US Senators To Introduce Bill To Secure 'Internet of Things'

Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

Devil is in the details

[Lord_Byron]

It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.

Re:Devil is in the details

[ctilsie242]

My question about "securing". Is this more to secure the device against the user wanting to do stuff with it (anti-jailbreak), or secure it against remote bad guys? I worry every time I see anything government based going into security, because I expect more DMCA type stuff, and not stuff that actually keeps the bad guys out.

Re:Devil is in the details

[DickBreath]

. . . for the last thirty five years since it was connected to CompuServe.

Re:Devil is in the details

[Chris+Mattern]

For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away.

And all this is being decided by people with no clue what Nessus is or what it does, and wouldn't understand it if you explained it to them. Oh yeah, this is going to turn out well.

Re:Devil is in the details

[sjames]

That and the findings that amount to user can do odd thing that screws up his own login (equivalent to clicking logout but much harder) but because that's not very exciting we'll say that with extreme handwaving a hurricane could blow up and allow some minor security violation we haven't even imagined yet, much less actually managed to pull off.

Re:Devil is in the details

It'll will be called the annual Purge. All destructive actions against the unsecured IoT equipment will be legal, including murder.

Re:Devil is in the details

[Aighearach]

This is about devices sold to the US Government, so it has nothing to do with jailbreaking consumer devices.

Re:Devil is in the details

[Aighearach]

For example, define "vulnerability".

That isn't a big problem, and it isn't something where bureaucrats need to be particularly smart.

This is only about devices sold to the US government; this means that if the government thinks the device you sold them continues to have known security problems, they have a code to write down that means no agency can buy that device from you anymore, until they're happier with your response.

This just gives the government the needed purchasing responsiveness to deal with this, without relying on each purchasing clerk to know which devices are secure are which are not. This way they'll end up with a list.

Re:Devil is in the details

[KingBenny]

Well, i wast thinking about the same , along the lines of : if these people get involved its about control, not protection. I can understand the need to put your hancock on a piece of paper no one looks at five years from now in the illusion that its legacy (they seem to be big on that ... making history and all, while we all know history, at best for a few thousand years is reserved for only the greatest mass murderers and direct descendants of representatives of one of the one true gods, otherwise if you're lucky your name can live a few hundred ... thats like isaac newton lucky then) So in effect this comes down to,lets spend million on committees (happen to be filled with experts (as its called) who happen to be, each and every one of them connected to some holding or megacorp in one way or anothers ... superlounging lobby lizzards) so the flaw in the system starts there. Bias and favoritism Its always scary when people like that try to "regulate" a system that is actually constantly regulating itself. Devcon the latest isnt even cold yet, its constantly working netflix ddosses itself to check on how to prevent it, all without regulation, two guys with a drone set off a whole street of "smart bulbs", a dude with a magnet hacks a smartgun ... no one asked them too ... in the end these guys might end up being criminals because they "didnt folllow protocol" ... i think maybe they should stick to having coctail parties with tax money and looking good in that 10k suit cos this is not gonna end up for the better (as usual) ... o , sirs and madams, ask around, preferably with people who would be "respected" in the scene and have a bit of an attitude problem (meaning they dont lick your ass to get ahead cos you dont pay them and they wouldnt take your money anyway) dont take my word for it ... :)

Instead of Perimeter Security

[Bing+Tsher+E]

Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.

Re:Instead of Perimeter Security

[Bengie]

Most professionals are too incompetent to properly implement perimeter security, what makes you think a typical end user can? There was a discussion in a firewall forum about how someone purchased some VOIP device for their business because it's standard in their industry, and the official support said they need to forward TCP and UDP ports 4,000-60,000. Why not just drop it in the DMZ while we're at it? This user has no choice but to use this device, otherwise they alienate all of their customers.

Re:Instead of Perimeter Security

[EndlessNameless]

You can't legislate perimeter security. IoT devices run on home networks too, and no sane person is going to start arresting people for misconfiguring their wifi routers.

If each device implements basic hardening and gets security updates, we eliminate 99% of the current problems. Since manufacturers will probably ship the same firmware to home users, that unregulated wasteland will get a little better over time.

This bill only applies to equipment that vendors intend to sell to the US government. More sweeping regulation is warranted, in my opinion, but this will probably get most of the benefits without a heavy regulatory footprint---in time, anyway.

Re:Instead of Perimeter Security

[Bing+Tsher+E]

But you can legislate greater security for wifi routers. You're right that you can't punish people for not doing something they shouldn't need to know how to do. They can even be marketed as 'more secure wifi routers' and I bet people will buy them. Plus cheap IoT devices to plug into them.

Securing at the endpoint drives up the price of said endpoint devices. It creates a regulatory environment with a high barrier to entry for new businesses.

Re:Instead of Perimeter Security

[bluefoxlucid]

I've actually thought a lot about IoT security, as well as independence from service providers.

I had at some point started this but uh. Was ... diverted.

The idea was to have an IoT hub that acts as the gateway to your IoT device. An IoT device or client would connect to an IoT hub via some system (e.g. Bluetooth) that's not flat-out open (e.g. you have to push a button and confirm pairing). The IoT hub uses a self-signed TLS certificate and exchanges it with a newly-generated certificate on the device or client. Viola: identity.

