US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)
New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."
This is the danger our resident experts create by going along with the IoT scare ...
The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).
So let me get this straight:
1. The risk that it will stifle innovation is outweighed by the need to regulate
2. Every stakeholder operates within the US
3. The US is not in the top 10 countries of origin for IoT-based attacks
Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.
Regulate all you want. Malware authors won't care; they are already breaking the law. International corporations won't care, they just won't sell to the US. Users won't care, their thing works. So who are the targets of the regulation?
You can have it fast, accurate, or pretty. Pick any 2.
This is the danger our resident experts create by going along with the IoT scare ...
Not sure what you mean here. IoT is another attack vector. IoT can be defined as consumer devices with embedded computers that have Wi-Fi connectivity. Most likely they communicate with common things like REST and JSON. They use the same internet service providers as mobile phones, gaming consoles, PCs, etc.
I think there is increased cause for concern with IoT because people buying consumer devices with dumbed-down UIs will be mostly unaware of things like firmware upgrades, network security, etc. They will be more available and at cheaper prices, so it's going to greatly increase the attack surface. Black hats, however, are going to attack these devices running stripped-down versions of *nix like they always have.
We'll make great pets
Not really, they are *all* part of the problem, including all of the people pointing fingers - no one is perfect at security, nor will anyone ever be if you are realistic, although I do agree that lax end-user ISPs are playing a huge part in this particular instance with Mirai and its derivatives - e.g. TalkTalk is still a huge source of the Mirai traffic being dropped by my firewall, whereas Eircom and Deutsche Telekom are now dropping off fast. The security principles of defense in depth, while normally applied by an individual organization, can be applied on the large scale as well, and that's what's ultimately needed here - the issue is coercing people who are able to do something but can't be bothered to actually do it, and that generally means some form of legislation. *Everyone*, regardless of whether they are a device maker (of IoT devices and routers), end user, service provider, or backbone carrier, needs to assume that their devices and/or users are dumb, and put appropriate security and mitigation measures in place to the best of their ability. You're never going to completely fix the problem, so the best you can do is to try as hard as you can to mitigate the damage with the resources you have, and hopefully that will be enough to reduce the problem to a mere nuisance.
UNIX? They're not even circumcised! Savages!
That will help very little, approval doesn't make the device secure.
The network needs to be robust against insecure devices.
There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.
However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.
And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.
Job Two will be a federally-mandated backdoor for real-time warrantless surveillance.
Well that's the problem isn't it, how to create economic incentives for security.
We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.
It is very simple. If software providers were at least partially liable for damages caused by security breaches, the situation would rapidly change: we would see companies hiring programmers with "security training", etc., and programmers would start caring about software security - because that would be where the jobs are. The total lack of liability today is the core problem.
AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.
The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.
What's the ISP to filter then?
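The filtering the two comments above argue about is source-address validation at the customer edge (BCP38 / strict uRPF): an ISP drops outbound packets whose source address is not one it assigned to the port they arrived on. The following is an added example, not code from any commenter or from the report; the customer table and the packets are constructed here. It shows both sides of the exchange: spoofed sources get dropped, but a flood of requests from real, non-spoofed botnet members sails straight through, which is exactly the limitation raised in the reply.

```python
"""BCP38-style egress filtering at an ISP access edge (added example).

Assumes a constructed table of customer access ports and the prefixes
assigned to each, plus constructed outbound packets. A packet is forwarded
only if its source address lies within a prefix assigned to the port it
came in on; anything else is treated as spoofed and dropped. Unknown ports
fail closed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: prefixes each customer access port may legitimately source from.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("198.51.100.0/29")],
    "port-2": [ipaddress.ip_network("203.0.113.64/26"),
               ipaddress.ip_network("2001:db8:2::/48")],
}


@dataclass(frozen=True)
class Packet:
    port: str    # access port the packet arrived on
    src: str     # source address as seen on the wire
    dst: str
    dport: int


def source_is_valid(port, src):
    """True iff src is inside a prefix assigned to the customer on `port`.

    ipaddress handles the v4/v6 mismatch: a v6 address is never 'in' a
    v4 network, so mixed tables need no special casing.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # malformed source: drop
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, ()))


def filter_egress(packets):
    """Return (forwarded, dropped) after strict-uRPF-style filtering."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt.port, pkt.src) else dropped).append(pkt)
    return forwarded, dropped


def drops_per_port(dropped):
    """Count drops per access port; a persistently noisy port is the customer
    worth a phone call about the devices behind it."""
    return Counter(p.port for p in dropped)


# Constructed sample traffic, one line per case worth checking.
SAMPLE = [
    Packet("port-1", "198.51.100.3", "192.0.2.10", 53),        # legitimate DNS query
    Packet("port-1", "192.0.2.200", "192.0.2.10", 53),         # spoofed: reflection attempt
    Packet("port-1", "203.0.113.70", "192.0.2.10", 80),        # spoofed: another customer's address
    Packet("port-2", "203.0.113.70", "192.0.2.10", 80),        # real source, but part of a flood: passes
    Packet("port-2", "2001:db8:2::1", "2001:db8::1", 443),     # legitimate IPv6
    Packet("port-2", "2001:db8:dead::1", "2001:db8::1", 443),  # spoofed IPv6
    Packet("port-3", "198.51.100.3", "192.0.2.10", 53),        # unknown port: fail closed
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)} by_port={dict(drops_per_port(drop))}")
```

Note what the forwarded list contains: the port-2 HTTP packet is a real customer talking to a real destination, so no amount of source validation touches it. BCP38 removes spoofed and reflected traffic from the picture; it does nothing about the case where the attacking devices simply use their own addresses, which is how Mirai-style floods operate.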
How to secure IoT: 1-have experts make a chip that securely does IoT stuff. 2-make it cheap. 3-Secure!
One option is to filter the traffic from a customer suspected of participating in a DDOS on request from an ISP which owns the destination IP range. Easy to authenticate that the request is genuine, and an ISP would be unlikely to abuse the power to remotely block users from reaching one of their IPs, since they could do that themselves locally in the first place.
Once an ISP has a ton of rules for a single customer screwing up their router they might feel the need to talk with him about taking his fucking IoT off his network.
How to create an economic incentive for security? Easy. Remember Part 15 of the FCC Rules? That sticker nobody reads anymore that says
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Create the same for the IoT rubbish.
Failure to comply makes YOU liable for any damage the device you created caused.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Being part of a botnet engaging in a DDoS attack is just one of many things that could go wrong with IoT devices.
I'd be more worried about hackers disabling my IoT-enabled alarms (e.g. smoke alarms, burglar alarms) or IoT-enabled door locks and garage door opener. ISPs can't do anything to help with that.
As a point of comparison, many Android handset manufacturers refuse to even provide security updates during the two-year contract period. I expect IoT device manufacturers to be even worse.
It should be illegal for companies to sell devices if they won't provide security updates for a reasonable period. It should be illegal to sell a device that cannot be patched if security flaws are found - this is just negligence.