Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)

Posted by BeauHD on from the trial-and-error dept.

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

8 of 87 comments (clear)

  1. No mention of the internet architecture of course by Pinky's+Brain · · Score: 4, Interesting

    This is the danger our resident experts create by going along with the IoT scare ...

    The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).

  2. Politics vs. Reality by Lemmeoutada+Collecti · · Score: 3, Insightful

    Regulate all you want. Malware authors won't care; they are already breaking the law. International corporations won't care, they just won't sell to the US. Users won't care, their thing works. So who are the targets of the regulation?

    --

    You can have it fast, accurate, or pretty. Pick any 2.
    1. Re:Politics vs. Reality by Dutch+Gun · · Score: 3, Insightful

      It's an issue of critical mass. Previous DDoS attacks were often due to exploits, some sort of reflection attack. Now, with IoT devices, there's sufficient bandwidth and enough devices to overwhelm a system with 100% legitimate and non-spoofed attacks, and that's a new and worrying trend. We're seeing a flood of *very* easy to compromise devices hit the market, along with sufficient outgoing consumer bandwidth to make them truly damaging even in the thousands, let alone in the hundreds of thousands or even millions.

      We're going to be seeing even more of these devices on the market. If they don't improve their security, we'll be seeing connectivity drop to the reliability of a third-world power grid, and that's going to have a huge impact on a lot of people and businesses who now absolutely rely on that infrastructure being ubiquitous and reliable.

      There's already an Underwriters Laboratories stamp (the best known of several Nationally Recognized Testing Laboratories) on the bottom of most electrical or electronic devices you purchase. Why not a set of security requirements similar to that for internet connected devices? Let private industry and organizations develop and certify the specifics of the safety requirements, and the government can simply oversee the process. We already have a clear precedent on how to do this, and it doesn't appear to have stifled innovation in any sense.

      And of course, this not a license to connect to the internet (it shouldn't affect hobbyists or software), but a requirement to ensure basic security when someone wants to mass-produce and sell hardware devices that connect to the internet. Just saying "but... internet" doesn't make shitty products immune from reasonable regulations that permeate every other aspect of business for the greater good.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  3. Re:Be careful by Pinky's+Brain · · Score: 4, Insightful

    That will help very little, approval doesn't make the device secure.

    The network needs to be robust against insecure devices.

  4. no regulation, but liability by ooloorie · · Score: 3, Insightful

    There shouldn't be "regulation" of these devices, but there should be legal standards and legal liability.

    However, bonk-detecting mattresses aren't where we need to start. Where we actually need to start is by holding financial institutions, corporations, and governments responsible, when they leak information.

    And we need to change the culture of making excuses; politicians like Clinton shouldn't be able to get away with "Russia diddit", when they are stupid enough to expose their E-mails. Rather, such errors should be sufficient for people to consider them incompetent and unsuitable for public office.

  5. Re:No mention of the internet architecture of cour by Pinky's+Brain · · Score: 4, Insightful

    Well that's the problem isn't it, how to create economic incentives for security.

    We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.

  6. Re: I think this whole idea stinks by EmeraldBot · · Score: 3, Interesting

    The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice. Regulation could come in regarding how product can claim compliance. Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is not simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.

    I agree with this mostly, but I do think there need to be some minimum standards for regulation. Some IOT stuff - automated stoves or heating / cooling or whatever - isn't just obnoxious if hacked, it can be downright dangerous if somebody makes the oven set itself on fire while you're asleep. Using a hardcoded check of PASSWORD, for example, is something I think we can all agree is unacceptable, and that shouldn't be tolerated.

    If we do make those standards too, they shouldn't be compromises, they should be seriously tough, and come in shades or grades instead of compromise. You can always let people pass lower, but no company is ever going to do better than the minimum required of them, so "A" had better mean pretty solid protection from hacking...

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  7. Re:No mention of the internet architecture of cour by swb · · Score: 3, Interesting

    AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.

    The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.

    What's the ISP to filter then?