Slashdot Mirror


Bruce Schneier: We Need To Save the Internet From the Internet of Things (vice.com)

Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

12 of 164 comments

  1. The only way this will get fixed by Registered Coward v2 · · Score: 5, Insightful

    is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they have no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet: there is no way to block access from insecure devices when they become part of a BotNet. If there was, and manufacturers suddenly got lots of warranty calls when it stopped working, they might actually care about security.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:The only way this will get fixed by mlts · · Score: 4, Insightful

      "Security has no ROI" is a mantra I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact that they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company shipping that would not have to fret about its stock price. If people griped, they'd just tell users to buy version 2 of the device, which might move the open port from 23 to another number, and call it done.

      What would be ideal would be something like UL listings, except that instead of electrical safety, it is for security. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.

    2. Re:The only way this will get fixed by gnick · · Score: 4, Insightful

      is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.

      What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:The only way this will get fixed by MitchDev · · Score: 4, Insightful

      When they get SUED and pay out the nose is the only time they'll take it seriously

    4. Re:The only way this will get fixed by rtkluttz · · Score: 4, Insightful

      Wrong. The only way this gets fixed is if cloud command and control goes away. Internet of things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suit them. Configuration differences from one place to another make mass control almost impossible. Yes, it's much more likely individual sites get compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall? The CORPORATION is the biggest damn security threat we have.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    5. Re:The only way this will get fixed by Snotnose · · Score: 3, Insightful

      Maybe the white hats can help. Get the malware used in subverting the devices, then modify the payload so it changes the network settings to knock the device off the internet. If the owner is knowledgeable they can fix it, probably do so 3-4 times, then return the unit. Everybody else will just return the unit.

      This costs the manufacturers big $$$ and removes the threat.

    6. Re:The only way this will get fixed by Hognoxious · · Score: 2, Insightful

      According to AmiMoJo, it's a form of transportation that is literally a rapist.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:The only way this will get fixed by arth1 · · Score: 4, Insightful

      It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

      In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.

      So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.

    8. Re: The only way this will get fixed by spire3661 · · Score: 4, Insightful

      Yes, I very much do. For too long we have coddled users; either they step up and learn some of this stuff, or they get left behind and cut off. A firewall configuration is not a high bar to cross in an Information Age.

      --
      Good-bye
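What the "owner controls the holes in their own firewall" position (rtkluttz, comment 4) and "a firewall configuration is not a high bar" (spire3661, comment 8) look like in practice, as an added example that is not part of the thread and not anyone's posted code: a small POSIX shell script that emits an nftables ruleset confining IoT devices to their own segment. The interface names (eth0/eth1/eth2), the IoT subnet 192.168.50.0/24 and the allowed egress ports are assumptions for illustration; LAN-initiated connections to the devices are allowed, the devices can never initiate connections into the LAN, their Internet egress is limited to a short allow-list and rate-limited, and every other new flow leaving the IoT segment is logged and dropped so a freshly recruited device becomes visible. Nothing from the Internet reaches the devices unsolicited, telnet on port 23 included.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): keep IoT devices on their own
# interface/VLAN and let the owner, not a vendor cloud, decide what they reach.
# Assumed (illustrative) layout: upstream on eth0, trusted LAN on eth1,
# IoT VLAN on eth2 with subnet 192.168.50.0/24. Override via environment.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IOT_IF="${IOT_IF:-eth2}"
IOT_NET="${IOT_NET:-192.168.50.0/24}"

# Emit the ruleset as text. Kept in a function so it can be reviewed or
# tested without touching the running firewall.
iot_ruleset() {
    cat <<EOF
table inet iot_guard {
    set iot_egress_tcp {
        type inet_service
        elements = { 443 }       # HTTPS to the vendor only; no SMTP, no SSH, no telnet
    }
    set iot_egress_udp {
        type inet_service
        elements = { 53, 123 }   # DNS and NTP
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below
        ct state established,related accept
        ct state invalid drop

        # Owner-initiated: the trusted LAN may open connections to IoT devices
        iifname "$LAN_IF" oifname "$IOT_IF" accept

        # IoT devices may never initiate anything toward the trusted LAN
        iifname "$IOT_IF" oifname "$LAN_IF" drop

        # IoT -> Internet: only the listed services, from the expected subnet,
        # and only at a modest rate (a DVR has no business opening thousands
        # of flows per second)
        iifname "$IOT_IF" oifname "$WAN_IF" ip saddr $IOT_NET ct state new tcp dport @iot_egress_tcp limit rate 50/second accept
        iifname "$IOT_IF" oifname "$WAN_IF" ip saddr $IOT_NET ct state new udp dport @iot_egress_udp limit rate 50/second accept

        # Every other new flow leaving the IoT segment is logged, then dropped,
        # so a recruited device shows up in the logs instead of in a DDoS
        iifname "$IOT_IF" log prefix "iot-egress-drop: " drop

        # Nothing from the Internet reaches the devices unsolicited
        # (the default policy already drops it; stated here for clarity,
        # telnet/23 and its relatives included)
        iifname "$WAN_IF" oifname "$IOT_IF" drop
    }
}
EOF
}

# Usage: ./iot_guard.sh          prints the ruleset for review
#        ./iot_guard.sh --apply  loads it with nftables (needs root)
if [ "${1:-}" = "--apply" ]; then
    iot_ruleset | nft -f -
else
    iot_ruleset
fi
```

Loading the ruleset replaces the `iot_guard` table atomically; keep a separate table for the router's own input/output chains so this one stays small enough to read in full, which is the point: the owner can see every hole that has been punched.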
  2. The government to save us? by JcMorin · · Score: 4, Insightful

    So the government will pass a law and all IoT will be secure... that would be the US gov, I assume? All companies in the world will comply with the new law? I would not count on that for sure.

  3. Pass law that allows 3rd party to brick devices by Anonymous Coward · · Score: 2, Insightful

    Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.

    Script kiddies can then have fun bricking insecure devices found on the internet, and users will be forced to care about the security of the IoT devices that they run. And if users care more, then device manufacturers will respond.

  4. Re:B...b...but government always BAD! by lgw · · Score: 4, Insightful

    Someone else suggested a UL-like certification for household IoT. I really like that solution. It's not hard for the average person to understand that this seal means a stranger can't watch you through your webcam, can't unlock your doors, etc. I think people would care, if it were as simple as looking for 1 logo, no geek needed.

    --
    Socialism: a lie told by totalitarians and believed by fools.