Slashdot Mirror
US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)
New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."
Friday Friday
Gotta get down on Friday
Have the router enforce per device network profiles, like which hosts it can contact, how much bandwidth it can use, how many connections it can have open at a time, etc.
There won't be adequate security for IoT until the day comes when Russian hackers turns off everyone's fridge on Super Bowl Sunday and everyone is stuck with warm beers and all the TVs are tuned to the Oxygen channel's Oprah marathon.
THEN IoT security will be taken seriously.
This is the danger our resident experts create by going along with the IoT scare ...
The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).
So let me get this straight:
1. The risk that it will stifle innovation is outweighed by the need to regulate
2. Every stakeholder operates within the US
3. The US is not in the top 10 countries of origin for IoT-based attacks
Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.
It's all designed to make you believe that TRUMP will make America Great Again!
It's left as an exercise for the reader to figure out how a scare story about the "Internet of Things" is FAKE NEWS related to TRUMP... ;-)
Regulate all you want. Malware authors won't care; they are already breaking the law. International corporations won't care, they just won't sell to the US. Users won't care, their thing works. So who are the targets of the regulation?
You can have it fast, accurate, or pretty. Pick any 2.
Fake news. Regulation would target sales, not design, obviously. Media, if you love our U.S. Direct Democracy then you must take away Slashdot's power to peddle this Russian propaganda.
So we still keep finding security problems with major OS's and browsers. What makes anything think an IOT can be made even half secure?
This is the danger our resident experts create by going along with the IoT scare ...
Not sure what you mean here. IoT is another attack vector. IoT can be defined as consumer devices with embedded computers that have WIFI connectivity. Most likely they communicate with common things like REST and JSON. They use the same internet service providers that mobile phones, gaming consoles, PC's, etc.
I think there is increased cause for concern with IoT because people buying consumer devices with dumbed down UI's will be mostly unaware of things like firmware upgrades, network security, etc. They will be more available and at cheaper prices so it's going to greatly increase the attack surface. Black hats however are going to attack these devices running stripped downed versions of *nix like they always have though.
We'll make great pets
So C is bad because it hasn't got perfect security built into the language? The disease is profit. And will remain so until bad security damages those profits.
Using an unsecured and unlicensed C compiler will become illegal. Hexadecimal op codes will become propritary trade secrets. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?
Is to legislate back doors into all of it.
Not really, they are *all* part of the problem, including all of the people pointing fingers - no one is perfect at security, nor will anyone they ever be if you are realistic, although I do agree that lax end-user ISPs are playing a huge part in this particular instance with Mirai and its derivatives - e.g. TalkTalk is still a huge source of the Mirai traffic being dropped by my firewall, whereas Eircom and Deutsche Telekom are now dropping off fast. The security principles of defense in depth, while normally applied by an individual organization, can be applied on the large scale as well, and that's what's ultimately needed here - the issue is coercing people who are able to do something but can't be bothered to actually do it, and that generally means some form of legislation. *Everyone*, regardless of whether they are a device maker (of IoT devices and routers), end user, service provider, or backbone carrier, needs to assume that their devices and/or users are dumb, and put appropriate security and mitigation measures in place to the best of their ability. You're never going to completely fix the problem, so the best you can do is to try as hard as you can to mitigate against the damage with the resources you have, and hopefully that will be enough to reduce the problem to a mere nuisance.
UNIX? They're not even circumcised! Savages!
Be careful of what you wish for. The ISPs could institute a policy that only "approved" devices are allowed on the Internet. Don't think that can happen? That is where this is leading.
Such as making sure all devices have a NSA backdoor?
This is the danger our resident experts create by going along with the IoT scare ...
The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).
Don't you dare slander the C programming language.
There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.
However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.
And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.
I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure, e.g. same default password on every device, no password for Bluetooth pairing, etc. Imagine if cars had no safety requirements or regulations. Imagine if your dentist didn't need to have any independently accredited qualifications.
Job Two will a federally-mandated backdoor for real-time warrant less surveillance.
Well that's the problem isn't it, how to create economic incentives for security.
