Slashdot Mirror


Bruce Schneier: We Need To Save the Internet From the Internet of Things (vice.com)

Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

164 comments

  1. confirms the Matrix by Anonymous Coward · · Score: 1, Funny

    Bruce just confirmed we are in the Matrix.

    1. Re:confirms the Matrix by ls671 · · Score: 1

      Elon had already done so...

      http://www.telegraph.co.uk/tec...

      --
      Everything I write is lies, read between the lines.
    2. Re:confirms the Matrix by LQ · · Score: 1

      Elon had already done so...

      http://www.telegraph.co.uk/tec...

      That article includes the wonderfully tautologous statement that we may live in a computer simulation run by our descendants.

  2. The only way this will get fixed by Registered+Coward+v2 · · Score: 5, Insightful

    is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they have no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet: there is no way to block access from insecure devices when they become part of a BotNet. If there was, and manufacturers suddenly got lots of warranty calls when it stopped working, they might actually care about security.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:The only way this will get fixed by mlts · · Score: 4, Insightful

      "Security has no ROI" is a mantra I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they'd just tell users to buy version 2 of the device that might move the open port from 23 to another ID, and call it done.

      What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.

    2. Re:The only way this will get fixed by gnick · · Score: 4, Insightful

      is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.

      What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:The only way this will get fixed by MitchDev · · Score: 4, Insightful

      When they get SUED and pay out the nose is the only time they'll take it seriously.

    4. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      Yeah, we need government to fix this, because people will have no problem putting security cameras in their house that are known to be open to anyone to look at. Or door locks that anyone can open, etc. Consumers need to be informed, not regulated.

    5. Re:The only way this will get fixed by DickBreath · · Score: 5, Interesting

      Maybe the cost needs to be a government fine. That way it has a guarantee of financial impact. No uncertainty about whether a lawsuit will be filed, or whether it will be won. And a private party does not have to bear the cost of initiating the lawsuit.

      Simply have statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.

      Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.

      It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built in incentive to build them as cheaply and unsafely as possible.

      --
      I'll see your senator, and I'll raise you two judges.
    6. Re:The only way this will get fixed by rtkluttz · · Score: 4, Insightful

      Wrong. The only way this gets fixed is if cloud command and control goes away. Internet of things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suit them. Configuration differences from one place to another make mass control almost impossible. Yes, it's much more likely individual sites get compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall. The CORPORATION is the biggest damn security threat we have.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    7. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      I herd U liek mudkipz!!

    8. Re:The only way this will get fixed by Grishnakh · · Score: 1, Troll

      What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security.

      Won't work. People used to value UL ratings because they were worried about electrical appliances catching on fire. People don't even care about UL ratings any more because this just doesn't happen, except with things that have lithium batteries.

      The fact is, consumers just don't care about security. They don't know anything about it, they don't want to know, they just know the nebulous "hackers" are "out there" and there's nothing they can do about them, so they stick their heads in the sand and hope for the best.

    9. Re:The only way this will get fixed by Snotnose · · Score: 3, Insightful

      Maybe the white hats can help. Get the malware used in subverting the devices, then modify the payload so it changes the network settings to knock the device off the internet. If the owner is knowledgeable they can fix it, probably do so 3-4 times, then return the unit. Everybody else will just return the unit.

      This costs the manufacturers big $$$ and removes the threat.

    10. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      Submit your electrical product that has no UL rating to a retailer, then come back and tell us all how nobody cares about UL.

    11. Re:The only way this will get fixed by Anonymous Coward · · Score: 1

      As long as they're allowed to disclaim liability for obvious problems with their products, there will be no movement on the issue.

      It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

    12. Re:The only way this will get fixed by unixisc · · Score: 1

      The only way this will get fixed is when internet providers get serious about IPv6 security and migration, since that's what the internet of things hinges on. Essentially, how to set things up so that things like camcorders connected to the internet can't be remotely maneuvered except by network nodes authorized to do that. And before anyone says 'NAT', this is not an issue about NAT: it's an issue about not knowing how to set up IPv6 based VPNs, and have everything operate within that.

    13. Re: The only way this will get fixed by Anonymous Coward · · Score: 0

      Fines won't work unless they are income based. Too many times international corporations with income in the millions to billions pay 0.00001% of the profit they made from a defective product.

      Of course, this only works if every country in the world is agreeable. Otherwise they will just relocate to the most convenient point of manufacture.

    14. Re: The only way this will get fixed by Anonymous Coward · · Score: 0

      You expect average Joe on DSL, with an IP that changes every 10 minutes, to research and implement dyndns?

    15. Re:The only way this will get fixed by Hognoxious · · Score: 2, Insightful

      According to AmiMoJo, it's a form of transportation that is literally a rapist.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    16. Re:The only way this will get fixed by arth1 · · Score: 4, Insightful

      It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

      In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.

      So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.

    17. Re: The only way this will get fixed by Dadoo · · Score: 4, Interesting

      Fines won't work unless they are income based

      So fine the people who own the devices. Start with a small fine, like $10, then double it for each repeat offense. Eventually, the word will get out, people will stop buying products from that vendor, and sales will suffer. They won't have any choice but to make their products secure.

      --
      Sit, Ubuntu, sit. Good dog.
    18. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      Yes, all open source projects and apps that access the network must be registered and licensed by the government so you can be fined if it turns out to be insecure.

      (Because there is no difference between IoT and computers. IoT = computer)

    19. Re:The only way this will get fixed by Grishnakh · · Score: 0

      Is the iPhone UL-rated?

    20. Re:The only way this will get fixed by Anonymous Coward · · Score: 3, Informative
    21. Re: The only way this will get fixed by bestweasel · · Score: 3, Interesting

      I know this goes against everything you believe but sometimes government has to step in because people and corporations with a vested interest can't always be trusted to do the right thing. That's why you have mandatory requirements for electrical goods and many others, from water to food. Do you think those laws should be repealed? There should be mandated security standards for internet devices, checked by independent researchers and paid for by the manufacturer.

    22. Re: The only way this will get fixed by spire3661 · · Score: 4, Insightful

      Yes, I very much do. For too long we have coddled users; either they step up and learn some of this stuff, or they get left behind and cut off. A firewall configuration is not a high bar to cross in an Information Age.

      --
      Good-bye
    23. Re: The only way this will get fixed by Anonymous Coward · · Score: 0

      There should be mandated security standards for internet devices, checked by independent researchers and paid for by the manufacturer.

      I work at a non-profit on a two person tech staff. The company is pretty big - 13 counties, mid size, lower millions for revenue. We accept federal, state and county funding so we have some fairly heavy auditing requirements. Third party audits on regular schedules are required by law. We are allowed to hire our own auditing firm.

      Think about that. Does anyone see a conflict of interest?

      I'm asked about things like backup procedures - how are backups run, can you show me a copy and demonstrate recovery. Of so far. An auditor stops in to ask me if I've been asked to do anything unethical (delete something behind the scenes, alter logs, email forgery, whatever) but I'm not there. My counterpart answers no to the questions and mentions it to me later. I go speak with the auditors because I had to answer the same questions with 'yes'...

      The auditors were not interested in speaking with me. They were able to get an answer from a departmental level so I guess that is good enough. I pressed and they basically said "ok, thank you, got to go now."

      Wouldn't want to report something bad about the company that is paying me right? They might not contract with me next time right? How obvious can that flaw in your proposal be?

      Agree with you in spirit, but that one point is crucial. Proposal: 'independent'* researchers paid for by the competitors of the manufacturer. Nothing is more honest than a bad word said about a friend or a good word said about an enemy.

      * For all parties, funding determines friendships and feuds.

    24. Re: The only way this will get fixed by kuhnto · · Score: 1

      Agree. Most of us are capable of operating 3000 lb machines at 70 mph and we learned that in high school. Configuring a firewall should be the new driver's ed for our society. I was about to say "No IT license, no Internet" but unlike driving, I think the Internet has become a basic right. So I will step back from that ledge, and say it would be valuable to society if there was some training going on somewhere. I just do not know where...

      --
      "A 'person' is smart. 'People' are dumb, panicky animals and you know that."
    25. Re: The only way this will get fixed by bestweasel · · Score: 1

      Yes, that's always a danger with regular auditing because the auditors want the repeat business next year. Then the audit becomes routine, everyone complains about how pointless it is and it's treated as a box-ticking exercise. They're mostly right because how often does the shit hit the fan? How likely is it that an auditor will come across an Enron? They missed that of course.

      Mostly though, the regulations, inspections and enforcement work. Thousands of Americans aren't electrocuted because of faulty electrical goods. A similar framework for internet security would work just as well, if it weren't for the privacy implications, which means there should also be some oversight of both government and manufacturers, which is why I suggested independent researchers. They needn't be hired directly by the manufacturers (and going along with your concerns, shouldn't be), just paid for by them.

    26. Re: The only way this will get fixed by Anonymous Coward · · Score: 0

      Hear hear! Do you want to be instructor for the class teaching my 85 year old grandma with cataracts and a hip replacement how to configure a firewall for her internet enabled fridge? She's driving after all.

    27. Re:The only way this will get fixed by overnight_failure · · Score: 1

      Actually I think it's time they were made legally responsible for their product's security. Practically speaking they could never know about every single attack vector that could be dreamed up. But making them (on pain of large, ongoing fines) use decent security protocols and decent, random default passwords would be a start.

    28. Re: The only way this will get fixed by Anonymous Coward · · Score: 0

      Driving is primarily a physical skill, not at all comparable to the mental task of firewall configuration.

      Your suggestion would mean that people would need to know whom to employ that they can trust to do this for them, do so, and pay them. For some this may not be affordable. In theory this would make IoT unaffordable and thus unavailable, except standard items will be IoT equipped in time and hard to avoid.

    29. Re:The only way this will get fixed by Pieroxy · · Score: 1

      What you say is that some "good conscience" grey hats need to write robots that hack through those devices and brick them? That could work. But then you need to protect yourself pretty well, because the day one of those manufacturers gets a hold of you, you're going to get sued down to oblivion.

    30. Re:The only way this will get fixed by turbidostato · · Score: 1

      "The only way this will get fixed is when internet providers get serious about IPv6 security and migration"

      So, the problem is stated as being no motivation for the IoT producer to spend on securing their devices and then your proposed solution is for a third party to do something it is even less motivated to do?

      Brilliant.

    31. Re:The only way this will get fixed by Bert64 · · Score: 1

      If the manufacturers are not based in Europe, nor selling directly in Europe, then there's not much recourse under European law.
      Most of these devices come from China.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    32. Re:The only way this will get fixed by Bert64 · · Score: 1

      I agree, I want devices that work in exactly the way you describe... I would put them on their own VLAN, access them via VPN and there would be relatively little risk even if the devices themselves are horrendously insecure.

      Unfortunately the vast majority of potential customers are not up to that; most have no idea how to punch holes in their firewall or aren't even able to (carrier NAT for instance), so you have devices that connect out to a server somewhere that the end user has no control over. You end up with automated ways to punch holes through firewalls (UPnP etc.) which defeats the whole point.

      If devices are directly reachable over the internet they will get mass owned, there won't be many configuration differences because most users never change the defaults. Most if not all of the devices exploited recently were obtained through default passwords and these make up the minority of users who have such devices directly reachable. Many more such devices will live on internal networks waiting to be found.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
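The segmentation Bert64 describes above (IoT on its own VLAN, no direct reachability from the internet, no UPnP, factory passwords changed) written out as a checklist in code; this is an added example, not code from the thread, and the vendor names, model numbers, default credentials, addresses and router fields are all constructed placeholders rather than any real product's data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed table of factory-default credentials for hypothetical products.
# A real check would be fed from the device inventory; these are placeholders.
DEFAULT_CREDENTIALS = {
    ("ExampleCam", "C100"): {"admin", "1234"},
    ("ExampleDVR", "D200"): {"admin", "admin"},
}


@dataclass
class Device:
    ip: str
    vendor: str
    model: str
    password: str


@dataclass
class Vlan:
    name: str
    subnet: str
    trusted: bool  # True for the segment holding laptops/phones, False for IoT-only


@dataclass
class RouterConfig:
    upnp_enabled: bool
    # (external_port, internal_ip, internal_port): each forward makes a device
    # directly reachable from the internet, which is the exposure Bert64 warns about
    port_forwards: list = field(default_factory=list)
    vlans: list = field(default_factory=list)
    devices: list = field(default_factory=list)


def vlan_of(config, ip):
    """Return the VLAN whose subnet contains ip, or None if it is on no defined segment."""
    addr = ipaddress.ip_address(ip)
    for vlan in config.vlans:
        if addr in ipaddress.ip_network(vlan.subnet):
            return vlan
    return None


def assess_exposure(config):
    """List the conditions under which the thread expects IoT devices to be mass-owned:
    UPnP open, a device forwarded from the internet, an unchanged default password,
    or an IoT device sharing the trusted segment with personal computers."""
    findings = []
    if config.upnp_enabled:
        findings.append("UPNP_ENABLED")
    forwarded = {}
    for _external, internal_ip, internal_port in config.port_forwards:
        forwarded.setdefault(internal_ip, []).append(internal_port)
    for dev in config.devices:
        for port in forwarded.get(dev.ip, []):
            findings.append(f"DIRECT_INBOUND:{dev.ip}:{port}")
        if dev.password in DEFAULT_CREDENTIALS.get((dev.vendor, dev.model), set()):
            findings.append(f"DEFAULT_PASSWORD:{dev.ip}")
        vlan = vlan_of(config, dev.ip)
        if vlan is None or vlan.trusted:
            findings.append(f"IOT_ON_TRUSTED_VLAN:{dev.ip}")
    return findings


# Constructed "weak" setup: one flat LAN, UPnP on, camera and DVR forwarded with defaults.
WEAK = RouterConfig(
    upnp_enabled=True,
    port_forwards=[(8080, "192.168.1.20", 80), (23, "192.168.1.21", 23)],
    vlans=[Vlan("lan", "192.168.1.0/24", trusted=True)],
    devices=[Device("192.168.1.20", "ExampleCam", "C100", "1234"),
             Device("192.168.1.21", "ExampleDVR", "D200", "admin")],
)

# Constructed "hardened" setup: IoT on its own untrusted VLAN, no forwards (remote
# access would go through a VPN into the LAN instead), UPnP off, passwords changed.
HARDENED = RouterConfig(
    upnp_enabled=False,
    port_forwards=[],
    vlans=[Vlan("lan", "192.168.1.0/24", trusted=True),
           Vlan("iot", "10.10.0.0/24", trusted=False)],
    devices=[Device("10.10.0.20", "ExampleCam", "C100", "k7!pQ29vLz"),
             Device("10.10.0.21", "ExampleDVR", "D200", "Wq8#mD2rTx")],
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_exposure(cfg) or "no findings")
```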
    33. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      Or changing the laws to hold them liable for negligence. If you leave your pistol collection on a pedestal behind an open window, combined with copious amounts of ammo, and go out of town for the week, and some criminal takes and uses it, your negligence contributed to it.

    34. Re: The only way this will get fixed by spire3661 · · Score: 2

      No, I want her to pay a professional to help her with it, just like if she wanted a new electrical socket installed to plug it in, or needed a water line for the automatic ice maker.

      --
      Good-bye
    35. Re: The only way this will get fixed by TheMeth0D · · Score: 1

      The government's idea of security is the TSA. I'd hate to see what the internet equivalent would be.

    36. Re:The only way this will get fixed by Anonymous Coward · · Score: 0

      the blackhats can break into everything

      If they coded like OpenBSD with someone like Linus yelling at them every time they did something dimwitted, we wouldn't have security issues.

    37. Re:The only way this will get fixed by DickBreath · · Score: 1

      I didn't say anything about government licensing, registration or inspection. Only about mandatory fines. Inspection could be done privately, similarly to voluntarily getting a UL sticker -- which says a lot about your product.

      If your product causes a fire, your company is to blame. It should be similar for IoT devices used for hacking. If you make a device that is hacked and used to cause damage, your company is to blame just as much as if your device caused the building to burn down. What is so difficult to understand about this? Companies should make unsafe products. If you can't, then get out of the way for the next guy who can.

      --
      I'll see your senator, and I'll raise you two judges.
  3. B...b...but government always BAD! by Anonymous Coward · · Score: 0, Funny

    B...b...but government always BAD!

    Moron libertarians roar approval

    Post with absolutely no insight gets modded up to +5, insightful

    Smug libertarians strut around triumphantly. They have won the argument in their own minds yet again.

    1. Re:B...b...but government always BAD! by fche · · Score: 0, Troll

      smug collectivists yell "the government will save us!"
      with the glowing "success" of anti-spam "laws" ignored
      and unintended consequences safely unimagined
      they can save the world, if we'd only let them

    2. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 1

      right... because the government had nothing to do with the creation of the Internet and has certainly never run secure nodes with large numbers of devices attached to them...

    3. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 0

      They sure don't run any secure nodes on the Internet. Maybe you missed all those reports?

    4. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 0

      yeah... and that is why there are nukes being accidentally launched

      read up on Arpanet and SAGE sonny

    5. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 1

      That's a pathetically weak argument there, certainly not strong enough to lord it over your opponent as a "shithead." Moreover, what the fuck is up with your prose?

      Assertion: "The government can indeed help with certain problems, but not this one."
      Support 1: They, whoever 'they' are, are unable to understand the problem. That's awfully vague and unsubstantiated.
      Support 2: "They lack the ability to create any useful solution." umm, that's just a rewording of your assertion.
      Conclusion: "solutions will have to come from another source" more hand-waviness, based on an assertion that you didn't prove.

      You're exactly the kind of shithead that attempts to ape rational argumentation based on what you think it sounds like. You have no ability to generate it or express it in legitimate prose.

    6. Re:B...b...but government always BAD! by lgw · · Score: 4, Insightful

      Someone else suggested a UL-like certification for household IoT. I really like that solution. It's not hard for the average person to understand that this seal means a stranger can't watch you through your webcam, can't unlock your doors, etc. I think people would care, if it were as simple as looking for 1 logo, no geek needed.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:B...b...but government always BAD! by Bing+Tsher+E · · Score: 3, Informative

      And notably, the UL is a non-governmental organization.

    8. Re: B...b...but government always BAD! by kuhnto · · Score: 1

      While I agree with your sarcasm, I will say that there are a LOT of people actively involved in keeping those systems secure non-stop.

      --
      "A 'person' is smart. 'People' are dumb, panicky animals and you know that."
    9. Re: B...b...but government always BAD! by Anonymous Coward · · Score: 0

      The equivalent in Europe is the CE mark. However, some products carry fake CE marks. This doesn't mean it's not a good idea, just that policing of standards will be required.

    10. Re: B...b...but government always BAD! by Anonymous Coward · · Score: 0

      And how will the UL seal be revoked when an exploit is found later?

      IoT items are expected at commodity prices but last for 1-3 decades. This dichotomy isn't trivially solved.

    11. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 0

      The government took the money and gave it to smart people (i.e. people not in the government).

  4. The government to save us? by JcMorin · · Score: 4, Insightful

    So the government will pass a law and all IoT will be secure... that would be the US gouv I assume? All companies in the world will be complying to the new law? I would not count that for sure.

    1. Re:The government to save us? by Anonymous Coward · · Score: 0

      So the government will pass a law and all IoT will be secure... that would be the US gouv I assume? All companies in the world will be complying to the new law?

      It worked with the DMCA. That's an evil USian thing that companies all over the globe have been bending over backward for.

      It worked for US copyright laws. Look at what happened to Kim Dotcom and the various torrent trackers that, despite being perfectly legitimate in their home countries, have been taken down through USian influence due to US laws. I miss the entertaining replies the TPB people would post to takedown requests US companies would send them. ("Pull out a globe, dumbass. Our country is not a US state. The stupid US laws you're telling us to obey don't apply in other countries.")

    2. Re:The government to save us? by Anonymous Coward · · Score: 1

      The government is complicit, not responsible. Chaos is good for them; it creates a demand for control that we refused them over and over again. They're either gonna let it rot to replace it or fix it in their own mischievous way.

    3. Re:The government to save us? by Anonymous Coward · · Score: 1

      Well, the US, or the EU, or another country or bunch of countries with a sufficiently large population. It just takes a big enough segment of the market to demand better security, either through consumer or legislative action, that the loss of sales would outweigh the cost of better development.

    4. Re:The government to save us? by thegarbz · · Score: 1

      It gets even better. He's declaring the free market as incapable to solve a situation that is well and truly in its infancy.

      You know parents don't take kindly to people calling their toddlers retarded.

    5. Re:The government to save us? by Anonymous Coward · · Score: 0

      I miss the entertaining replies the TPB people would post to takedown requests US companies would send them. ("Pull out a globe, dumbass. Our country is not a US state. The stupid US laws you're telling us to obey don't apply in other countries.")

      And the U.S. companies said "Oh yeah? Watch this." And people went to prison.

    6. Re:The government to save us? by rudy_wayne · · Score: 2

      So the government will pass a law and all IoT will be secure... that would be the US gouv I assume? All companies in the world will be complying to the new law?

      I would not count that for sure.

      99% of all those IOT devices are made in China. If the U.S. created tougher regulations regarding security, it seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else. So the rest of the world would end up getting more secure devices also.

    7. Re:The government to save us? by Anonymous Coward · · Score: 0

      I'm pretty sure that he's correct when he assumes that the market itself will not be able to fix this.

      Have you ever seen an average business where security has been higher priority than pushing out the next release as fast as possible? Writing as much code as possible as fast as possible is what is important. I'm usually the person at my work who has to tidy up and fix everything. More often than not I pull on our "stable" branch before I am about to branch off a new branch and then I have to spend half a day fixing it before I can actually branch...

      I don't think any laws will change anything either, I'm just saying that things are actually really bad and they are not about to change any time soon.

      Hell, I'm even pretty sure there are powers inside most governments that want it this way, so they can spy on their own people and have bot nets themselves they can use in a potential "cyber war".

    8. Re:The government to save us? by Anonymous Coward · · Score: 0

      EXACTLY. In fact if you search for 'Security Certifications of IoT devices' you find a number of relevant links, here's just 1:

      http://www.darkreading.com/iot/new-internet-of-things-security-certification-program-launched/d/d-id/1325676

      Now, if Schneier wanted to do the world a favour & make money to boot, maybe just maybe he'd get involved in one of these or create a 'start up' that people who trust his name might then see as 'valuable' to the market. Of course that puts HIS name on the line potentially if a 'certification lab' is found taking money to just allow someone to slap a sticker on something without actual valued testing etc.

      Push comes to shove, 'society will just have to learn'. There is clearly stuff that the manufacturers can easily fix right off the bat but there may be 'configuration or maintenance' that individuals are responsible for that the manufacturer can't do anything about. Consider brakes on a vehicle: you can have the best brake design in the world but if you ignore maintenance the brakes can fail, and if you're in an accident that kills someone you don't blame the manufacturer unless you can prove it's a failure in their design (e.g. requiring a recall).

      Any time I see someone say we need government intervention to 'fix a market failure', I see a pessimist as all I see is a 'market opportunity' and someone who is 'lazy'.

    9. Re:The government to save us? by Anonymous Coward · · Score: 0

      No, more likely they'll just make it legal to sue the manufacturer when there's a defect in the product and bar the manufacturers from requiring people waive their rights to sue.

      Honestly, this isn't a hard problem to solve, it just requires idiots like you to think a few minutes before voting.

    10. Re:The government to save us? by lgw · · Score: 1

      seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else.

      They do this with almost everything manufactured in China - including the version with the branding, and the (sometimes local-only) cheap version without logos. Chinese manufacturing companies are really good at manufacturing these days, and can do custom runs easily.

      In the case of IoT, there'd certainly be a version with a backdoor for the Chinese government, so we can only hope there would be 2 versions.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:The government to save us? by Anonymous Coward · · Score: 0

      It could be every government, and it still won't matter.
      People that put faith in the government to regulate every little thing are morons.

    12. Re: The government to save us? by Anonymous Coward · · Score: 0

      Keep drinking the free market cola. Best hope it's not adulterated with anything too bad.

    13. Re: The government to save us? by Anonymous Coward · · Score: 0

      How well does your argument stand up if you substitute "electrical safety" for "security"?

    14. Re:The government to save us? by Bert64 · · Score: 1

      The law under which they were requesting the takedown didn't apply, but their actions were still illegal in their home country under other existing laws there.

      In most countries a DMCA request is meaningless and you have no obligation to comply with it, you are only required to comply with a court order issued by a local court. Especially when you are a hosting provider, as you're not responsible for the content in question anyway - your customer is.

      For the things I host (none of which is hosted in the US), I ignore DMCA complaints as the vast majority are just automated anyway. If I get a polite personal request from someone I'll usually look into it and may in turn make a polite request to the user who uploaded the content, but a templated DMCA demand just gets junked.
      The users I'm hosting are free to act on or ignore such requests as they see fit, but I won't be deleting their files or handing over their personal details unless a court order compels me to.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Why the hell... by Anonymous Coward · · Score: 0

    are these systems not designed with a basic level of security which would prevent most of this abuse?

    All of the information is widely available from SANS and the open source communities who develop the platforms which most of these are based on.

    At least there is until the vendor builds in default passwords or makes horrible cost-reduction decisions that invalidate the entire security scheme.

  6. The way this will be fixed.. by Anonymous Coward · · Score: 0

    ..is when the manufacturers get hit financially for the problems they cause. A few lawsuits against manufacturers of these shoddy devices will change the market quickly.

  7. The government can fix this? by hsmith · · Score: 0

    Really? The same one who let 30m clearance files on people get stolen by the Chinese because they didn't even leverage basic encryption? The congress which thinks the internet is just tubes? The FBI that thinks math is stupid and you can limit encryption?

    Yes, brilliant, you fucking idiot.

    1. Re:The government can fix this? by Gilgaron · · Score: 1

      Not directly, as you point out, but if they passed a law stating that the IoT makers were liable for misuse and made it easy to pin them on these things they'd be sure to secure them.

    2. Re:The government can fix this? by hsmith · · Score: 1

      What makes anyone think the government would want to do that? They'd much rather it be wide open so they can get into systems. The last thing they want is to push down hardened security.

  8. If there were only a backdoor by Anonymous Coward · · Score: 0

    then the government could fix it all for us.

  9. Not sure I see the logic of this conclusion by Anonymous Coward · · Score: 0

    How do they envisage government involvement solving this? It sounds like an administrative globally dispersed mess that governments would really struggle to have an impact on. Surely the simplest solution is for ISPs that don't deal with DDoS nodes to be blacklisted or otherwise punished by other firms? Currently ISPs do nothing about nodes in their network because there's a risk of degrading a customer's service until they sort out an exploited IoT device or some such; they need a consequence for not doing something, but surely government (outside of asking firms to act) isn't the right party for this?

  10. At the very least... by lance_of_the_apes · · Score: 1

    All IOT products need to be labeled as such. Then I can avoid them...

    1. Re:At the very least... by Anonymous Coward · · Score: 0

      One down, 100 million to go.

    2. Re: At the very least... by Anonymous Coward · · Score: 0

      The problem is when they become a botnet and start ddosing other sites you like. They most definitely can impact you.

    3. Re:At the very least... by Opportunist · · Score: 1

      Great. You avoid them. So do I. That's already half the problem done, now let's go and educate the millions of others who will buy those things.

      The problem is not you or me. The problem is that "internet connectivity" is another checkbox in the little card that gives people information about the appliance they're looking at at Wal-Mart, Costco and whatever other chains there are that can't give you any idea about the things they sell 'cause they themselves have no idea about them.

      And this TV has 6 checkboxes ticked, and that one over there only 5. What's that extra checkbox? "WiFi". Beats me what this is, but it's one checkbox more, let's buy that one!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:At the very least... by SeaFox · · Score: 1

      All IOT products need to be labeled as such. Then I can avoid them...

      This isn't hard.

      The device I'm about to purchase (check all that apply)
      __ has existed for decades, but has a computer built into it now, and did not normally have one prior to the year 2000.
      __ can control other simpler items in my house (i.e. lamps, garage doors, entry doors, climate control systems, security systems).
      __ connects to my household LAN.
      __ can be used from outside my own local area network through a smartphone app or a publicly accessible website that was not written by me.
      __ was made by a company that primarily makes PC accessories or peripherals (Belkin, Logitech, etc) or a company that is less than 8 years old.

      If you checked two or more lines it's an Internet of Things device.

    5. Re:At the very least... by Anonymous Coward · · Score: 0

      So what you are saying is that 'society at large has insufficient information about the issue to make a fully informed decision' about the products they are buying. Ok. So there are 2 ways to attack that:

      1) Rely on the government to pass regulations and hope that this doesn't become an entire 'boondoggle', where you have yet another large government agency with power but no money to 'enforce the regulations'. Not to mention the fact that all government 'regulations' do is provide for the 'minimum set of requirements a company must meet to indemnify themselves against a lawsuit' (whether or not this 'minimum set' meets the needs of the public at large is also open to WIDE debate). That is to say, there is NO incentive for any manufacturer to do BETTER than those government regulations AND they are indemnified against lawsuit by simply pointing at them and saying they meet 'all applicable laws'. Not only that, there simply is no incentive for the public to educate themselves about this as they figure 'the government is handling it', and when the problem doesn't go away or becomes worse the public screams at the government for doing or not doing 'something' and claims 'government incompetence' for the problem. Oh, and as an 'ancillary benefit' any 'back doors' that the government regulations mandate or at least don't cover are then open for exploit by the government & hackers without recourse to the law.

      2) Rely on 3rd party 'certification authorities' (such as UL Labs or others. Google for 'Security Certifications of IoT devices' and you'll see the 'market is working to fix the problem'). Now granted the public may only get 'educated enough' to wonder what that 'UL Security Certificate' on their IoT device means and just buy one because "I've heard it's important so it's nice they have that sticker". BUT it is then up to UL Labs or other certification authorities to 'educate the public' (so that THEIR certification program generates revenues for them); you end up with 'competing certifications' but then each of those 'gets better' over time as the competing certification authorities work to promote their brand as representing the 'highest level of security', and the devices get better in this regard as those certifications get better. Again the 'public at large' may not get down into the 'nitty gritty' of those certifications, but you, me & others (including Mr. Schneier) would, and when our pals, families etc. ask our advice we'd tell them which certification is 'worthwhile' or 'the best'. At that point 'security certification' becomes a 'tick mark' along with other features, the public in general has some better idea of what it means, starts demanding their products meet some such standards or they won't buy them etc. The other benefit being that any company found misrepresenting the level of certification or 'rigging tests' or paying off an authority can be sued by the PUBLIC over 'misrepresentation'/fraud under existing laws...see, no NEW laws need passing. As it is now, the IoT manufacturers aren't 'misrepresenting anything' because they don't say 1 word about it one way or the other. But as the certifications become more widely known (again the companies with such certifications have an incentive to educate the populace) AND those of us who supposedly 'know better' demand better, then the manufacturers do make statements which they can be legally held to.

      Hell, by the time the government gets around to 'regulating this' (probably at the behest of the manufacturers themselves rather than the public, because then the manufacturers will write the law and make it so it barely costs them anything AND they are guarded against lawsuits) it is very likely the problem will be WELL on its way to being 'solved' (given that the search I did indicates it's already started to be 'fixed' by some measure of 'fixed').

      I swear, people who think that an existing 'issue' (especially one in a 'new area of concern') should automatically be 'fixed' by government are the same type of people that would expect government to 'fix evolution' because 'it's not moving fast enough in creating new species or differentiation of the species'.

    6. Re:At the very least... by Anonymous Coward · · Score: 0

      All IdiOT products need to be labeled as such. Then I can avoid them...

  11. One solution by imbusy · · Score: 2

    Can we have a botnet that scans the internet for insecure devices and changes their password?

    1. Re:One solution by Anonymous Coward · · Score: 0

      How about infects them with code that damages their network stack and knocks them off the internet instead?

    2. Re:One solution by b0bby · · Score: 2

      It would actually be pretty great if there were a site which would let you scan the ip address you were coming from (so you couldn't use it against others) with a full Metasploit style array of checks. It could be helpful to a lot of home users who have a basic NAT router going on, maybe with some port forwarding so they can get to various devices like DVRs.

      Hopefully someone is going to chime in "You mean like..."

    3. Re:One solution by Anonymous Coward · · Score: 0

      It isn't only about insecure passwords. Most of these appliances run some form of old Linux with known exploits and/or some form of in house made web gui that probably is exploitable as well.

      You create an install image, sell the device and then probably issue a few updates the first year and then leave it as it is because you started to sell a new version, and then leave people hanging with a device they will use for years to come which is riddled with holes. And most users will probably not even install the few updates that were created...

    4. Re:One solution by Anonymous Coward · · Score: 0

      That's been an obvious thing since the days when metasploit (or its concept) was known as SAINT, and earlier SATAN (look it up).

      If this actually was deployed, things would improve, and a vast amount of the baked in FUD from the governments would evaporate. That FUD is being used by them as leverage to keep the system in a certain form and keep it from evolving to other forms. They argue that the other forms involve "dark dark places you don't even want to imagine". I argue that those places involve light shined on the darkness, such as what you described (each individual internet subscriber getting some real feel for their own security).

  12. How to fix this and other problems. by Anonymous Coward · · Score: 0

    Hold corporations, their executives, boards of directors, and stockholders, directly responsible, both criminally and financially, for the consequences of their mistakes.

    Your cars blow up if hit from the rear? Welcome to prison, Mr. CEO, BoD, and major stockholders.

    Your devices are insecure? They can be exploited by world and dog? Same thing.

  13. government interventions by silas_moeckel · · Score: 2

    or just turn off UPnP on your firewall?

    IoT to the cloud is a problem security wise. The bigger issue is that IoT devices should not be throwaway stuff. That means designing them to function as part of a home for 20+ years; the smarts need to be an IoT controller, not some cloud service that might still be around.

    --
    No sir I dont like it.
    1. Re:government interventions by Opportunist · · Score: 1

      Duuuuuh, upnp... is that the new detergent?

      Please realize what dimwits buy those crappy pieces of junk hardware. You honestly expect them to even know what they're doing?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:government interventions by Anonymous Coward · · Score: 0

      Real firewalls don't support UPnP. :)

    3. Re:government interventions by thegarbz · · Score: 1

      or just turn off UPnP on your firewall?

      Break my internet connection because of a misbehaving insecure device that should instead simply be blacklisted? No thanks.

      I have better things to do than manually manage port forwarding, and the collective world's shrug of shoulders when it comes to IP address space exhaustion has already broken end-to-end connectivity of the internet enough without disabling about the only part of home infrastructure that still prevents me from getting daily "son the internet isn't working again, can you drop by" calls.

    4. Re:government interventions by Anonymous Coward · · Score: 0

      Those "dimwits" shouldn't have to know what they're doing. They're buying a thermostat, not a computer! Thermostats are installed by plugging in power and control wires from the HVAC system, then screwing it to the wall. An IoT thermostat looks and feels like the same thing - though the fact that you need a friggin phone to change the settings should be a giveaway. But the IoT thing should never need to "break through" the firewall and should have a firewall of its own (defense in depth) just like the "real computer" in the house. Even Windows these days is moderately secure by default - has firewall up, though there are a few too many MS-communication holes for me to be really comfortable with 10 and outbound is still mostly free (can be fixed fairly easily).

      Then there are the ISPs. They more or less force you to take their gateway (yes, nerds can do better, but we're not talking nerds here). The firewall in that gateway should be set up by default so nothing but the standard non-PNP ports are allowed, in or out. Software that wants something else can ask for it, and if Mr./Ms. Dimwit doesn't know what that is the default should be NO and have it work anyway.

      Lotsa "shoulds" there and elsewhere. Lotsa "good security practices" around. None are followed by IoT or ISPs. How can we make use of what we know works (let alone what's better when it's developed) something standard? Government? Maybe, but only broad-brush; the details change too fast for regs let alone real laws to keep up. Industry standards? Maybe, but only if they are recognized in a way that allows courts to override the total-disclaimer, arbitration-only TOS if they're not followed and Something Happens. Education? Gimme a break - we're talking people who might know how to turn on the TV and are glad they no longer have a VCR that needs programming.

    5. Re:government interventions by silas_moeckel · · Score: 1

      Break what exactly? UPnP is not assumed to work; it's not some ancient protocol, it was a hack to get home users to let devices do whatever they want.

      --
      No sir I dont like it.
    6. Re:government interventions by silas_moeckel · · Score: 1

      A lot of IoT design is broken. My thermostats are all part of my home automation. They do not have an IP address, nor should they. I have a HA controller that has an IP address. Right now piles of IoT vendors are trying to make one-off "we can sell you a service at a few bucks a month" devices. Devices like these should last for decades. The model is broken; HA/IoT needs standard controllers, not some cloud thing. My old HA controller is perfectly capable of also being a wifi AP and firewall, and really most HA functions could easily be done on a modern wifi AP. It's a question of having the right radios to talk to everything.

      --
      No sir I dont like it.
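
The UPnP argument above (turn it off vs. keep it because it "just works") is easier to settle once you can see what UPnP has actually opened on your router. The script below is an added example, not code from the thread or from any vendor: it speaks the UPnP Internet Gateway Device protocol (SSDP discovery, then the WANIPConnection:1 GetGenericPortMappingEntry action) to list every inbound port mapping a device on the LAN has requested. The multicast address, service URNs and error code 713 are from the UPnP IGD specification; the hostnames in the usage note are assumptions. Parsing is kept in pure functions so the walk can be exercised with canned router replies.

```python
# Added example, not code from the original thread: list the port mappings
# UPnP clients have opened on a home router, via SSDP discovery and the IGD
# WANIPConnection:1 GetGenericPortMappingEntry action. Parsing is in pure
# functions; only discover() and http_post() touch the network.
import socket
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/"

def lname(tag):  # strip ElementTree's {namespace} prefix
    return tag.split("}")[-1]

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH datagram asking IGD root devices to reply."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_headers(datagram):
    """Lower-cased header dict from an SSDP reply (LOCATION = description URL)."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}

def find_control_url(description_xml, base_url):
    """controlURL of the WANIPConnection service, resolved against base_url."""
    for el in ET.fromstring(description_xml).iter():
        if lname(el.tag) == "service":
            f = {lname(c.tag): (c.text or "").strip() for c in el}
            if f.get("serviceType") == WANIP and f.get("controlURL"):
                return urljoin(base_url, f["controlURL"])
    return None

def build_soap(action, args):
    """(headers, body) for one WANIPConnection SOAP action."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}envelope/" '
            f's:encodingStyle="{SOAP_NS}encoding/"><s:Body><u:{action} '
            f'xmlns:u="{WANIP}">{inner}</u:{action}></s:Body></s:Envelope>').encode()
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#{action}"'}, body

def parse_mapping(response_xml):
    """Mapping dict from a GetGenericPortMappingEntry reply; None on UPnP
    error 713 (SpecifiedArrayIndexInvalid), sent once the index runs past the table."""
    for el in ET.fromstring(response_xml).iter():
        name = lname(el.tag)
        if name == "errorCode":
            if (el.text or "").strip() == "713":
                return None
            raise RuntimeError(f"UPnP error {el.text}")
        if name == "GetGenericPortMappingEntryResponse":
            return {lname(c.tag): (c.text or "").strip() for c in el}
    raise ValueError("unrecognised SOAP reply")

def list_mappings(control_url, post):
    """Walk NewPortMappingIndex 0,1,2,... until 713; post(url, headers, body) -> str."""
    mappings = []
    for index in range(65536):
        headers, body = build_soap("GetGenericPortMappingEntry",
                                   {"NewPortMappingIndex": index})
        entry = parse_mapping(post(control_url, headers, body))
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def http_post(url, headers, body):
    """Real transport; UPnP faults arrive as HTTP 500 carrying a SOAP body."""
    try:
        with urlopen(Request(url, data=body, headers=headers), timeout=5) as r:
            return r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.read().decode("utf-8", "replace")

def discover(timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            return parse_ssdp_headers(s.recvfrom(4096)[0]).get("location")
        except socket.timeout:
            return None

if __name__ == "__main__":
    location = discover()
    if not location:
        raise SystemExit("no IGD answered SSDP; UPnP may already be off")
    with urlopen(location, timeout=5) as r:
        control = find_control_url(r.read().decode("utf-8", "replace"), location)
    if not control:
        raise SystemExit("router advertises no WANIPConnection:1 service")
    for m in list_mappings(control, http_post):  # each line is a hole in the NAT
        print(f"{m['NewProtocol']:<3} ext {m['NewExternalPort']:>5} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']}  "
              f"{m['NewPortMappingDescription']!r} lease={m['NewLeaseDuration']}s")
```

Run it from a LAN host and compare the list against the forwards you remember creating. A mapping with an empty or generic description, a lease of 0 (permanent) and an internal client that is a camera or DVR is exactly the exposure the Krebs botnet fed on; the same SOAP action with AddPortMapping is how the device opened it, and a router with UPnP disabled returns nothing to discover() at all. The audit needs no credentials, which is the point: neither did the device.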
  14. But! by fluffernutter · · Score: 1

    But markets solve ALL problems!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:But! by Opportunist · · Score: 1

      Markets solve all problems for themselves. Not anyone else.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: But! by Anonymous Coward · · Score: 0

      Geewhiz! I thought the DMCA solved all problems.

    3. Re:But! by Anonymous Coward · · Score: 0

      I presume you think this is 'witty' but it isn't...now had you said 'Manufacturers solve all problems for themselves. Not anyone else' THEN you might be getting somewhere. And it is via 'government regulation' that those manufacturers 'solve all problems for themselves' because who the HELL do you think WRITES those regulations?

      You & the parent should do a search for 'Security Certifications of IOT devices' and guess what? You'll discover that indeed the 'market is solving the problem' and these certification authorities have 0 incentive to rig their certifications on behalf of any given manufacturer or rely on the manufacturers to 'define/write' the certification. While, ok any 'single certification authority' might in order to make a 'quick buck' but when those of us who know better start calling them out that incentive dies quickly.

      Now, you can debate all you want in respect to the value, competency, trustworthiness etc. of any single one of these 'certification authorities' and whether or not they have YOUR best interests at heart but what we know for SURE is that the market is driving faster than the government (proof of same is in the search) to 'solve the problem', the market has less incentive to 'game the system' vs the government (again really the manufacturers who'll write the regulations), AND that the populace at large is far more likely to become 'educated' about the problem as its a direct incentive for the 'certification authorities' to do so, as opposed to the public at large sitting back and saying 'o the government is dealing with this so I don't have to think about it at all'.

    4. Re:But! by Bing+Tsher+E · · Score: 1

      But markets solve ALL problems!

      So your corollary is that juntas solve all problems??

  15. Feedback by phorm · · Score: 1

    If these devices are so trivially insecure and easy to get into, maybe the best way to deal with them currently is to use the same exploits used by blackhats to knock them offline.

    1. Re:Feedback by Opportunist · · Score: 1

      And exactly that is illegal. Sure, a blackhat doesn't care, but a company that could (and, in this lawsuit-happy country, certainly WOULD) be sued does.

      In that fucked up system someone who is not only stupid enough to buy such a crappy piece of junk but also stupid enough to not even WANT to know a thing about its function and dangers could actually sue someone trying to fix the problem AND get rewarded. Yes, this system rewards stupidity and punishes anyone trying to save it from the stupid. Wrap your mind around that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Feedback by phorm · · Score: 1

      Yup. I wasn't suggesting that just anyone should do it, but - assuming that laws might be passed regarding the securing of IOT devices - there could probably also be dispensations made for removing bad devices from the internet.

    3. Re:Feedback by Opportunist · · Score: 1

      Whoa, careful there! Who gets to define what a "bad device" is?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Feedback by phorm · · Score: 1

      Infected devices shown to be participating in a botnet/attack?

    5. Re:Feedback by phorm · · Score: 1

      I should clarify that I've had something similar to this happen to me in the past.
      (a long time ago) I had a server which was running a squid proxy. The proxy was fairly open but the firewall rules prevented it from being accessible outside of my LAN unless one SSH'ed in. During an upgrade I broke the firewall rules and accidentally had it open to the world, after which some jerk/jerks hijacked it for nefarious purposes.

      Somebody traced it back to my IP, and my ISP verified it was an issue then killed my internet service and left me a voicemail letting me know. Once I fixed the issue they double-checked and let me come back online.

      I'd imagine a similar situation for infected devices, but perhaps just knocking the offending device offline if possible (ISP could probably do this from the modem/router if it's one they control, or if the device is accessible via a crappy backdoor it could be told to shutdown).

      So long as this follows a proper process with records to show why, I'm actually quite cool with it. I realize a lot of people are wary because of the BS "3 strikes" laws, but it should be easier to show that somebody is participating in a botnet than deep-dive their traffic to check they aren't downloading hurtlock.mkv...
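
What phorm describes, an ISP that can show a subscriber is participating in an attack before pulling the plug, comes down to what the access network can see in flow records. The detector below is an added example, not code from the thread or from any ISP: it runs over NetFlow-style records and scores the two behaviours a Mirai-class bot exhibits, a telnet sweep (one source probing many hosts on 23/2323, how the botnet recruited) and a coordinated flood (several subscribers converging on one dst:port at high packet rate, how it attacked Krebs). The record format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for illustration.

```python
# Added example, not from the original thread: a first-pass check an ISP (or
# anyone with NetFlow/IPFIX export from their edge) could run to tell whether a
# subscriber address is behaving like a Mirai-class bot. Records, addresses
# (RFC 5737 ranges) and thresholds are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}

@dataclass(frozen=True)
class Flow:
    start: int      # flow start, unix seconds
    src: str
    dst: str
    dport: int
    proto: str
    packets: int

def parse_flows(text):
    """One record per line: 'start src dst dport proto packets'; '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            t, src, dst, dport, proto, pkts = line.split()
            flows.append(Flow(int(t), src, dst, int(dport), proto.upper(), int(pkts)))
    return flows

def detect(flows, window=60, scan_hosts=50, flood_pps=1000, coordinated=3):
    """Return {src: [reason, ...]} for sources that look bot-like.

    A flood is only reported when at least `coordinated` distinct sources hit
    the same dst:port in the same window: one house pushing 1500 pps may be a
    speed test or a game; several houses hitting one target together is what
    a botnet DDoS looks like from the access network."""
    telnet = defaultdict(set)   # (window, src) -> distinct hosts probed on 23/2323
    pkts = defaultdict(int)     # (window, src, dst, dport, proto) -> packets
    for f in flows:
        w = f.start // window
        if f.proto == "TCP" and f.dport in TELNET_PORTS:
            telnet[(w, f.src)].add(f.dst)
        pkts[(w, f.src, f.dst, f.dport, f.proto)] += f.packets

    heavy = defaultdict(set)    # (window, dst, dport, proto) -> sources above flood_pps
    for (w, src, dst, dport, proto), n in pkts.items():
        if n / window >= flood_pps:
            heavy[(w, dst, dport, proto)].add(src)

    reasons = defaultdict(list)
    for (w, src), hosts in telnet.items():
        if len(hosts) >= scan_hosts:
            reasons[src].append(f"telnet sweep: {len(hosts)} hosts on 23/2323 within {window}s")
    for (w, dst, dport, proto), srcs in heavy.items():
        if len(srcs) >= coordinated:
            for src in srcs:
                pps = pkts[(w, src, dst, dport, proto)] // window
                reasons[src].append(f"flood: {pps} pps to {dst}:{dport}/{proto} "
                                    f"alongside {len(srcs) - 1} other subscribers")
    return {src: sorted(r) for src, r in reasons.items()}

def sample_flows():
    """Constructed one-minute slice of an access network, not real traffic."""
    lines = ["# start src dst dport proto packets"]
    lines += [f"1000 203.0.113.10 192.0.2.{i} 23 tcp 1" for i in range(1, 61)]   # telnet sweep
    lines += [f"1005 203.0.113.{s} 198.51.100.7 80 tcp 80000" for s in (11, 12, 13)]  # 3 homes, 1 target
    lines.append("1010 203.0.113.14 192.0.2.50 443 tcp 90000")    # one heavy talker, alone
    lines += ["1020 203.0.113.15 192.0.2.60 443 tcp 40",
              "1021 203.0.113.15 192.0.2.61 80 tcp 12"]            # ordinary browsing
    return "\n".join(lines)

if __name__ == "__main__":
    for src, why in sorted(detect(parse_flows(sample_flows())).items()):
        print(src, "->", "; ".join(why))
```

On the constructed slice this flags 203.0.113.10 for the sweep and .11, .12 and .13 for the coordinated flood, while .14 (heavy but alone) and .15 (browsing) pass. The reasons list is the record phorm asks for: it names the window, the target and the corroborating subscribers, which is a far narrower claim than anything a content filter has to make, and it gives the subscriber something concrete to fix when the voicemail arrives.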

    6. Re:Feedback by Anonymous Coward · · Score: 0

      A device which can be damaged from internet by somebody else than its owner is a bad device.

    7. Re:Feedback by Anonymous Coward · · Score: 0

      Umm, given your clarification below with respect to your squid proxy WHY does any law need to be passed to give/provide any particular 'dispensation'. Your squid proxy was very likely violating your ISP's terms of service and as such they are already fully within their rights to shut your connection down. Just as you indicate I have 0 problem with that at all. Not that I RELY on this as a security measure for my home network, but its nice to believe that my ISP is actually watching for such things & would disconnect my network if they discovered some issue emanating from it.

      Provided they treat you like a human being, then you have no reason to complain otherwise. And by 'human being' I mean they don't immediately think YOU are at fault, give you a reasonable opportunity to fix the issue etc.

      Since I work from home it would be 'disconcerting' and I'd probably mumble, bitch & complain to myself as to why my network is down but once I called & found out why I'd go in to 'overdrive mode' to fix the issue.

      Hell there is a LEGITIMATE market opportunity for ISPs to sell their customers extra services to help them 'secure their home networks' though of course they should 'allow for competition'. But right there that's the problem, because of government regulation (local, state & federal) most people are 'locked in' to a single ISP (at least for home internet) and thus there's no real competition for ISPs either. So now you have to rely on government regulation to ensure an 'open market for security services on home networks', and now you have 'regulation upon regulation upon regulation', all of which were 'expected to solve the problem', though in reality they just caused more (foreseen AND unforeseen ones).

      I don't get this reliance on 'government' to 'solve issues' when it is arguably demonstrable that all the government does is cause more issues, add more regulations that add more cost or those regulations are written for the benefit of some company not the people themselves.

      Seriously, I want 1 person to provide a COGENT argument as to why any particular 'government sponsored monopoly' for something like cable or POTS line service was EVER needed. Arguments that 'it costs too much so we have to provide an incentive' are 'null & void'; if it costs too much then the service shouldn't be provided, pure & simple.

    8. Re:Feedback by Opportunist · · Score: 1

      No matter how you word it, you can bet your CPU that the ??AAs will try to make computers running torrent software "bad devices".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Fuck you statists! The Market will solve this... by NoNonAlphaCharsHere · · Score: 1

    Tech-clueless buyers will naturally gravitate to Internet-enabled toasters and refrigerators that cost twice as much money but can't be pwned with minimal effort by fourth-graders; and the problem will solve itself -- right after donkeys fly.

  17. Article written by an idiot.. by Anonymous Coward · · Score: 0

    from the article: "but the only way for you to update the firmware in your home router is to throw it away and buy a new one."

    Really? Seriously? Just what is this dingbat purchasing?

    I have not owned a home router in the last 22 years that I did not update the firmware on.

    1. Re:Article written by an idiot.. by BitterOak · · Score: 0

      I know. Hasn't the guy heard of Tomato?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  18. Technically we built it to be the IoT at first by WillAffleckUW · · Score: 2

    Seriously, we built cameras that watched coffee pots, and coke machines, and watched the crystallography doors to see if people went to lunch so we could get console zero and run stuff.

    It's just you n00bZ that think it's all you unwashed masses that we built it for.

    That said, just because you can do something, doesn't mean you should.

    My fridge should stop pinging the toaster, it's just rude.

    --
    -- Tigger warning: This post may contain tiggers! --
  19. This is unpossible! by Opportunist · · Score: 1

    The market is the only thing that could save us. Government is bad! BAD, I tell you! Trust the invisible hand to squash those problems! The market will sort it out!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:This is unpossible! by Anonymous Coward · · Score: 0

      I'm retarded

      You don't think people will replace the light bulb that just doubled their power bill and doxxed their small business, then got them several letters from their ISP complaining about botnetting?

      Holy shit, you see a problem and then immediately demand why a solution wasn't come up with 20 years ago -- therefore we need to put shackles around our necks and let a few thousand boots stomp on our faces to make us feel better.

  20. IOiT by h8sg8s · · Score: 1

    No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

    --
    Organization? You must be joking..
  21. Strict liability by Anonymous Coward · · Score: 0

    If hardware/software vendors were liable just like real engineering firms that build bridges or make cars or airplanes are, the crap would stop.

    Of course, all the "programmers" who think coding is an "art" would be out of work....

  22. government would make it worse by locopuyo · · Score: 1

    There would be a government mandated certification that wouldn't actually ensure things are more secure.
    It would be an expensive and slow process so start-ups and small scale companies can't compete with the big corporations.

    1. Re:government would make it worse by Anonymous Coward · · Score: 0

      Which Government? US? China? France? the EU?

      ISPs could fix it by cutting them off the Net, but they have no incentive either.

  23. This is where gov helps by mx+b · · Score: 1

    No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

    I see comments flipping out already about "how can government fix things?". Well, thru stuff like fines. I've heard the FCC is investigating IoT type vendors. If the FCC can fine companies, or even ban them from selling products in the US until they meet a minimum standard, that will have a huge effect on these companies' behavior.

    So far, they make cheap crappy things with crappy firmware, and users/customers aren't tech savvy enough to know how to pick a device with better security features. In fact, there's no way for even a professional to tell from the box or specs. So the company has made their money from you before you know it's bad. We need regulations and perhaps some gov/non-profit testing labs for these devices. Between regulations/fines, and some rating system to allow users to make best decisions, we can change how the market behaves.

  24. Why government intervention all the time? by Anonymous Coward · · Score: 0

    Why is the immediate 'knee-jerk reaction' the need for government to step in. Here's a legitimate 'market dynamic' that can be used to 'fix the issue' using only the market.

    1) People impacted by a DDOS identify the devices used in the attack.
    2) Sue the owner of the device based on the premise that they are the owners of that device.
    3) The owner of said device can then either try to sue the manufacturer or fix their device.

    The expectation is that over time the public at large would 'wake up' and extract guarantees from IoT manufacturers with respect to the security of their devices rather than just ignore that altogether when they buy their fancy new Amazon Echo or whatever other 'toy' they want to buy today without any care in the world of whether or not the device is 'crappy'. At this point the only thing the general public cares about is the features of a product without any regard to its 'safety'. It would be like buying a car because it's faster or more comfortable or whatever while ignoring that it's made of flimsy aluminum or might blow up in an accident.

    That is not to say I'm totally stupid here. You could for instance have a properly constituted entity define a 'contract' with respect to security that a device must have, you could then use the 'power of government' to extract promises from companies that they'll meet these contractual requirements, and then otherwise advertise in regards to the importance of these guarantees so that consumers would have 'requisite knowledge' in selecting those IoT devices. The 'power of government' here is only the 'threat of regulation' not actual regulation.

    Let's take ISO 27001 for instance. That's not a 'government regulation', but you can obtain certification for it that is 'generally recognized in the community'. You could have such certifications for IoT devices themselves, where for instance someone like 'consumer electronics' rates the security of IoT devices and makes a big deal about it. Seriously, this seems like a great opportunity for someone to make money based on their knowledge and building a name representing 'faithful authority' that companies making IoT devices would want to get their 'approval' (certification) for their devices. You could I guess call this a 'market failure'; I'd call it a 'market opportunity'.

    1. Re:Why government intervention all the time? by psycho12345 · · Score: 2

      Here's the issue

      1) Good luck doing this. It currently is tricky as is.

      2) Here's the REALLY fun one. You identify the entity with the device, they live in another country. You now lack any legal power to influence them whatsoever, unless you have the money to file an international complaint/lawsuit, assuming it is even possible.

      2a) Assume your suit goes through, it gets promptly ignored. A random hacked Chinese/Russian/Australian/German user is not going to care what some person in another country thinks.

  25. Can't see how... by DriveDog · · Score: 2

    ...a national government can fix this, and I believe in appropriate laws and regulations. Unless we wall off the internet into national subnets, and I sure don't want that. I can imagine an international organization in which states become members by agreeing to track and prosecute DDOSers and manufacturers of insecure devices and disallow nonmember states from connecting. Works for a year or two until scope creep turns the organization into a surveillance and enforcement nightmare.

    1. Re:Can't see how... by Wyzard · · Score: 1

      Can't see how a national government can fix this

      By making manufacturers liable for damage done by their insecure devices.

      Insecure software is an externality: the manufacturer creates the vulnerability, but the customer (or the whole public) bears the cost when it's exploited. Free-market competition is good at optimizing for minimum cost, but by default, externalities aren't included in the cost being optimized. That's why you get cheap, insecure devices.

      If manufacturers are held liable for damage done by security flaws in their devices, that cost is no longer external. The manufacturer bears the cost of its own insecurity, and has an incentive to reduce that cost. Security becomes cost-effective, and competition will reward the manufacturers who do it the best.

      The government doesn't have to mandate that devices be secure. It doesn't have to verify that devices are secure. It just has to make the manufacturer liable when a device is insecure, and the market can do the rest.

      (This will, however, generally raise the price of devices. The cost of security gets transferred more directly to the customer, instead of foisted onto the public.)

    2. Re:Can't see how... by Anonymous Coward · · Score: 0

      Yes, I understand what you're saying, but the point is that it's not going to work internationally, when devices could be made anywhere, out of the reach of courts, and deployed anywhere. Such a scheme is just going to ensure that no manufacturer or seller bases anything in the US or western Europe. We can't even tell the real country of origin of food half the time. Maybe we could give the DEA a new mission, in which it would be just about as successful as the old.

    3. Re:Can't see how... by Anonymous Coward · · Score: 0

      One problem with this is that it relies on the people managing the devices to apply updates. If they never update, it's not the manufacturer's fault when the device is hacked, and applying fault to them would be ridiculous and stifling. I mean, apart from devices that are broken from the outset, there are cases where the manufacturer makes perfectly good software, but bases it on common libraries that have bugs. Is it a manufacturer's fault if they use OpenSSL and suddenly a vulnerability like Heartbleed happens? Imagine if we applied the standards you're proposing to computer manufacturers.

      Don't get me wrong. I work with industrial IoT devices, and lots of people really just don't care. I've seen things running Debian 3 where the root password is limited to 8 characters and stored as an MD5 hash. It took my 4-year-old laptop using an Nvidia GPU like 4 hours to conduct a brute force attack against that thing. And had I used a dictionary it probably would have been minutes given what the password turned out to be. But there are people out there who try, and they don't deserve to be under a constant threat of lawsuits for things that aren't their fault.

    4. Re:Can't see how... by Wyzard · · Score: 1

      It's one thing if you've made a conscientious and competent effort to build a secure product, and you provide security updates for a reasonable support period afterward. The point isn't to punish vendors for not being perfect; responsibility for an attack ultimately lies with the attacker, after all, and the vendor is a victim too.

      Something like an open telnet port with a hard-coded password, though, is gross negligence. Heartbleed might not be the device vendor's fault, but not providing a firmware update to fix it, for devices that haven't reached a reasonable end-of-life date, is gross negligence. Continuing to ship something like Debian 3, which reached end-of-life and stopped getting security updates more than a decade ago, is gross negligence.

      That's the sort of thing that vendors ought to be held liable for. Gross negligence in the security of your product makes you an (unwitting) contributor to the attack, not an innocent victim.

      Getting updates actually installed on devices, after they're released by the vendor, is tricky. It may be a good idea to have the device just update itself automatically, though that opens a different can of worms relating to forced updates and people's control over the devices they own. But if the owner chooses not to install a security update within some reasonable time period after it's released, maybe the owner should be liable for some portion of the damage when the device ends up participating in an attack.

  26. IoT devices = advertisers' wet dream by Anonymous Coward · · Score: 0

    Think about this: soon almost everyone will own an IoT refrigerator. Refrigerators are large purchases, so you probably won't pay cash, and you'll probably also register the product with the manufacturer. If you didn't register the product, then the fridge company may still be able to find out your real identity from the seller.

    Now for the devious part: Your fridge will phone home to the manufacturer every day. If the fridge company knows your real name, they can provide a real-name database keyed on IP address.

    The more IoT things you purchase, the greater chance the advertisers will be able to figure out who you are, because chances are pretty good that you'll reveal yourself by registering one or paying for one with a credit card. And not even IPv6 will save you from that, because all of your devices will be on the same 64-bit subnet.

  27. Pass law that allows 3rd party to brick devices by Anonymous Coward · · Score: 2, Insightful

    Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.

    Script kiddies can then have fun bricking insecure devices found on the internet, and users will be forced to care about the security of the IoT devices that they run. And if users care more, then device manufacturers will respond.

  28. Many 'IoT' devices are unnecessary anyway by Rick+Schumann · · Score: 1

    Many of these 'IoT' devices are literally solutions in search of a problem, being pushed by overeager marketers looking for a new way to get your hard-earned dollars. Honestly, ask yourself how many of these things you really need. Some of them are useful, granted, but most of them are just toys that you can get along just fine without, and remove a layer of complication from your life in the process.

  29. The internet doesn't need saved by Anonymous Coward · · Score: 0

    New devices utilizing the best communication infrastructure ever created will make lives better.

  30. Now you want the gubbermint to save yer ass? by Anonymous Coward · · Score: 0

    You failed policymaking 101, now live with the consequences.

  31. JUSTICE IS SERVED! by TiggertheMad · · Score: 1

    Modifying software/firmware on computers and devices that you don't own or have not been explicitly granted access to is criminal hacking, and a federal felony. Your suggestion might work, but I suspect that the definition of 'white hat' doesn't include incurring hundreds of thousands of counts of a felony activity.

    Perhaps the word you were looking for is 'Vigilante'?

    --
    HA! I just wasted some of your bandwidth with a frivolous sig!

    1. Re:JUSTICE IS SERVED! by Bert64 · · Score: 1

      Not everywhere, simply get someone in a jurisdiction where it's not illegal to deploy such tools and do the whole world a favor.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  32. not a market failure by ooloorie · · Score: 1

    That's not a "market failure", it's a government failure: the way liability is handled for software and security, companies get away with selling insecure crap without anybody being able to sue them for damages.

  33. The government? by Watter · · Score: 1

    "...it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."

    Are you kidding me? I work for a company that is betting its future on IoT in the manufacturing and heavy equipment area. I promise you, it's the evil 'ole "market" that is causing us to focus a HUGE portion of our resources on security. How do you figure it isn't in every IoT maker's best interest to deliver secure products? They may be failing right now but those that do it right will win in the market. This isn't 2002 when security was an afterthought. Even tech novices are aware of security issues these days and demand it from the companies that supply them.

    Show me one time where the government has gotten something like this right! They can't even handle their own security and you want them crafting regulation to manage the security of everyone else? The mind boggles.

  34. but but but by Some_Llama · · Score: 1

    the free market can fix all things, regulation is bad and hampers the self correcting free market.

    1. Re:but but but by Bing+Tsher+E · · Score: 1

      Another content-free garbage comment.

  35. Huge mistake in his article by Anonymous Coward · · Score: 0

    I used to have a ton of respect for Bruce. But then I read this nugget in the article:

    "But the only way for you to update the firmware in your home router is to throw it away and buy a new one."

    Seriously? I've been applying router vendor firmware updates since the wireless-G days.

    Egregious mistake, or FUD on his part? I'm not sure which is worse.

  36. How much bandwidth do these things need? by wjcofkc · · Score: 1

    Surely most IoT devices need very little bandwidth to call home. Let's limit that to the minimum and call it standards based. For example, if an IoT device truly only needs say 5k of bandwidth here and there, then limit it to that. Better yet, work to limit the bandwidth all IoT devices need. Real security is even better, but we all know that takes a back seat.

    --
    Brought to you by Carl's Junior.

    1. Re:How much bandwidth do these things need? by I4ko · · Score: 1

      Hard with cameras. They really need to be able to upload to the offsite FTP server as fast as possible

  37. Copyright Law to the rescue? by Anonymous Coward · · Score: 0

    There is (conceivably) a remedy available under Copyright Law. Many of these "Internet of Things" devices (in particular, network cameras) run (at least some) libraries that were licensed under the GNU LGPL. One of the conditions of the LGPL is that users be able to - at will - replace the device's LGPL'd libraries with their own version (with the same API). If these devices do not have such an 'upgrade' mechanism available (and I suspect that few, if any, do), then they could find themselves legally liable.

    If the device manufacturers feel that they're at risk here, then this may motivate them to make their products more easily updatable in the future.

  38. Open Source to the Rescue by redcliffe · · Score: 1

    I feel like in a way we need more open source firmware options. Sure most of these run Linux, but it's the configuration and front end custom software that's the problem. If there were a good standard open source distribution for different devices that was secure by default maybe this would be better.

  39. All IOT TCP traffic should be non-routable by Anonymous Coward · · Score: 0

    IOT devices will always have serious security vulnerabilities. The cost of a vulnerability is on the customer, not the manufacturer. The manufacturers don't care if their device becomes part of a DDOS attack or spyware/malware server.

    Just about everyone with a high speed network connection has a firewall of some sort.

    The solution is for the FCC to require all Cable, DSL or Fiber modems to distinguish between a PC running a maintainable OS vs. an IOT device running an embedded OS with no option for maintenance. The router would then block all connections between the IOT device and the outside internet. Thus an IOT device cannot be hacked from the internet and cannot be part of a DDOS attack. If the IOT device needs to communicate with the outside internet, a PC with a maintainable OS must act as a network proxy.

    Use one of the Option fields in the TCP/IP connection header to indicate an IOT device vs. a computer that can be maintained. IOT devices MUST use an Option field with a Kind value of 4 [non-routable] and a length of 1 byte if the manufacturer does not provide regular updates to the firmware for at least 7 years after the date of manufacture.

  40. IoT clusterfuck by Chas · · Score: 1

    On its surface, the IoT sounds like a neat idea.

    Unfortunately, in implementation, it's a raging clusterfuck.

    Basically, just because you can connect ANYTHING to a network doesn't mean you SHOULD.

    --
    Chas - The one, the only.
    THANK GOD!!!

  41. Why support the unbacked claim on this? by MyFirstNameIsPaul · · Score: 1

    The government proposes to add a backdoor to all encryption systems, and Schneier, an encryption expert, immediately goes to bat, contributing to and promoting large amounts of nuanced study on the matter to explain why such a proposal will fail. Then, on this networking issue, Schneier provides a completely unbacked claim that the Government is somehow going to magically fix something. I guess because Schneier is a "good guy" I should just assume that his completely unsubstantiated, critical-thinking-free solution is the one that we should support.

    There is nothing the U.S. Government can do about hacked IoT devices in other countries. How about that one, Schneier? Are you even going to admit that the fundamental core of the World Wide Web is a substantial part of the problem, and cannot be addressed by U.S. government legislation?

    Schneier's claim is barely three weeks from the date of the event, and Schneier is boldly proclaiming the market has failed. Puh-lease. There are very few, if any, events of this magnitude that any "solution", private or public, can take care of, or even propose to take care of, in such a short time.

    Brian Krebs has clearly been the victim of some malicious actor, and as such must have methods for being made whole. These options do not even seem to merit any evaluation by Schneier.

    --
    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  42. Where's the Krebs DDOS analysis? by Anonymous Coward · · Score: 0

    Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things.

    Is this a substantiated statement? I know Krebs said it was likely, but has there been an analysis to establish it for sure? Seems like it wouldn't be that hard to trace IP addresses back to IoT devices and nmap them for identifying indicators.

    1. Re:Where's the Krebs DDOS analysis? by I4ko · · Score: 1

      OVH said it

  43. The problem by Anonymous Coward · · Score: 0

    ... the IoT is wildly insecure ...

    Because online security is an aftermarket issue; for both the vendor and the buyer. Because insecure IoT devices are profitable, they will continue being insecure. Capitalism is inefficient, even in a free market, because buyers aren't rational or properly informed. The solution is government-enforced standards on the IoT device and the network gateway, or creating demand (See marketing campaign: See shoe event horizon) for an aftermarket home-network security device.

  44. The "standards" dilemma by Anonymous Coward · · Score: 0

    Standards, for both hardware and software, are very useful things. We get all the interchangeability and interoperability they provide with a sprinkling of the usual benefits of mass production.

    There's one problem, however, and it's a doozy: Human beings are not perfect and benevolent.

    As a result, there are people with malicious intent always looking to exploit stuff, and on the other side there are imperfect people trying to construct perfect defenses. By definition, this construction of perfect defenses is impossible. It is therefore the case that standards actually serve the malicious. Any webcam or other standard gadget which complies with standards can be probed and detected in standard ways. When detected, these "standard" devices can be identified and then exploited based on the knowledge that they are identical to many others which have been found to be exploitable. Botnets are only possible because of standards and standardized hardware and standardized software.

  45. Straightforward solution by sigmabody · · Score: 1

    As with other instances where the ROI for implementing good computer security is not there, with potentially disastrous societal consequences...

    Make manufacturers liable for damages if their devices are compromised for malicious purposes (DDOS, PII extraction, etc.). Make anyone collecting PII or selling a network-connected device have insurance to cover liability for losses due to security. Bam, problem solved: the insurance market will create the implied ROI (vis-à-vis reduced insurance costs), and businesses will either modify their products or behavior accordingly. The solution also side-steps most of the traditional and vexing issues with government oversight (e.g.: since there's no government-specified "security standard" or anything, there's no potential to make a gigantic mess of that).

    It seems so obvious, but I suppose that's why it's seemingly entirely inscrutable to the people in government...

  46. Bruce Schneier: I'm old and scared by swalve · · Score: 1

    If he is so smart, why is he writing letters to the editor instead of working toward a solution?

    1. Re:Bruce Schneier: I'm old and scared by Bing+Tsher+E · · Score: 1

      Bruce Schneier is a journalist/popular-writer. He wrote a precedent-breaking book on Cryptography. He didn't write it because he was a cryptographer, he wrote it because he dared to do so when a lot of other people were afraid to do so. Out of this, he established a punditry that allows him to pretend to be a 'smart cryptography expert.' Sometimes he's even billed as a 'security expert.' But really he's a popular writer who writes for nerds. Not an expert who could contribute a solution.

    2. Re:Bruce Schneier: I'm old and scared by Anonymous Coward · · Score: 0

      Pretend to be a smart cryptography expert? What about these?

  47. Never Say Never by Anonymous Coward · · Score: 0

    "can't get fixed" is technically incorrect, considering that a good swath of these IoT devices can take firmware updates. For some of these devices (like select IP video cameras) patched-to-date, open-source software exists.

    "won't get fixed" by a public further numbed to tech work by an onslaught of overly simplistic, non-rooted devices (in the majority of cases where an upgrade path exists).

    What's the solution? Please don't say metered Internet connections!

    Legislating against proprietary firmware locking is probably the best possible first step...

  48. underlying insecurity by bigtreeman · · Score: 1

    The internet will never be secure while it is based on insecure hardware and protocols.

    --
    Go well

  49. Only government can save us! by Anonymous Coward · · Score: 0

    Give me a break. This problem is caused by government in the first place protecting losers like this from their rightful retribution at the hands of a vengeful market. Any attempt to correct the problem will run into its biggest obstacle, government regulation. Just another slashdotfalsememe.

  50. BCP38 by Anonymous Coward · · Score: 0

    The internets needs to get real. BCP 38 everywhere.

    http://bcp38.info/

    Let's just start with the common sense approach as outlined in bcp 38.

    Once spoofing is largely eliminated, then let's go after stupid vendors. Tracking owned devices will become way simpler once spoofing is done for.
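    Source-address validation as BCP 38 describes it, shown as an added Python example that is not from the comment above or from bcp38.info: a provider-edge router forwards a packet arriving on a customer interface only if its source address belongs to a prefix assigned to that customer. The interface-to-prefix table and the packets are constructed for the example.

```python
import ipaddress

# Constructed provider-edge table (assumption for the example): each
# customer-facing interface and the prefixes allocated to that customer.
# A real router derives this from its allocation/routing data.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:100::/48"],
}


def build_filter(table):
    """Parse the prefix strings once into ip_network objects."""
    return {
        ifname: [ipaddress.ip_network(p) for p in prefixes]
        for ifname, prefixes in table.items()
    }


def ingress_permitted(filter_table, ifname, src):
    """BCP 38 strict ingress check.

    A packet entering on a customer interface is permitted only if its
    source address lies inside a prefix assigned to that interface.
    Malformed sources and unprovisioned interfaces are denied by default.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not a parseable address: drop
    nets = filter_table.get(ifname)
    if nets is None:
        return False  # interface not in the table: default deny
    return any(addr.version == n.version and addr in n for n in nets)


def filter_packets(filter_table, packets):
    """Apply the check to (interface, src, dst) tuples.

    Returns the forwarded packets and a per-interface count of dropped
    (spoofed) packets, which is the telemetry an operator would alert on:
    a sudden spike on one port points at a compromised customer network.
    """
    forwarded = []
    dropped = {}
    for ifname, src, dst in packets:
        if ingress_permitted(filter_table, ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            dropped[ifname] = dropped.get(ifname, 0) + 1
    return forwarded, dropped


# Constructed sample traffic (documentation prefixes only).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.45", "192.0.2.10"),      # legitimate
    ("ge-0/0/1", "192.0.2.10", "203.0.113.45"),      # spoofed: not the customer's prefix
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),    # spoofed: .200 lies outside the /25
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8::1"),  # legitimate IPv6
    ("ge-0/0/2", "2001:db8:200::1", "2001:db8::1"),  # spoofed IPv6
    ("ge-0/0/9", "203.0.113.1", "192.0.2.10"),       # interface with no allocation
]

if __name__ == "__main__":
    fwd, drops = filter_packets(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", len(fwd))
    for ifname, count in sorted(drops.items()):
        print(f"{ifname}: dropped {count} packet(s) with spoofed source")
```

    With the constructed table, 2 of the 6 packets are forwarded and the rest are counted as spoofed on the interface they arrived on.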

  51. *GASP* by Anonymous Coward · · Score: 0

    "What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."

    but but but... that would be SOCIALISM. *shudder*

  52. Is more regulation really necessary? by Anonymous Coward · · Score: 0

    I don't quite understand the issue at hand.

    Most IoT devices are primarily clients and not servers, i.e. the device establishes a connection to the internet and not the other way 'round. If they do act as servers, they are usually meant to act as such in the context of one's local network. Or can you provide me any good reason why I should have my DVR be accessible over the internet? Even the CCTV will usually connect to a surveillance NAS or similar locally and the NAS itself could then be accessed from the internet, though that still seems to be an exception to the rule. So it seems to me that all you need to do is make sure your local network is safe from external attacks, in most cases a NAT router will (still) do.

    IMO asking the IoT device makers to implement a separate firewall is the same as asking every software manufacturer to do it, too. If I create a software package, I should be able to rely on the operating system or a special purpose software already taking care of security so that I don't have to duplicate the effort. With the IoT device it's the same, why go to the effort of separately securing hundreds of devices when the problem could be solved with one good firewall?

    If you really want to centralize control, start with internet providers. Make them ship hardened routers to their customers and offer better support. I guess this will solve most of the issues.

    And before engaging governments in controlling the production quality of IoT devices globally, I'd much prefer if they would start to cooperate against cyber crime. I find it simply dumbfounding how much money laundering is done through Asia with complete paper trails available and still nothing is being done about it. Stop the money, and you stop the crime, including those pesky DDoS attacks. Unfortunately, I believe we're still years if not decades away from a solution.