It works with self-signed certificates because you have to be physically present to exchange them: you've verified face-to-face with the issuer, so the certificate is valid. Because of this trust, the IoT hub can sign extra certificates, acting as a CA.

The IoT hub can get itself an IPv6 Internet address. If so, it can exchange that address to your client (e.g. phone, Yubikey) or IoT device (which might now be in another building, communicating over the Internet to your hub!). Now your devices know how to talk to the hub, and can tell it their address if they so desire when they're somewhere off in another network or on the local LAN.

When your phone, computer, or anything else tries to talk to the IoT Hub, the HTTPS connection initiates over TLS using the exchanged keys: each device authenticates the other by validating certificates first. Your entire attack surface is the Kernel's network stack and facilities it uses; the code paths in the Web server that handle the request; and the code paths in your encryption library that validate e.g. Curve 25519 ECC (TLS 1.3 required). If you have an exploitable vulnerability and it's not in that set of code, then your IoT Hub and your IoT devices are patently unhackable, period.

Let's face it: You can't hack what you can't access. The surface I describe above is equivalent to the air gap when you unplug a network cable, except this air gap might be hackable. If you can't hack that air gap, you can't hack what's behind it.

That leaves you one big, important piece of security: key management. You have to keep those private keys on the client devices away from malicious actors (hackers, worms, trojans). Pass-through to a Yubikey U2F would be great, but ...tricky. The only way to use a hardware security key is to validate the certificate, then do a U2F validation, enlarging the attack surface. In theory, the client software could send a challenge to the Yubikey, get a response, and send a signed session key down the pipe encrypted with the IoT Hub's public key; but you can't use the Yubikey to decrypt something sent encrypted by the certificate, so it's a no-go.

This is actually app-to-app 2-factor if you're doing it by TLS exchange, then U2F: the app "knows" (permanently stores) its TLS key, and it "has" (is running on a machine physically capable of accessing) the Yubikey.

So, yeah. Unhackable IoT proxy, for some reasonable definition of "unhackable" (that being the reduction of probability of hackability by restricting the portion of running code in which vulnerabilities will enable a successful exploit).

The other part was to provide service, either in proxy or right on the IoT hub, packaged as Docker containers. You'd have to provide authentication per-app, validated by IoT device identity (i.e. your Nest Cams each have a separate key, and those keys identify them, and those devices are given access only to the Nest Cam service) or by Client identity (each client application would have a separate key) both at the front-end Web server and by the service itself. Services may be clients of each other.

So what have we got?

You can access your IoT devices through your own public IP, rather than bouncing through a cloud service.

You may be able to disconnect your IoT from the cloud. Google has a lot of stuff with the Ne

Re:Instead of Perimeter Security

[phantomfive]

Your idea has promise, but it isn't the lack of ideas that is causing problems. It's vendors leaving their telnet port open without a password. They are not following best practices from decades ago, how can we expect them to implement a modern standard?

Re:Instead of Perimeter Security

[ctilsie242]

This. I'd like IoT devices to communicate to a hardened hub (or perhaps hubs for redundancy), and the hubs do the work. Each device would have a manifest of what servers it talks to as well, so any communication outside of the pre-arranged files gets blocked.

This is so simple, it is just crazy that this hasn't been made into a standard.

Re:Instead of Perimeter Security

[apoc.famine]

They can even be marketed as 'more secure wifi routers' and I bet people will buy them.

I highly doubt that will happen if they cost any more than the insecure ones. Most non-techie people I know use the router that their cable company bundles with their modem. They connect to free wifi everywhere, no matter how dodgy it is. I watched someone the other day having issues with the "Starbucks" free wireless in a coffee shop which was not Starbucks, and nowhere near a Starbucks.
 
Most people are terrible at interneting, and cheap as hell. They're going to buy the cheapest router, and they're going to connect the dodgiest IoT things to it. If you want to make a dent, legislate that the telecos have to provide properly secured routers with monthly security updates, with idiot friendly UIs. That will impact more people than just having more expensive routers available.

Re:Instead of Perimeter Security

[bluefoxlucid]

Standards require organization, or you get 14 standards.

Re:Instead of Perimeter Security

[bluefoxlucid]

Implementing a modern standard is easier than implementing general security. The vendors aren't leaving telnet ports open (most of them, anyway); they're implementing Web applications with shitty validation, listening and processing unauthenticated requests from anywhere and then simply not taking action because the (now-fully-processed) request wants to access a resource that requires authentication. You find a validation bug, you get fun stuff to happen.

The vendors are implementing standards. Poorly. Implementing this standard in any functional way makes them untouchable, so it doesn't matter how shitty their code is.

Re:Instead of Perimeter Security

[BlueStrat]

But you can legislate greater security for wifi routers.

