Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)

Posted by BeauHD on from the trial-and-error dept.

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

48 of 87 comments (clear)

  1. We probably need network profiles for things by Anonymous Coward · · Score: 1

    Have the router enforce per device network profiles, like which hosts it can contact, how much bandwidth it can use, how many connections it can have open at a time, etc.

    1. Re:We probably need network profiles for things by 110010001000 · · Score: 1, Troll

      And this is how it starts: the router will only allow certain "approved" devices on the Internet.

    2. Re:We probably need network profiles for things by Bing+Tsher+E · · Score: 1

      Apple has chosen to become the predominant gadget maker.

      They haven't really made a successful server product since the SE/30.

  2. It's going to fall in to deaf ears. by Anonymous Coward · · Score: 1

    There won't be adequate security for IoT until the day comes when Russian hackers turns off everyone's fridge on Super Bowl Sunday and everyone is stuck with warm beers and all the TVs are tuned to the Oxygen channel's Oprah marathon.

    THEN IoT security will be taken seriously.

    1. Re:It's going to fall in to deaf ears. by BarbaraHudson · · Score: 1

      Please, over-regulate it to death. Problem solved.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. No mention of the internet architecture of course by Pinky's+Brain · · Score: 4, Interesting

    This is the danger our resident experts create by going along with the IoT scare ...

    The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).

  4. I think this whole idea stinks by Alcemenes · · Score: 2, Interesting

    So let me get this straight:

    1. The risk that it will stifle innovation is outweighed by the need to regulate
    2. Every stakeholder operates within the US
    3. The US is not in the top 10 countries of origin for IoT-based attacks

    Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.

    1. Re: I think this whole idea stinks by Bing+Tsher+E · · Score: 2

      They want to regulate all the endpoints, rather than just beef security at the transition points. It's ludicrous! Anybody can push whatever firmware they want into a microcontroller, except not (!!!) with this kind of regulatory burden. Will I need a jtag license? Will operating a compiler without a license become illegal, or too dangerous to contemplate because of the liability risk?

      Umm, the hell with that. Protect your network at it's routing points. It's not YOUR network until it passes through your demarcation point.

      If well defined boundaries are established, freedom can still flourish in the places where tight-assed security is not necessary.

    2. Re: I think this whole idea stinks by Mr+D+from+63 · · Score: 2

      The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice.

      Regulation could come in regarding how product can claim compliance.

      Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is not simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.

    3. Re:I think this whole idea stinks by tuxgeek · · Score: 1

      And of course there will be LESS government, and more FREEDOM.
      And a pony for all ..

      --
      "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
    4. Re: I think this whole idea stinks by EmeraldBot · · Score: 3, Interesting

      The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice. Regulation could come in regarding how product can claim compliance. Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is not simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.

      I agree with this mostly, but I do think there need to be some minimum standards for regulation. Some IOT stuff - automated stoves or heating / cooling or whatever - isn't just obnoxious if hacked, it can be downright dangerous if somebody makes the oven set itself on fire while you're asleep. Using a hardcoded check of PASSWORD, for example, is something I think we can all agree is unacceptable, and that shouldn't be tolerated.

      If we do make those standards too, they shouldn't be compromises, they should be seriously tough, and come in shades or grades instead of compromise. You can always let people pass lower, but no company is ever going to do better than the minimum required of them, so "A" had better mean pretty solid protection from hacking...

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    5. Re:I think this whole idea stinks by unixisc · · Score: 2

      So let me get this straight:

      1. The risk that it will stifle innovation is outweighed by the need to regulate 2. Every stakeholder operates within the US 3. The US is not in the top 10 countries of origin for IoT-based attacks

      Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.

      This is pretty correct. And having just (correctly) turned over ICANN into an international body, how do they get to regulate any IoT designs outside the US?

      The solution to IoT security would be to have a standard firewall list of known IP ranges that would be dropped at a gateway, if known to be a malware site. Just like a lot of ISPs use universal Google DNS servers rather than roll their own, similarly, routers should come w/ a list of public firewalls that one can choose from while setting things up. Right now, the default action is to allow all traffic at routers, instead of dropping, since the latter would cause it to look to the consumer like the internet doesn't work. But if the consumer is directed to, in the instructions, either select from a list of known public firewalls, be it from the likes of Google, Apple, Microsoft, Symantec, ESET, et al, or fill in a known firewall of his own, that would solve IoT security just like mainstream PC security

      This is particularly needed for IPv6, where security considerations are still fairly new

  5. Politics vs. Reality by Lemmeoutada+Collecti · · Score: 3, Insightful

    Regulate all you want. Malware authors won't care; they are already breaking the law. International corporations won't care, they just won't sell to the US. Users won't care, their thing works. So who are the targets of the regulation?