We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.
It is very simple. If software providers were at least partially liable for damages caused by security breaches, the situation would rapidly change: we would see companies hiring programmers with "security training", etc., and programmers would start caring about software security - because that would be where the jobs are. The total lack of liability today is the core problem.
AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.
The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.
What's the ISP to filter then?
I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure
That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
How to secure Iot: 1-have experts make a chip that securely does Iot stuff. 2-make it cheap. 3-Secure!
State level regulation would be 'disastrous' to markets and consumers alike
Why would anybody even suggest that? It would be comparable to radio regulation made at the State level: at the border regions nobody hear can hear your scream, at your radio. Abstract frameworks could guide the design to sane directions like building codes do for the buildings, but the abstraction level might have to be very high, and the accompanying test framework maintained religiously by the community or entity steering it.
I hate to break it to you, kid, but your precious Python, Java, Ruby, PHP, Javascript, whatever bullshit, is written in, you guessed it, C! (note, I excluded better languages like Lua and Perl because you won't know what those are but they are written in C too)
When you can write an OS in Javascript, let me know.
Because we all really trust that anymore... right? Nobody trusts the US devices anymore post Snowden, so the very idea will just add to the distrust. Compare: approved by the Chinese government and approved by the US government.
One option is filter the traffic from a customer suspected at participating in a DDOS on request from an ISP which owns the destination IP range. Easy to authenticate that the request is genuine and an ISP would be unlikely to abuse the power to remotely block users from reaching one of their IPs, since they could do that themselves locally in the first place.
Once an ISP has a ton of rules for a single customer screwing up their router they might feel the need to talk with him about taking his fucking IoT off his network.
Using an unsecured and unlicensed C compiler will become illegal. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?
the programmers will still be using C after all (another root cause which must not be named).
Oh, the programmers are completely capable of writing security holes in other languages too.
the autism-hating, custom EpiPen-hating, Musk-hating Slashdot troll!
"The OSI model has too much overhead for megabit-per-second (or greater) communications. Consequently, the Transmission Control Protocol/ Internet Protocol (TCP/IP) stack was invented to manage the Internet."
Another clueless vendor lobbyist and tax dollar parasite giving advice to Federal employees, perfect. This will end well.
If you have a problem with klingons either use better toilet paper or a bidet. An IoT bidet. This way someone can hack it to make you realize just how stupid the IoT is.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
How to secure Iot: 1-have experts make a chip that securely does Iot stuff. 2-make it cheap. 3-Secure!
Wrong:
1 buy big hammer.
2. apply said hammer with sufficient force to ensure that there are no surviving bugs in the device.
3. Now it's secure.
This, or ensuring the device is never powered up, are the only 2 ways that are guaranteed to work, and you can never be sure some idiot won't plug it in or insert a battery, so it's back to HAMMER TIME.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
How to create an economic incentive for security? Easy. Remember Part 15 of the FCC Rules? That sticker nobody reads anymore that says
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Create the same for the IoT rubbish.
Failure to comply makes YOU liable for any damage the device you created caused.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Name me one managed language run-time that doesn't depend on c or c++, either directly or indirectly.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Being part of a botnet engaging in a DDoS attack is just one of many things that could go wrong with IoT devices.
I'd be more worried about hackers disabling my IoT-enabled alarms (e.g. smoke alarms, burglar alarms) or IoT-enabled door locks and garage door opener. ISPs can't do anything to help with that.
As a point of comparison, many Android handset manufacturers refuse to even provide security updates during the two-year contract period. I expect IoT device manufacturers to be even worse.
It should be illegal for companies to sell devices if they won't provide security updates for a reasonable period. It should be illegal to sell a device that cannot be patched if security flaws are found - this is just negligence.
What the gov't really means is that it wants a backdoor, but what we really need is strong encryption on all these iOT devices for our own security and stop botnets from using them.
Regulation is not really needed here. Instead, make people responsible when their internet-thing is used in a ddos-attack or whatever. Have a standard fine fir this sort of thing - a fine the size of a parking fine or speeding ticket.