As long as you don't secure devices from US law enforcement and TLAs. Gotta have a "secure backdoor" for law enforcement and the TLAs because somebody might smoke a joint, start organizing political opposition to an incumbent, or even become a whistle-blower and expose illegal government actions without good old Uncle Stal...err...Uncle Sam...monitoring everything. /s

Strat

Re:Instead of Perimeter Security

[phantomfive]

The vendors aren't leaving telnet ports open

A huge chunk of them are. There was a talk at defcon last week (titled "All Your Things Are Belong To Us") where they showed exploits for a couple dozen devices. A good number of them had ports open. The Mirai botnet spread through devices that not only had telnet open, but also had them connected to the internet (which is where your idea would be helpful). You can see the source code and a list of passwords used starting on line 124.

Re:Instead of Perimeter Security

Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.

Relying on a secure perimeter to protect your devices/network is a guaranteed failure in the making.

Defense in depth. It is not a new concept.

Re:Instead of Perimeter Security

[bluefoxlucid]

Fair enough. I haven't run into that as an issue, although I tend to not buy arbitrary IoT stuff. I know it was a problem with printers for a while--FTP and HTTP, not telnet--and otherwise only heard of routers having Telnet open.

Still. The strategy I describe would put the IoT hub on the Internet, but not the IoT devices. Any such vulnerability would be ... rapidly exploited by the first laptop you used to brows Internet Web sites, ad-blocker or not, because of course it would.

It's still a good first step, and the god damned front door is iron-clad and bolted into a reinforced frame and wall. So there are windows; let's worry about that next.

A good idea

Not requiring standards for the entire industry, but for vendors to the Federal government which, if they work, will then propagate as de facto requirements for the private sector.

Hopefully...

[thegreatbob]

Not holding my breath, but hopefully this will result in something resembling sanity. Tired of the pollution of the internet with crap configurations that would have smelled funny even in 1997. In addition to regulations for manufacturers, the end user REALLY needs to become educated about the dangers of connecting stuff all willy-nilly.

Re:Hopefully...

[thegreatbob]

It is a terrifying prospect indeed...

I always feel so much safer when...

[spikenerd]

...legislators get busy solving technical problems they don't understand. We all know they will direct us toward more superfluous complexity that we need to work around, but at least that produces more job security for me. So, in a way, those popular people are the experts at creating security!

A non-legislative approach

[MobyDisk]

He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.

This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."

This approach is nice because it is flexible, and allows the market to decide what standards to apply. I fear Senators trying to write tech legislation.

Re:A non-legislative approach

[exabrial]

Yep, "light touch" approach usually works out in practice better. If the Goverment would do that with net neutrality, we'd be much better off too ("Sorry, we only buy bandwidth from vendors that don't shape the traffic beyond reasonable measures accordings to FIPS-11231")

Re:A non-legislative approach

[R3d+M3rcury]

The government could start by requiring vendors of US government products to meet certain guidelines.

But-but-but-that makes things cost more! Stupid government spending $10,000 for a device that I can buy for $100. The government is wasting taxpayer dollars, etc., etc.

Re:A non-legislative approach

[erapert]

If people aren't willing to pay extra money for "secure" IoT devices then in what meaningful sense can you say that the people really need it?

I often hear of the notion that sometimes things aren't all black-and-white, sometimes there's a gradation. Well, that's what price is: a gradation of how valuable something is.

If people don't want to pay for it, or don't want to pay extra for it, then they literally don't find it that valuable.

Folks may find it much more important in the future, but let's cross that bridge when we get to it, eh? (That's partly why the market value of goods fluctuates, isn't it?)

Re:A non-legislative approach

[MobyDisk]

If people don't want to pay for it, or don't want to pay extra for it, then they literally don't find it that valuable.

True. I think they just don't know.

They see the headlines about how some ISP went down for 2 days causing a massive outage, but they don't know that it was because a million Americans bought compromised IOT devices. But if we had labels and guidelines, they could at least know. Retailers might refuse to carry devices that don't meet the guidelines. Companies like Microsoft or Sony or Nintendo or Google would tout how their devices meet the guidelines. The public would become aware. We just need a brand or a label to get behind.

Lots of people know what "Energy Star" is or "MPAA ratings" are. Even if it is meaningless, at least they are aware.

Re:A non-legislative approach

[JoePete]

The market will correct once the courts start permitting businesses and individuals to sue on the grounds of negligence. This remedied problems in the auto industry fairly quickly. If an automaker is liable for the safety errors in its vehicles, then software manufacturers should be liable for their shoddy programming.

Re:A non-legislative approach

[Gavagai80]

The people with the compromised products don't care, of course. That's why we need a law to prevent people from buying IoT botnets that spend their days attacking the rest of the world.

Re:A non-legislative approach

[Dutch+Gun]

The problem is that those devices are actively harming others on the internet. No one would care as much if it was just inconveniencing the people that bought the shitty devices.

Re:A non-legislative approach

[organgtool]

So we should just wait for enough people to be violated and then let the courts handle it? Based on the current laws, the courts will require you to prove that you personally were harmed which means that you can't sue unless you've personally suffered damage as a result of their negligence. Instead of being reactive, let's be proactive. There are many obvious flaws in the products that make up the Internet of Shit. These can be resolved by doing things such as specifying a minimum period of time that products must be supported as well as levying stiff penalties against companies who sell products with universal passwords enabled. Users should also have the ability to upgrade their devices without relying on third parties (I'm looking at you, manufacturers of broadband modems). I'm sure the first pass of legislation won't fix all of the problems, but life is all about iteratively learning from prior experiences and making the proper adjustments. At this point, something is far better than nothing.