    --

    You can have it fast, accurate, or pretty. Pick any 2.
    1. Re:Politics vs. Reality by El+Cubano · · Score: 1

      I had a similar thought to "regulate all you want," only I was thinking more along the lines of "if security of networked devices is so important, why have we not had similar regulation for the last 20-30+ years?" I mean, we've all seen the movie Sneakers. I know it was a bit fanciful, but the very first time someone decided to connect a power plant, bank, or air traffic control tower to any sort of external network, the world changed. The problem is I don't think that the general public understood just how dramatic that change was until only very recently, decades later. I guess what I'm trying to say is that this is a combination of "quick, the horses got out, close the barn" and "that ship has already sailed."

    2. Re:Politics vs. Reality by tchdab1 · · Score: 1

      IOT attacks, that this discussion is addressing, are possible because millions of attached devices exist that aren't designed to be managed yet are capable of being hijacked. If it's possible to design IEEE-level standards into these devices that prevent the hijack, and legislation mandates that those standards must be present in any device sold in the USA, then those standards will proliferate. Malware authors will have many fewer targets on which to base DOS attacks. They will still break the rules, but they'll have far fewer targets with which to break the rules in this way. That's the idea, and it's a worthy idea to pursue.

    3. Re:Politics vs. Reality by Dutch+Gun · · Score: 3, Insightful

      It's an issue of critical mass. Previous DDoS attacks were often due to exploits, some sort of reflection attack. Now, with IoT devices, there's sufficient bandwidth and enough devices to overwhelm a system with 100% legitimate and non-spoofed attacks, and that's a new and worrying trend. We're seeing a flood of *very* easy to compromise devices hit the market, along with sufficient outgoing consumer bandwidth to make them truly damaging even in the thousands, let alone in the hundreds of thousands or even millions.

      We're going to be seeing even more of these devices on the market. If they don't improve their security, we'll be seeing connectivity drop to the reliability of a third-world power grid, and that's going to have a huge impact on a lot of people and businesses who now absolutely rely on that infrastructure being ubiquitous and reliable.

      There's already an Underwriters Laboratories stamp (the best known of several Nationally Recognized Testing Laboratories) on the bottom of most electrical or electronic devices you purchase. Why not a set of security requirements similar to that for internet connected devices? Let private industry and organizations develop and certify the specifics of the safety requirements, and the government can simply oversee the process. We already have a clear precedent on how to do this, and it doesn't appear to have stifled innovation in any sense.

      And of course, this not a license to connect to the internet (it shouldn't affect hobbyists or software), but a requirement to ensure basic security when someone wants to mass-produce and sell hardware devices that connect to the internet. Just saying "but... internet" doesn't make shitty products immune from reasonable regulations that permeate every other aspect of business for the greater good.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re: Politics vs. Reality by BarbaraHudson · · Score: 1
      If you have a printer connected to your laptop, better make that 4. And even if you're not using wireless to access the net, your switch is yet another device, so 5. And unless your roku isn't connected to anything else, your TV makes it 6 (yes, they can destroy a TV by feeding it signals that turn it off and on in rapid succession, or overdriven video, or they can feed it a signal for hard-core porn when your kids are watching).

      Read John Varley's "Press Enter" if you want instructions on how to be almost 100% risk-free.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re:Politics vs. Reality by RockDoctor · · Score: 1

      I mean, we've all seen the movie Sneakers.

      Why would you assume that? I don't think I've even heard of it. Then again, I've still not head of a sensible use-case for an IoT device either. Are you sure that both this movie and a sensible use case for an IoT device exist?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  6. Re:No mention of the internet architecture of cour by zifn4b · · Score: 2

    This is the danger our resident experts create by going along with the IoT scare ...

    Not sure what you mean here. IoT is another attack vector. IoT can be defined as consumer devices with embedded computers that have WIFI connectivity. Most likely they communicate with common things like REST and JSON. They use the same internet service providers that mobile phones, gaming consoles, PC's, etc.

    I think there is increased cause for concern with IoT because people buying consumer devices with dumbed down UI's will be mostly unaware of things like firmware upgrades, network security, etc. They will be more available and at cheaper prices so it's going to greatly increase the attack surface. Black hats however are going to attack these devices running stripped downed versions of *nix like they always have though.

    --
    We'll make great pets
  7. Re: No mention of the internet architecture of cou by Bing+Tsher+E · · Score: 1, Troll

    Using an unsecured and unlicensed C compiler will become illegal. Hexadecimal op codes will become propritary trade secrets. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?

