Bruce Schneier: We Need To Save the Internet From the Internet of Things

Bruce Schneier, writing for Motherboard:What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

The only way this will get fixed

[Registered+Coward+v2]

is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they had no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet, there is no way to block access from insecure devices when they become part of a BotNet. If their was, and manufacturers suddenly got lots of warranty calls when it stopped working they might actual care about security.

Re:The only way this will get fixed

[mlts]

"Security has no ROI" is a mantram I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they just tell users to buy the version 2 of the device that might move the open port from 23 to another ID, call it done.

What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.

Re:The only way this will get fixed

[gnick]

is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.

What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.

Re:The only way this will get fixed

[MitchDev]

When they get SUED and pay out the nose is the only time they'll take it seriously

Re:The only way this will get fixed

[DickBreath]

Maybe the cost needs to be a government fine. That way it has a guarantee of financial impact. No uncertainty about whether a lawsuit will be filed, or whether it will be won. And a private party does not have to bear the cost of initiating the lawsuit.

Simply have a statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.

Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.

It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built in incentive to build them as cheaply and unsafely as possible.

Re:The only way this will get fixed

[rtkluttz]

Wrong. The only way this gets fixed is if cloud command and control goes away. Internet of things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suits them. Configuration differences from one place to another make mass control almost impossible. Yes its much more likely individuals sites gets compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall. The CORPORATION is the biggest damn security threat we have.

Re:The only way this will get fixed

[Snotnose]

Maybe the white hats can help. Get the malware used in subverting the devices, then modify the payload so it changes the network settings to knock the device off the internet. If the owner is knowledgeable they can fix it, probably do so 3-4 times, then return the unit. Everybody else will just return the unit.

This costs the manufactures big $$$ and removes the threat.

Re:The only way this will get fixed

[Hognoxious]

According to AmiMoJo, it's a form of transportation that is literally a rapist.

Re:The only way this will get fixed

[arth1]

It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.

So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.

Re: The only way this will get fixed

[Dadoo]

Fines wont work unless they are income based

So fine the people who own the devices. Start with a small fine, like $10, then double it for each repeat offense. Eventually, the word will get out, people will stop buying products from that vendor, and sales will suffer. They won't have any choice but to make their products secure.

Re:The only way this will get fixed

Yes. https://support.apple.com/en-u...

Re: The only way this will get fixed

[bestweasel]

I know this goes against everything you believe but sometimes government has to step in because people and corporations with a vested interest can't always be trusted to do the right thing. That's why you have mandatory requirements for electrical goods and many others, from water to food. Do you think those laws should be repealed? There should be mandated security standards for internet devices, checked by independent researchers and paid for by the manufacturer.

Re: The only way this will get fixed

[spire3661]

Yes, i very much do. For too long we have coddled users, either they step up and learn some of this stuff, or they get left behind and cut off. A firewall configuration is not a high bar to cross in an Information Age.

Re: The only way this will get fixed

[spire3661]

No, I want her to pay a professional to help her with it, just like if she wanted a new electrical socket installed to plug it in, or a needed a water line for the automatic ice maker.

The government to save us?

[JcMorin]

So the government will pass a law and all IoT will be secure... that would be the US gouv I assume? All companies in the world will be complying to the new law? I would not count that for sure.

Re:The government to save us?

[rudy_wayne]

So the government will pass a law and all IoT will be secure... that would be the US gouv I assume? All companies in the world will be complying to the new law?

I would not count that for sure.

99% of all those IOT devices are made in China. If the U.S. created tougher regulations regarding security, it seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else. So the rest of the world would end up getting more secure devices also.

One solution

[imbusy]

Can we have a botnet that scans the internet for insecure devices and changes their password?

Re:One solution

[b0bby]

It would actually be pretty great if there were a site which would let you scan the ip address you were coming from (so you couldn't use it against others) with a full Metasploit style array of checks. It could be helpful to a lot of home users who have a basic NAT router going on, maybe with some port forwarding so they can get to various devices like DVRs.

Hopefully someone is going to chime in "You mean like..."

government interventions

[silas_moeckel]

or just turn of upnp on your firewall?

IoT to the cloud is a problem security wise. The bigger issue IoT devices should not be throw away stuff. That means designing them to function as part of a home for 20+ years, the smarts need to be a IoT controller not some cloud service that might still be around.

Technically we built it to be the IoT at first

[WillAffleckUW]

Seriously, we built cameras that watched coffee pots, and coke machines, and watched the crystallography doors to see if people went to lunch so we could get console zero and run stuff.

It's just you n00bZ that think it's all you unwashed masses that we built it for.

That said, just because you can do something, doesn't mean you should.

My fridge should stop pinging the toaster, it's just rude.

Can't see how...

[DriveDog]

...a national government can fix this, and I believe in appropriate laws and regulations. Unless we wall off the internet into national subnets, and I sure don't want that. I can imagine an international organization in which states become members by agreeing to track and prosecute DDOSers and manufacturers of insecure devices and disallow nonmember states from connecting. Works for a year or two until scope creep turns the organization into a surveillance and enforcement nightmare.

Pass law that allows 3rd party to brick devices

Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.

Script kiddies can then have fun bricking insecure devices found on the internet, and users will be force to care about the security of the IoT devices that they run. And if users care more, then device manufactures will respond.

Re:Why government intervention all the time?

[psycho12345]

Here's the issue

1) Good luck doing this. It currently is tricky as is.

2) Here's the REALLY fun one. You identify the entity with the device, they live in another country. You now lack any legal power to influence them whatsoever, unless you have the money to file an international complaint/lawsuit, assuming it is even possible.

2a) Assume you suit goes through, it gets promptly ignored. Random hacked Chinese/Russian/Australian/German is not going to care what some person in another country thinks.

Re:B...b...but government always BAD!

[lgw]

Someone else suggested a UL-like certification for household IoT. I really like that solution. It's not hard for the average person to understand that this seal means a stranger can't watch you through your webcam, can't unlock your doors, etc. I think people would care, if it were as simple as looking for 1 logo, no geek needed.

Re:B...b...but government always BAD!

[Bing+Tsher+E]

And notably, the UL is a non-governmental organization.