Re:A non-legislative approach

[erapert]

So your solution is to mandate a label of some kind to indicate how secure a product is?

I believe this would improve awareness, but overall would be a weak solution. I would prefer a stronger one.

Re:A non-legislative approach

[erapert]

How about this: if my device that I bought and that I have control over is attacking other people's property (i.e. their servers) then I should pay a fine.
The key here is that it must be proved that I have control over my device i.e. I built the device myself and have full access to the works, or it's an open source project and I have the ability to configure it etc.
If I don't have control over the device (i.e. it's closed source or locked in some way so that I can't configure it) then the entity which has control of (i.e. the creator of the device) must be held responsible and must pay the fine.

This would motivate IoT developers to release well-made products instead of half-assed crap with security holes bigger than barn doors.
Yes, this might slow down the adoption of IoT, but wouldn't that be better than charging headlong into a terrible situation where there's millions of insecure little turds out there botnetting everything?

Also:
1. This would preserve the liberty of people to create, buy, and sell whatever they want and it wouldn't raise the barrier to entry arbitrarily like requiring some kind of inspection the standards of which would be kept about as up to date as anything else the government ever does (i.e. too little and too late)

2. It wouldn't really give the government power to misuse and abuse because they must prove that I have control over the device in order to fine me (they must prove that I caused damage through malice or negligence) rather than just mandating from on high and getting corp kick-backs to relax the rules at their capricious whim

3. It would allow open source solutions to compete because, if the project is done right, then it'll allow users to take control over their own devices if they want to without jeopardizing the project itself if something goes wrong-- just tweak the source code or a config file and you're all done (you may have to pay the fines first of course but that's what DIY is all about)

It would allow closed-source solutions to compete because maybe customers don't want to expose themselves to liability they'd rather let the corp take the hit if something goes wrong

4. Both open source projects and closed source products would have motivation to keep their loops closed and stay off the internet because nobody wants to expose themselves to liability-- this would be a huge win for privacy as a default side-effect of making IoT secure in this way.

5. Last, but most importantly, it would actually put some teeth into the idea that IoT should be secure. If nobody wants to go through the bother of securing their devices and IoT dies out then, ipso facto it wasn't such a great idea to begin with was it?

Re:A non-legislative approach

[MobyDisk]

Yes, that is a key part of my suggestion. Consider this: it works for electronics. Almost every product sold in the US has the "UL" mark of Underwriters Laboratories. In Europe and Japan they require the "CE" mark. It's really an industry thing. Retailers won't sell electronics that don't have the mark. Homeowners insurance won't pay for your burnt down house if the fire was caused by a non-uL approved device. I have that issue because my 3D printer was a kit so it isn't ul approved.

Re:A non-legislative approach

[MobyDisk]

Many of those businesses are located in China. We won't be able to sue them.

Re:A non-legislative approach

[MobyDisk]

then the entity which has control of (i.e. the creator of the device) must be held responsible and must pay the fine.

So what if that entitiy is in China? Or Russia?

Re:A non-legislative approach

[Dutch+Gun]

It's impractical to prosecute or fine individuals with IoT devices, because all there is is an IP address that's flooding the internet with crap. It's not trivial to prove an IP address belongs to an individual, and the investigatory burden you're imposing with your proposed scheme would be too much for any investigatory system to bear.

I don't think home-built or open-source devices are really an issue. Moreover, this sort of regulation is typically only applied to devices that are *sold* commercially. And it's these commercial IoT devices sold by the millions with shit for security, many of which can't be automatically patched, that's the real issue. The IoT industry had their chance, and they blew it, big time. That means it's time for legislation and regulation to step in to protect common interests. This is how ALL government regulation and oversight comes to pass.

1) New industry emerges
2) Reckless practices in a drive for market dominance
3) Profit!
4) Government steps in to regulate the industry when industry fails to regulate itself

The good news is that by forcing a minimum level of security standards, it forces ALL companies to adhere to these standards if they want access to the lucrative US market, and so it should likely improve safety levels across the entire industry (similar to cars and airliners).

Re:A non-legislative approach

[mentil]

My universal constructor is UL approved, but the identical copy isn't. Good luck proving which is which!

Re:A non-legislative approach

[erapert]

I want to agree with you, because regulation seems like such an obvious and straight forward solution... if it works.

But government regulation didn't actually make VW diesel cars comply with emissions regulations. Instead, VW sneaked around it for quite some time before being caught. Who knows how many other car manufacturers are doing the same thing?

Also, how do we keep the security regulations up to date? The arms race between security and malicious attackers is pretty fast paced. I have a hard time believing the government will keep security regulations up to date enough.

And even more importantly: how do we make sure that the government doesn't use "security regulations think of the children" as an excuse to infiltrate all IoT devices and snoop on everyone? They're already basically doing just that and we don't even have IoT widely deployed yet.

So I hesitate to say that we should just have the government regulate IoT security.