  8. Re:No mention of the internet architecture of cour by Zocalo · · Score: 2

    Not really, they are *all* part of the problem, including all of the people pointing fingers - no one is perfect at security, nor will anyone they ever be if you are realistic, although I do agree that lax end-user ISPs are playing a huge part in this particular instance with Mirai and its derivatives - e.g. TalkTalk is still a huge source of the Mirai traffic being dropped by my firewall, whereas Eircom and Deutsche Telekom are now dropping off fast. The security principles of defense in depth, while normally applied by an individual organization, can be applied on the large scale as well, and that's what's ultimately needed here - the issue is coercing people who are able to do something but can't be bothered to actually do it, and that generally means some form of legislation. *Everyone*, regardless of whether they are a device maker (of IoT devices and routers), end user, service provider, or backbone carrier, needs to assume that their devices and/or users are dumb, and put appropriate security and mitigation measures in place to the best of their ability. You're never going to completely fix the problem, so the best you can do is to try as hard as you can to mitigate against the damage with the resources you have, and hopefully that will be enough to reduce the problem to a mere nuisance.

    --
    UNIX? They're not even circumcised! Savages!
  9. Be careful by 110010001000 · · Score: 1, Interesting

    Be careful of what you wish for. The ISPs could institute a policy that only "approved" devices are allowed on the Internet. Don't think that can happen? That is where this is leading.

    1. Re:Be careful by Pinky's+Brain · · Score: 4, Insightful

      That will help very little, approval doesn't make the device secure.

      The network needs to be robust against insecure devices.

    2. Re:Be careful by Anonymous Coward · · Score: 1

      So ISPs would never use security as an excuse to make such a policy, even if the policy failed to improve security?

    3. Re:Be careful by Opportunist · · Score: 1

      What will rather happen, since they can neither enforce nor control this sensibly and at a reasonable cost, is that they will simply include a clause in their contract that allows them to cut you off if they notice any harmful traffic coming from you.

      With "harmful" being "you using more bandwidth than we want you to", of course.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Be careful by johannesg · · Score: 1

      Not the network perse, but ISPs should certainly take some responsibility for what happens on their networks. Some typical DDOS patterns are easy enough to detect, and should result in blocking that traffic. If ISPs did this as a matter of course it would be much harder to set up an effective DDOS attack.

  10. no regulation, but liability by ooloorie · · Score: 3, Insightful

    There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.

    However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.

    And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.

  11. Re: No mention of the internet architecture of cou by rantrantrant · · Score: 1

    I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure, e.g. same default password on every device, no password for Bluetooth pairing, etc. Imagine if cars had no safety requirements or regulations. Imagine if your dentist didn't need to have any independently accredited qualifications.

  12. Security will be Job One by ThatsNotPudding · · Score: 2

    Job Two will a federally-mandated backdoor for real-time warrant less surveillance.

  13. Re:No mention of the internet architecture of cour by Pinky's+Brain · · Score: 4, Insightful

    Well that's the problem isn't it, how to create economic incentives for security.

    We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.

  14. Just make manufacturers liable for damages by cjonslashdot · · Score: 2

    It is very simple. If software providers were at least partially liable for damages caused by security breaches, the situation would rapidly change: we would see companies hiring programmers with "security training", etc., and programmers would start caring about software security - because that would be where the jobs are. The total lack of liability today is the core problem.

  15. Re:No mention of the internet architecture of cour by swb · · Score: 3, Interesting

    AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.

    The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.

    What's the ISP to filter then?

  16. Re: No mention of the internet architecture of cou by NormalVisual · · Score: 1

    I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure

    That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  17. Re:No mention of the internet architecture of cour by currently_awake · · Score: 2

    How to secure Iot: 1-have experts make a chip that securely does Iot stuff. 2-make it cheap. 3-Secure!

  18. US Regulation? by richardkettle4 · · Score: 1

    Because we all really trust that anymore... right? Nobody trusts the US devices anymore post Snowden, so the very idea will just add to the distrust. Compare: approved by the Chinese government and approved by the US government.

  19. Re:No mention of the internet architecture of cour by Pinky's+Brain · · Score: 2

    One option is filter the traffic from a customer suspected at participating in a DDOS on request from an ISP which owns the destination IP range. Easy to authenticate that the request is genuine and an ISP would be unlikely to abuse the power to remotely block users from reaching one of their IPs, since they could do that themselves locally in the first place.

    Once an ISP has a ton of rules for a single customer screwing up their router they might feel the need to talk with him about taking his fucking IoT off his network.