Reputation will do the rest. Some makers will get a reputation for costing you fines - nobody wants that. Others will get a cleaner rep.
And home firewalls can save you from some fines, so those will get popular too.
This is similiar to how you're responsible for storing dangerous equipment in a safe way. If bank robbers have easy access to your guns & dynamite, you get punished. If kids can start your bulldozer and level the neighbour house, you get punished. If you put stuff on the internet that is trivially taken over via network access, you have some responsibility for that too. The hacker is of course responsible for actual damage, but you should be fined for leaving 'dangerous equipment' accessible for the evil.
I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.
It's quite simple. Want to join a botnet? Buy IoT devices. If you don't, don't buy them.
We'll make great pets
Regulating IoT devices is a GOOD idea. Right now they are an example of a market failure - the huge cloud of insecure devices is created by the same market forces as a huge clouds of polluted air. Securing devices requires vendors to spend money so that vendors who don't care about security can undercut them.
And the solution is the same - impose regulation to make IoT vendors responsible for their security. For example, IoT vendors can create a standardized and replaceable "control module" that only needs to be certified once.
Consumer unfamiliarity with proper management of devices is a problem, but it's not the big problem.
The big problem is crappy engineering by the cheapest possible offshore barely qualified people who don't give a crap about what they design, MBAs who don't give a crap about what they produce and, most importantly, putting stuff on the Internet that doesn't need to be there.
Putting product liability where it belongs is perfect for these situations.
There will soon be more people writing code than there are other people to regulate them. In a world where Angry Birds got knocked off the top of the charts by an app coded by a 13 year old, you think you can control software development? Good luck with that..
How many people building IoT devices even believe they are in the IoT business? How many of this years Christmas toys will be connectable online? And the entire market for STEM stuff like Arduinos, Raspberry Pi, Beaglebones, etc? You think the people that built the wifi enabled Xray machine that I saw at a hospital last week think they are in the IoT business? Or the people that sell those $10 kits to turn a paper airplane into a wifi RC airplane? It's already too late, there is a critical mass already of legacy gear that will be online and connected for a generation, no matter what else happens.
Remember cars? First keyholes could be drilled out, then remote unlocking signals could be recorded and replayed, so the current technology is electronically-tagged keys. That's because everyone knew when the previous access control mechanism had failed but people aren't aware of the security in (or not in) their local network and, obviously, don't want to know. It's not market failure, the market is supplying exactly what people want to buy; devices that don't care about security.
What's needed is a mechanism that changes what the buyer wants; that's why we have auditing and rating agencies, whether it's Moody's (who re-labelled their service as an opinion), ANCAP, or even ISO (I remember the whitewash called Quality Assurance) to advise consumers. As I suggest, such rating systems can be corrupted or ineffective but the basic principle is good. We need every network device to be rated on its security services and policies, with a higher standard for infrastructure devices (gateways & routers, access points) than client devices. As security technology will change and provide more services, the rating system must be open-ended, allowing more stars to represent more services being offered in a device.
yes. let's introduce regulation for a fridge showing photos of it's insides on the web because for a fridge to claim it's a dentist it would need accreditation so you're sure it won't kill you. what are you some kind of a moron?
IEEE, ASE, someone (other than the French of course). I have a bunch of Internet Connected Tech (ICT) and they're easy to break into and re-purpose. Very low security. Not hard to figure out what it's running - arm processor, etc and kernel - Linux, mich, etc. then update it. For some devices it's as bad as having a barn to store your 1969 restored Corvette and instead of a lock, you're using a board to keep the doors closed. Sure, it'll do the job unless someone wants to get in.
This guarantees that the upcoming deluge of IoT devices will be insecure unless we do something.
IoT devices will have their OS hardwired in so that it can't be upgraded (cost considerations; and we'll sell you a new gadget if this one becomes compromised). Which means we'll be waist-deep in applications that will be botnet components within a year of manufacture and which will phone home to wherever from day one.
Like it or not, the only way to prevent this is ... legislation and regulation.
And it's a lot cheaper and easier to regulate new devices than to regulate the existing Internet to be 100% safe.