Re:A non-legislative approach

[Dutch+Gun]

Yeah, I don't mean to make it sound like regulation is some panacea. Legislation can be just like anything else, good or bad. There's a risk you take in trusting legislation, because it can actually make things *worse* if it's bad, and yes, we've seen a lot of bad legislation. Still, in the case of VW (and colluding partners, allegedly), regulation was only temporarily thwarted, remember.

Generally speaking, I would propose that the best type of legislation is somewhat vague, declaring intent instead of specifics (e.g. "best industry practices"), and perhaps delegates the specifics to a certified third-party, such as UL. We already have a model for doing something like this for electrical safety. Why not delegate the specific rules to experts who can certify individual devices, and then license these companies for this specific purpose?

I'll certainly reserve my judgement on whether this is a good or bad thing depending on whether the legislation is written intelligently or not. But we can't continue as we have, with the wild west approach that's putting an undue burden on the internet infrastructure due to manufacturers obviously not giving a shit whether their devices are secure or not.

Please...

[kurkosdr]

Please... please... if some deity is listening, make it so this becomes a law. It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs, and soon vaccum cleaners and smoke detectors are to follow.

Re:Please...

[XxtraLarGe]

It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs....

I just bought a new TV for my bedroom. I specifically avoided getting a "smart" TV for exactly this reason.

Re:Please...

[TsuruchiBrian]

The batteries on older phones die after like 3 years. Google doesn;t want to spend money supporting older devices that few people still own and use. Maybe google is purposefully making them to fail after a few years, but I've had like 3 nexus 5's and a nexus 4 that are all broken now.

I don't really have that much of a problem buying a new phone every couple of years, and I'd rather Google focus their time and money on current devices.

I don't think I would appreciate this strategy for all devices (i.e. desktop computer components, routers, etc), but I think smartphones are in a different category. They are improving so rapidly. Maybe if the rate of their improvement slows down, it'll make more sense investing in longer lifespans for these devices.

Re:Please...

[thinkwaitfast]

I don't really have that much of a problem buying a new phone every couple of years

There are a lot of people who are not as rich as you.

Re:Please...

[Gavagai80]

The batteries on older phones die after like 3 years. Google doesn;t want to spend money supporting older devices that few people still own and use.

It's not even just older phones that run years old Android versions. It's brand new low-end phones. Which are the majority of phones on the market.

Re:Please...

[knorthern+knight]

> The batteries on older phones die after like 3 years.

Do you not check whether a phone has a user-replacable battery, before you buy it?

> I don't really have that much of a problem buying a new phone every couple of years,

I bet the greedy MBAs love you. Tell me, do you buy a new car every couple of years?

> I don't think I would appreciate this strategy for all
> devices (i.e. desktop computer components, routers, etc),

My desktop, is a 9-year-old Core2 duo with 3 gigs ram, running linux, and still going strong. My ADSL router will be 10 years old this fall.

> but I think smartphones are in a different category. They are improving
> so rapidly. Maybe if the rate of their improvement slows down, it'll
> make more sense investing in longer lifespans for these devices.

Right now, they're adding bling, and removing the good stuff...
* Apple removed the earphone jack
* Apple removed microSD slot
* Apple does everything it can to remove the possibility of jailbreaking

That's "deprovement", not "improvement".

Re:Please...

[TsuruchiBrian]

There certainly are. There are also a lot of people who are much poorer than me, spending more money on smartphones than I do.

Re:Please...

[TsuruchiBrian]

Why do low end phones run on older versions of android? Because it's cheaper. If we start requiring phones to be secure (i.e. running on versions of android that are not obsolete, either by forcing manufacturers to support newer android versions or forcing google to support older versions of android), then those phones will not be so cheap anymore.

Maybe it's a good idea to force people to buy more expensive phones by forcing them to pay the cost for better security. People don't always know what they want, and even when they do, they don't always want the right things.

Re:Please...

[TsuruchiBrian]

Do you not check whether a phone has a user-replacable battery, before you buy it?

No, but it's because I've never had the problem of being unable to replace a battery. My problem is usually that around the time the battery dies, something else also ends up breaking (e.g. the GPS, the Cell radio, etc).

I'm actually thinking about replacing the battery in my nexus 6p as we speak, but I might also just buy a new pixel 2 when those come out.

I bet the greedy MBAs love you. Tell me, do you buy a new car every couple of years?

I probably would if they were 100x cheaper, and every time I got a new one, it was twice as good as my last one. Wouldn't you? It's all about weighing the cost of fixing something vs. the cost of buying a new one, and the relative difference in value of those to propositions.

I actually do spend a lot of time recycling old things rather than buying new ones (e.g. washers, dryers, electronics with blown capacitors or broken solder joints, etc). Smartphones are just not something I think are worth repairing in most cases (there are of course exceptions).

My desktop, is a 9-year-old Core2 duo with 3 gigs ram, running linux, and still going strong. My ADSL router will be 10 years old this fall.

Good for you. I also have a Core2 Duo running linux as my raid NAS. I don't have a bunch of old routers because they don't support high wifi speeds which have become standards recently.

Right now, they're adding bling, and removing the good stuff...
* Apple removed the earphone jack
* Apple removed microSD slot
* Apple does everything it can to remove the possibility of jailbreaking
That's "deprovement", not "improvement".