  20. Re:No mention of the internet architecture of cour by Bing+Tsher+E · · Score: 1

    Using an unsecured and unlicensed C compiler will become illegal. Owning a binary editor will be a felony. Use this cuckgadget from Apple or Google, not that scary open device. You aren't one of those unmutual terrorists, are you?

  21. Re:No mention of the internet architecture of cour by BarbaraHudson · · Score: 1

    How to secure Iot: 1-have experts make a chip that securely does Iot stuff. 2-make it cheap. 3-Secure!

    Wrong:

    1 buy big hammer.
    2. apply said hammer with sufficient force to ensure that there are no surviving bugs in the device.
    3. Now it's secure.

    This, or ensuring the device is never powered up, are the only 2 ways that are guaranteed to work, and you can never be sure some idiot won't plug it in or insert a battery, so it's back to HAMMER TIME.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  22. Re:No mention of the internet architecture of cour by Opportunist · · Score: 2

    How to create an economic incentive for security? Easy. Remember Part 15 of the FCC Rules? That sticker nobody reads anymore that says
    1. This device may not cause harmful interference.
    2. This device must accept any interference received, including interference that may cause undesired operation.

    Create the same for the IoT rubbish.

    Failure to comply makes YOU liable for any damage the device you created caused.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  23. Re:No mention of the internet architecture of cour by BarbaraHudson · · Score: 1

    Name me one managed language run-time that doesn't depend on c or c++, either directly or indirectly.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  24. Re:No mention of the internet architecture of cour by afgam28 · · Score: 2

    Being part of a botnet engaging in a DDoS attack is just one of many things that could go wrong with IoT devices.

    I'd be more worried about hackers disabling my IoT-enabled alarms (e.g. smoke alarms, burglar alarms) or IoT-enabled door locks and garage door opener. ISPs can't do anything to help with that.

    As a point of comparison, many Android handset manufacturers refuse to even provide security updates during the two-year contract period. I expect IoT device manufacturers to be even worse.

    It should be illegal for companies to sell devices if they won't provide security updates for a reasonable period. It should be illegal to sell a device that cannot be patched if security flaws are found - this is just negligence.

  25. Re: Fake news by BarbaraHudson · · Score: 1

    If the people who ran in this last election are truly representative you have bigger problems.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  26. Re: No mention of the internet architecture of cou by zifn4b · · Score: 1

    I think the problem with the IoT is that the manufacturers take little or no steps to make their devices secure That's *part* of the problem, and new laws aren't going to affect the Alibaba vendors who simply don't care.

    It's quite simple. Want to join a botnet? Buy IoT devices. If you don't, don't buy them.

    --
    We'll make great pets
  27. That's a good idea, actually by Cyberax · · Score: 1

    Regulating IoT devices is a GOOD idea. Right now they are an example of a market failure - the huge cloud of insecure devices is created by the same market forces as a huge clouds of polluted air. Securing devices requires vendors to spend money so that vendors who don't care about security can undercut them.

    And the solution is the same - impose regulation to make IoT vendors responsible for their security. For example, IoT vendors can create a standardized and replaceable "control module" that only needs to be certified once.

    1. Re:That's a good idea, actually by Cyberax · · Score: 1

      See: "replaceable". It will present a big attack surface but at the same time it can be designed to support updating and be easily swapable.

  28. Re:It can't be done. by Cyberax · · Score: 1

    Beaglebones and RPi are OK - they are hobbyist products and won't be regulated. And an X-ray machines with WiFi are _already_ deeply regulated - there are mandated interlocks to avoid overdosing, for example (see: Therac).

  29. Someone should by ebvwfbw · · Score: 1

    IEEE, ASE, someone (other than the French of course). I have a bunch of Internet Connected Tech (ICT) and they're easy to break into and re-purpose. Very low security. Not hard to figure out what it's running - arm processor, etc and kernel - Linux, mich, etc. then update it. For some devices it's as bad as having a barn to store your 1969 restored Corvette and instead of a lock, you're using a board to keep the doors closed. Sure, it'll do the job unless someone wants to get in.

  30. Re:No mention of the internet architecture of cour by golodh · · Score: 1
    Seriously, no manufacturer will spend a dime on security since security doesn't sell very well. Markets won't provide what isn't valued. And security is a niche market, not a mass market.

    This guarantees that the upcoming deluge of IoT devices will be insecure unless we do something.

    IoT devices will have their OS hardwired in so that it can't be upgraded (cost considerations; and we'll sell you a new gadget if this one becomes compromised). Which means we'll be waist-deep in applications that will be botnet components within a year of manufacture and which will phone home to wherever from day one.

    Like it or not, the only way to prevent this is ... legislation and regulation.

    And it's a lot cheaper and easier to regulate new devices than to regulate the existing Internet to be 100% safe.