to jail. This is not a market failure, it is not an issu
Your Home Router should. (Score:2)
By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.
That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.
If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.