It sounds like maybe Apple is doing that. But I don't buy apple products. I bought 1 ipod like 15 years ago, and it was only after I found out I could hack to play unencrypted mp3s.

Spinning wheels

[ilsaloving]

It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.

How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?

Re:Spinning wheels

[erapert]

On that point, it isn't the legislators nor their legislation which will secure squat.
It's the hard working engineers and developers of the world who'll do it-- in spite of the legislators and their virtue signalling bills.

Re:Spinning wheels

[Obfuscant]

How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is.

According to TFS, which is just the normal copy from TFA, the legislation says nothing about IoT. It deals with devices that connect to the internet purchased by the US Government. That's a vastly larger collection of things than just "IoT" (but includes IoT) and doesn't require the vendor to say anything about IoT in any marketing material. Your device has an internet port that uses internet protocols to communicate? Tag, this law's for you.

Re:Spinning wheels

[ilsaloving]

Okay, fair enough. But unless the legislation introduces something to the procurement process that isn't already there, then it's still pointless legislation. AFAIK the gov't is supposed to be *already* evaluating such things when they do their purchasing. It's still up to the buyer to verify that the vendor didn't cheat somehow.

Furthermore, this still leave out the consumers who are still getting shafted with shoddy insecure hardware.

Re:Spinning wheels

[Obfuscant]

AFAIK the gov't is supposed to be *already* evaluating such things when they do their purchasing.

It is a good bet that they do not.

Furthermore, this still leave out the consumers who are still getting shafted with shoddy insecure hardware.

Legislating technical standards for production of consumer products often, if not always, has unanticipated side effects. Some of those side effects are good, some are bad. EMI standards, for example, are a good idea in general, but often result in radiation above standards when a consumer uses a product in any way other than what was tested. Or the product costs more and radiates anyway. Or the second and subsequent production runs have what is considered to be a minor engineering change that changes the radiation.

Legislating government procurement standards, however, is a function of the government and has a much lower likelihood of consumer failure.

Patchable != Patched

[OzPeter]

If the end game of IoT is to be ubiquitous then there is no way that you can rely on manual intervention to keep things up to date and secure. So how will this all be enforced?

The most important thing...

[wbr1]

Any device with internet connectivity needs to have s reasonable support window where the manufacturer provides known security updates. The unfortunate side effect is that support has large costs and will either drive down profit, or drive up price. People will care less (anb buy less) when the magical IoT keyfob/light controller/toaster oven costs $500 instead of $99.

Re:The most important thing...

[Bing+Tsher+E]

The big manufacturers who can afford the expensive 'Regulatary Affairs' staff will be delighted to be able to produce $139 toasters instead of $129 toasters if it make it impossible for any upstarts to get into the market. In fact, I bet they would happily form a Trade Association to sit on the project and keep meddlesome startups out.

Re:The most important thing...

The support window should be based on IP rights. As long as a company owns the IP, they should be responsible for patching it.
If they don't want the responsibility to support their property for the duration of their copyright (however many decades that is now), then they should have the option to make it public domain by making their source code public domain.

Re:The most important thing...

[WolfgangVL]

+1 invisible modpoint. Say this again, LOUDER!

Smart people solving problems on both ends of the tool.

"...possess known security vulnerabilities."

[turkeydance]

this bill, as proposed, will not keep up.

$100K year pre site + 1K per device to HPE to mana

[Joe_Dragon]

$100K year per site + 1K / year per device to HPE to manage it. Labor costs extra

Consumer Protection

[QuadEddie]

Let's also add to the bill a minimum support time for internet connected things. This would protect consumers from buying the latest internet connected coffee pot and having it stop working just because they didn't want to run the servers any more after 6 months.

Re:Consumer Protection

[mikael]

They would just put you onto an automated answering system and lead you down a maze of different questions, before reading out a disclaimer, the latest news, then putting you on hold. They would claim that was customer support.

hammers will be billed at 25K each!

[Joe_Dragon]

hammers will be billed at 25K each!

What about redundant systems with rolling updates

[Joe_Dragon]

What about redundant systems with rolling updates so you can update an router with out taking the site down.

meaningless without...

[dAzED1]

Without laws that actual protect consumer information, privacy, etc - no law like this will mean anything. First because it doesn't cover all loses, second because if someone has information but wasn't the person that hacked you, then they're not in the "wrong." It must be made illegal to have the information in the first place. Start with something like the EU "right to be forgotten" and go from there.

auto drive car buy an new car each 4-5 years

[Joe_Dragon]

auto drive car buy an new car each 4-5 years as updates stop after about 4 years or you need an high labor cost (at the dealer) computer swap / or upgrade + the markup. Thing dell / hp like 300-400% markup on HDD's and ram before dealer labor changes.

An Idea

[DickBreath]

I have suggested this plan before.

Make the manufacturer (not seller) of an IoT device liable for any actual damages that are caused by their IoT device getting hacked.

That's it. No government standards. No registration. No certification. No mandated testing facilities. (But the market could create certifications and testing facilities on its own.)

What this would do is change the perverse incentives that currently exist to the correct incentives. Suddenly manufacturers would be all about security! It would be Job #1. Manufacturers might standardize and cooperate on secure Linux distributions upon which they base their products. They might cooperate to improve everyone's security.

Suddenly manufacturers might consider whether they should have an update mechanism (or not).

Manufacturers might consider whether certain things should even be connected to the cloud at all!. Do we really need a cloud connected toy teddy bear?

Oh, yes. The retail price of some IoT devices might increase due to the manufacturer's cost of security measures. But that is as it should be. Right now the perverse incentive puts the costs on innocent parties that get DDOS'ed (or worse) by hacked IoT devices. This would fix that.

Re:An Idea

[TsuruchiBrian]

Aren't IoT manufacturers already liable for damages caused by their products? Are there any special exemptions from normal tort law for IoT devices?

Re:An Idea

[MrEdofCourse]

I have a few problems with that idea.

One, as written, you'd have startups unable to afford the risk in whatever the end user does with the product/service.

For example, I have a WiFi connected power switch. Really, for me, it doesn't need any security at all. Worst case scenario, someone could turn off/off the nightlight attached to it.

However, someone else could take that same switch and connect it to something that if the power went out as a result of it getting hacked, the loss could be millions or more.

The other problem comes from determining who is actually to blame for a device being hacked. It could be the device, the user, another device (like the router) or some combination.

By trying to take it out of government regulation, you'd actually be increasing the reach of government. As it is now, manufactures are free to offer whatever warranty protection against hacking they want. They could protect the user for $100 in damages, $1,000, etc.. or nothing, which some people may be fine with depending on the use case. You're also getting the government involved (the judicial branch) when a device is hacked and the courts need to decide how much and who is to blame,

Re:An Idea

[mentil]

The manufacturer could put a (difficult to access) update mechanism on the device, release a minor update shortly after each manufacturing run, and then claim the owner is responsible since they didn't update and their device is therefore unsupported and the shrinkwrap fine print made the owner liable anyhow.
Alternatively, they'd just increase the retail cost by the cost of liability insurance to cover that unit being hacked, which would almost certainly be cheaper than hiring competent devs and giving them time to actually secure the device.

We're talking about IoT devices, so by definition, they're connected to the internet. Even if the storage is local (rather than everything being uploaded to the cloud), if the device is hacked, there's potentially no difference.

Re:An Idea

[mvdwege]

One, as written, you'd have startups unable to afford the risk in whatever the end user does with the product/service.

And this is a problem how? We also make it impossible for startups to afford industrial development by just dumping their waste in the nearest convenient stream. This is just the digital equivalent.

Re:An Idea

[AmiMoJo]

You are on the right path but I can see a few issues.

The liability could potentially be huge, and in some circumstances not entirely fair. For example, say the manufacturer used a well respected open source library. Did the right thing by not trying to roll their own security, followed the best available advice and practice... But someone finds a bug in it, and starts exploiting their devices.

Maybe they can patch it, assuming that the exploit doesn't disable the update mechanism. Even if they can, it takes time to identify the problem and develop and test the fix. It takes time to roll out to all devices. Is it really fair to hold them to potentially huge liabilities?

There is also the difficulty of holding foreign manufacturers to account, or handling the case where they simply declare bankruptcy and form a new company from the ashes.

I think the best solution is to make the seller deal with security issues the same way as warranty ones. If you have to disconnect it from your network because it's vulnerable, they either have to fix it under warranty or give you your money back. Any costs you suffer can be settled in the usual way via civil law.

The UK has a fairly good system for this. A typical crappy consumer grade router should last 5 years, that's a reasonable expectation. If it fails before then, even outside the warranty period, you can get part of your money back. If it fails after 3 years, you get 40% of the purchase price since it lasted only 60% of the expected lifetime.

Re:An Idea

[painandgreed]

Make the manufacturer (not seller) of an IoT device liable for any actual damages that are caused by their IoT device getting hacked. ... What this would do is change the perverse incentives that currently exist to the correct incentives. Suddenly manufacturers would be all about security! It would be Job #1. Manufacturers might standardize and cooperate on secure Linux distributions upon which they base their products. They might cooperate to improve everyone's security.

Might do some good in some businesses that would be doing the proper thing anyway, but more than likely you'd just see something similar that you see in movie industry or home contractors. You buy Company X but when things go wrong, they're just the brander and seller and the liable company is Company Y. Company Y went out of business pretty much before the product hit the market because they went bankrupt because they licensed from Company Z who owns Company X and the licensing killed them. Meanwhile, there is now Company YY who is making the new model for Company X.

Re:An Idea

[painandgreed]

I have suggested this plan before.

My plan would be to make an actual certified computer engineer trade, and then require them to look at the code and sign off on it. Wouldn't make them liable for everything, but would dictate they have reviewed at the code for bare minimum of security diligence as dictated by the standards of a central authority.

Re:An Idea

[DickBreath]

They may be liable. But it would cost more time and trouble to pursue it than it is worth -- unless you had huge damages.

Re:An Idea

[DickBreath]

Why would startups be unable to afford the risk? If a startup makes a new $500 cloud toaster, I have the same expectation of it not burning my house down while I'm gone than if I bought a $12 toaster at Target from a name brand.

Re:An Idea

[DickBreath]

This is exactly why it would provide a huge incentive for manufacturers to cooperate on security.

Re:An Idea

[TsuruchiBrian]

Right, so I don't see how making them liable for damages they are already liable for would help. It would seem that insecure IoT deviecs don't actually cause that much damage (yet), and maybe it's not really worth the added cost of regulation until there is more damage.

Re:An Idea

[Mike+Van+Pelt]

I have suggested this plan before.

Make the manufacturer (not seller) of an IoT device liable for any actual damages that are caused by their IoT device getting hacked.

But "the manufacturer" is some outfit somewhere in China that can't easily be served with a lawsuit from the US. As soon any serious effort is made, it disappears, and some company with a different names starts selling the same thing.

Re:An Idea

[Bengie]

Liability insurance has refused to pay out in cases where the client did not hire competent employees. Insurance is in the business of minimizing the amount they have to pay by legally protecting themselves and accurately assessing risk. Incompetent devs are high risk and if the client does not convey this, they're in breach of contact, zero pay out. Has happened more than once for high profile cases.

Re:regulations of job market

[DickBreath]

Due to a shortage of experienced people needed to fill those entry level security jobs that require no experience, the law will allow outsourcing these security jobs.

Internet of Shit

[Darkness+Of+Course]

While I believe it's well intentioned this has zero chance of effecting any change. So a few in Congress are finally aware but the majority of both houses are clueless when it comes to tech (think: a series of tubes clueless). Either it will fail entirely (highest IMO) or it will be broken re something basic regarding the Constitution. It's almost as if half in Congress have never read the document.

Broken also covers the clear misses that are very likely regarding trying to lock down security for reason X but breaks it for everything else. I have no trust in the Republican controlled Congress and less belief in their ability to do the right thing for any reason at all.

Oh goodie.

[Doc+Right]

Like home automation equipment isn't expensive enough already. Now we get to add on government red tape and delays to market while some inept bureaucracy looks over a new device. Your $50 light switch just doubled in price.

Why not just not buy them?

[Scarred+Intellect]

The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.

"We can't be bothered to do our own research on what we buy, so you aren't allowed to sell us those. And to make sure you comply, we'll do our own research on what you sell us!"

Why not just mandate that the government can't buy those? That would be a lot simpler and accomplish the exact same thing. Neither addresses the real issue, but that's obviously not what this is about.

Support for out of date products.

[dschnur]

There are many IOT companies that market a product, sell it, design it, then die; in that order too.

A light switch can last decades. I'm going to use that has a hypothetical IOT device.

Let's say there is an orphaned brand of light switch that was installed in many places decades ago. It might have been "secure" when it was released, but encryption and systems security are only as good as the next few generations of computers. At some point in the future, everything will need to be patched.

All else being equal, we need to make sure that orphaned devices can be supported in the future via open source or have some form of insurance to replace expensive insecure systems when companies drop the ball.

IMHO it's not much of a problem now, but as IOT matures, there will be many orphaned, and possibly forgotten devices waiting to get breached.

  -D

Industry "security" standards are the problem

[gweihir]

These standards are pretty worthless. Unless you significantly exceed them, your products will suck at security.

Re:Industry "security" standards are the problem

[Opportunist]

Then don't use them. All they affect is your ability to sell to the US government.

âoepatchableâ

[bobmajdakjr]

lol yeah right. we notice your system sucks here is a little lib from the nsa so we can help you keep it âoeup to dateâ looooollllololol noooope

Waste of time

[WillAffleckUW]

In all the mil tests we found there was always an IoT backdoor.

Always.

Without exception.

It's the nature of forgetfullness. "Honey, did you remember to update the toaster and the fridge?"

End of Life?

[MrLogic17]

Requiring updates is good and all, but for how long?
Even Microsoft was reluctant to patch XP. Somone, somewhere is still running WIndows 95. Are they entitled to patches?

Say I buy a $50 IP camera for home security. Do I still demand patches in 2 years? 5 years? 10 years?

This might lead to a "kill switch" for cheap IoT devices once they go EOL. New model next year, no budget to patch both, so let's kill last year's. Otherwise, support costs will bring down any company.

For a car analogy, there's a time limit that manufacturers have to stock parts - Ford doesn't still offer parts for the Model-T. I just don't know what the IoT equivalent should be.

Re:End of Life?

[Opportunist]

Don't worry. This only applies if they want to sell to the government. If they only want to sell you their junk, they're fine.

Even Ireland scrapped voting computers.

[Neuronwelder]

They completely destroyed the voting computers and went to paper. Computers are great, but not for voting. https://en.wikipedia.org/wiki/...

Classic "screw you, we got ours" behaviour

[Opportunist]

Have you read TFS? They don't make it mandatory to make IoT devices patchable or even at least secure the moment they get shipped, all they do is say that if you want to sell your crap to the government it has to be.

So no, the Intelligently Designed Internet Of Things Systems can still be sold to their acronym.

Re:Could be good, could be bad

[Opportunist]

Yes. For themselves. Not for us.