Slashdot Mirror


US Senators To Introduce Bill To Secure 'Internet of Things' (reuters.com)

Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

20 of 138 comments

  1. Devil is in the details by Lord_Byron · · Score: 4, Interesting

    It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.

    1. Re:Devil is in the details by ctilsie242 · · Score: 3, Insightful

      My question is about "securing". Is this more to secure the device against the user wanting to do stuff with it (anti-jailbreak), or secure it against remote bad guys? I worry every time I see anything government based going into security, because I expect more DMCA type stuff, and not stuff that actually keeps the bad guys out.

  2. Instead of Perimeter Security by Bing+Tsher+E · · Score: 2

    Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.

    1. Re:Instead of Perimeter Security by Bing+Tsher+E · · Score: 2

      But you can legislate greater security for wifi routers. You're right that you can't punish people for not doing something they shouldn't need to know how to do. They can even be marketed as 'more secure wifi routers' and I bet people will buy them. Plus cheap IoT devices to plug into them.

      Securing at the endpoint drives up the price of said endpoint devices. It creates a regulatory environment with a high barrier to entry for new businesses.

    2. Re:Instead of Perimeter Security by bluefoxlucid · · Score: 5, Interesting

      I've actually thought a lot about IoT security, as well as independence from service providers.

      I had at some point started this but uh. Was ... diverted.

      The idea was to have an IoT hub that acts as the gateway to your IoT device. An IoT device or client would connect to an IoT hub via some system (e.g. Bluetooth) that's not flat-out open (e.g. you have to push a button and confirm pairing). The IoT hub uses a self-signed TLS certificate and exchanges it with a newly-generated certificate on the device or client. Voilà: identity.

      It works with self-signed certificates because you have to be physically present to exchange them: you've verified face-to-face with the issuer, so the certificate is valid. Because of this trust, the IoT hub can sign extra certificates, acting as a CA.

      The IoT hub can get itself an IPv6 Internet address. If so, it can exchange that address to your client (e.g. phone, Yubikey) or IoT device (which might now be in another building, communicating over the Internet to your hub!). Now your devices know how to talk to the hub, and can tell it their address if they so desire when they're somewhere off in another network or on the local LAN.

      When your phone, computer, or anything else tries to talk to the IoT Hub, the HTTPS connection initiates over TLS using the exchanged keys: each device authenticates the other by validating certificates first. Your entire attack surface is the kernel's network stack and facilities it uses; the code paths in the Web server that handle the request; and the code paths in your encryption library that validate e.g. Curve25519 ECC (TLS 1.3 required). If you have an exploitable vulnerability and it's not in that set of code, then your IoT Hub and your IoT devices are patently unhackable, period.

      Let's face it: You can't hack what you can't access. The surface I describe above is equivalent to the air gap when you unplug a network cable, except this air gap might be hackable. If you can't hack that air gap, you can't hack what's behind it.

      That leaves you one big, important piece of security: key management. You have to keep those private keys on the client devices away from malicious actors (hackers, worms, trojans). Pass-through to a Yubikey U2F would be great, but ...tricky. The only way to use a hardware security key is to validate the certificate, then do a U2F validation, enlarging the attack surface. In theory, the client software could send a challenge to the Yubikey, get a response, and send a signed session key down the pipe encrypted with the IoT Hub's public key; but you can't use the Yubikey to decrypt something sent encrypted by the certificate, so it's a no-go.

      This is actually app-to-app 2-factor if you're doing it by TLS exchange, then U2F: the app "knows" (permanently stores) its TLS key, and it "has" (is running on a machine physically capable of accessing) the Yubikey.

      So, yeah. Unhackable IoT proxy, for some reasonable definition of "unhackable" (that being the reduction of probability of hackability by restricting the portion of running code in which vulnerabilities will enable a successful exploit).

      The other part was to provide service, either in proxy or right on the IoT hub, packaged as Docker containers. You'd have to provide authentication per-app, validated by IoT device identity (i.e. your Nest Cams each have a separate key, and those keys identify them, and those devices are given access only to the Nest Cam service) or by Client identity (each client application would have a separate key) both at the front-end Web server and by the service itself. Services may be clients of each other.

      So what have we got?

      You can access your IoT devices through your own public IP, rather than bouncing through a cloud service.

      You may be able to disconnect your IoT from the cloud. Google has a lot of stuff with the Ne
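
The hub-as-CA pairing model described in the post above, as an added Go example (not code from the post or from any product): the hub generates a self-signed CA at setup, signs a per-device certificate at the button-press pairing step, and on every later connection accepts only certificates that chain to its own CA, so a certificate issued by someone else's hub is rejected. The names (Hub, Pair, Authenticate, the device id) are assumptions; the TLS handshake in which these certificates would be presented as client and server certificates is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Hub struct {
	ca  *x509.Certificate
	key ed25519.PrivateKey
}

func mustCert(der []byte, err error) *x509.Certificate {
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// NewHub generates the self-signed CA of a hypothetical IoT hub (an assumption, not a real product).
func NewHub(name string) *Hub {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &Hub{ca: mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)), key: key}
}

// Pair is the button-press step: the hub signs a cert naming the device's freshly generated public key.
func (h *Hub) Pair(deviceID string, devPub ed25519.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, h.ca, devPub, h.key))
}

// Authenticate accepts a cert only if it chains to this hub's own CA; the device id is its CommonName.
func (h *Hub) Authenticate(cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(h.ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("not issued by this hub: %w", err)
	}
	return cert.Subject.CommonName, nil
}
```

A real deployment would load the hub's CA into the TLS server's client-certificate pool and the device's certificate into its TLS client config, so the same chain check happens inside the handshake.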

    3. Re:Instead of Perimeter Security by ctilsie242 · · Score: 3, Interesting

      This. I'd like IoT devices to communicate to a hardened hub (or perhaps hubs for redundancy), and the hubs do the work. Each device would have a manifest of what servers it talks to as well, so any communication outside of the pre-arranged files gets blocked.

      This is so simple, it is just crazy that this hasn't been made into a standard.

  3. Hopefully... by thegreatbob · · Score: 2

    Not holding my breath, but hopefully this will result in something resembling sanity. Tired of the pollution of the internet with crap configurations that would have smelled funny even in 1997. In addition to regulations for manufacturers, the end user REALLY needs to become educated about the dangers of connecting stuff all willy-nilly.

    --
    There is no XUL, only WebExtensions...

  4. A non-legislative approach by MobyDisk · · Score: 4, Interesting

    He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.

    This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."

    This approach is nice because it is flexible, and allows the market to decide what standards to apply. I fear Senators trying to write tech legislation.

    1. Re:A non-legislative approach by JoePete · · Score: 3, Insightful

      The market will correct once the courts start permitting businesses and individuals to sue on the grounds of negligence. This remedied problems in the auto industry fairly quickly. If an automaker is liable for the safety errors in its vehicles, then software manufacturers should be liable for their shoddy programming.

    2. Re:A non-legislative approach by erapert · · Score: 2

      How about this: if my device that I bought and that I have control over is attacking other people's property (i.e. their servers) then I should pay a fine.
      The key here is that it must be proved that I have control over my device i.e. I built the device myself and have full access to the works, or it's an open source project and I have the ability to configure it etc.
      If I don't have control over the device (i.e. it's closed source or locked in some way so that I can't configure it) then the entity which has control of it (i.e. the creator of the device) must be held responsible and must pay the fine.

      This would motivate IoT developers to release well-made products instead of half-assed crap with security holes bigger than barn doors.
      Yes, this might slow down the adoption of IoT, but wouldn't that be better than charging headlong into a terrible situation where there's millions of insecure little turds out there botnetting everything?

      Also:
      1. This would preserve the liberty of people to create, buy, and sell whatever they want and it wouldn't raise the barrier to entry arbitrarily like requiring some kind of inspection the standards of which would be kept about as up to date as anything else the government ever does (i.e. too little and too late)

      2. It wouldn't really give the government power to misuse and abuse because they must prove that I have control over the device in order to fine me (they must prove that I caused damage through malice or negligence) rather than just mandating from on high and getting corp kick-backs to relax the rules at their capricious whim

      3. It would allow open source solutions to compete because, if the project is done right, then it'll allow users to take control over their own devices if they want to without jeopardizing the project itself if something goes wrong -- just tweak the source code or a config file and you're all done (you may have to pay the fines first of course but that's what DIY is all about)

      It would allow closed-source solutions to compete because maybe customers don't want to expose themselves to liability they'd rather let the corp take the hit if something goes wrong

      4. Both open source projects and closed source products would have motivation to keep their loops closed and stay off the internet because nobody wants to expose themselves to liability -- this would be a huge win for privacy as a default side-effect of making IoT secure in this way.

      5. Last, but most importantly, it would actually put some teeth into the idea that IoT should be secure. If nobody wants to go through the bother of securing their devices and IoT dies out then, ipso facto it wasn't such a great idea to begin with was it?

    3. Re:A non-legislative approach by MobyDisk · · Score: 2

      Yes, that is a key part of my suggestion. Consider this: it works for electronics. Almost every product sold in the US has the "UL" mark of Underwriters Laboratories. In Europe and Japan they require the "CE" mark. It's really an industry thing. Retailers won't sell electronics that don't have the mark. Homeowners insurance won't pay for your burnt down house if the fire was caused by a non-UL approved device. I have that issue because my 3D printer was a kit so it isn't UL approved.

    4. Re:A non-legislative approach by MobyDisk · · Score: 2

      Many of those businesses are located in China. We won't be able to sue them.

  5. Please... by kurkosdr · · Score: 2

    Please... please... if some deity is listening, make it so this becomes a law. It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs, and soon vacuum cleaners and smoke detectors are to follow.

    1. Re:Please... by XxtraLarGe · · Score: 2

      It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs....

      I just bought a new TV for my bedroom. I specifically avoided getting a "smart" TV for exactly this reason.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.

  6. Spinning wheels by ilsaloving · · Score: 3, Insightful

    It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.

    How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?

  7. An Idea by DickBreath · · Score: 4, Interesting

    I have suggested this plan before.

    Make the manufacturer (not seller) of an IoT device liable for any actual damages that are caused by their IoT device getting hacked.

    That's it. No government standards. No registration. No certification. No mandated testing facilities. (But the market could create certifications and testing facilities on its own.)

    What this would do is change the perverse incentives that currently exist to the correct incentives. Suddenly manufacturers would be all about security! It would be Job #1. Manufacturers might standardize and cooperate on secure Linux distributions upon which they base their products. They might cooperate to improve everyone's security.

    Suddenly manufacturers might consider whether they should have an update mechanism (or not).

    Manufacturers might consider whether certain things should even be connected to the cloud at all! Do we really need a cloud connected toy teddy bear?

    Oh, yes. The retail price of some IoT devices might increase due to the manufacturer's cost of security measures. But that is as it should be. Right now the perverse incentive puts the costs on innocent parties that get DDoS'ed (or worse) by hacked IoT devices. This would fix that.

    --

    I'll see your senator, and I'll raise you two judges.

    1. Re:An Idea by MrEdofCourse · · Score: 2

      I have a few problems with that idea.

      One, as written, you'd have startups unable to afford the risk in whatever the end user does with the product/service.

      For example, I have a WiFi connected power switch. Really, for me, it doesn't need any security at all. Worst case scenario, someone could turn on/off the nightlight attached to it.

      However, someone else could take that same switch and connect it to something that if the power went out as a result of it getting hacked, the loss could be millions or more.

      The other problem comes from determining who is actually to blame for a device being hacked. It could be the device, the user, another device (like the router) or some combination.

      By trying to take it out of government regulation, you'd actually be increasing the reach of government. As it is now, manufacturers are free to offer whatever warranty protection against hacking they want. They could protect the user for $100 in damages, $1,000, etc., or nothing, which some people may be fine with depending on the use case. You're also getting the government involved (the judicial branch) when a device is hacked and the courts need to decide how much and who is to blame.

    2. Re:An Idea by AmiMoJo · · Score: 2

      You are on the right path but I can see a few issues.

      The liability could potentially be huge, and in some circumstances not entirely fair. For example, say the manufacturer used a well respected open source library. Did the right thing by not trying to roll their own security, followed the best available advice and practice... But someone finds a bug in it, and starts exploiting their devices.

      Maybe they can patch it, assuming that the exploit doesn't disable the update mechanism. Even if they can, it takes time to identify the problem and develop and test the fix. It takes time to roll out to all devices. Is it really fair to hold them to potentially huge liabilities?

      There is also the difficulty of holding foreign manufacturers to account, or handling the case where they simply declare bankruptcy and form a new company from the ashes.

      I think the best solution is to make the seller deal with security issues the same way as warranty ones. If you have to disconnect it from your network because it's vulnerable, they either have to fix it under warranty or give you your money back. Any costs you suffer can be settled in the usual way via civil law.

      The UK has a fairly good system for this. A typical crappy consumer grade router should last 5 years, that's a reasonable expectation. If it fails before then, even outside the warranty period, you can get part of your money back. If it fails after 3 years, you get 40% of the purchase price since it lasted only 60% of the expected lifetime.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  8. Internet of Shit by Darkness+Of+Course · · Score: 2

    While I believe it's well intentioned this has zero chance of effecting any change. So a few in Congress are finally aware but the majority of both houses are clueless when it comes to tech (think: a series of tubes clueless). Either it will fail entirely (highest IMO) or it will be broken re something basic regarding the Constitution. It's almost as if half in Congress have never read the document.

    Broken also covers the clear misses that are very likely regarding trying to lock down security for reason X but breaks it for everything else. I have no trust in the Republican controlled Congress and less belief in their ability to do the right thing for any reason at all.

  9. Re:The most important thing... by Anonymous Coward · · Score: 2, Interesting

    The support window should be based on IP rights. As long as a company owns the IP, they should be responsible for patching it.
    If they don't want the responsibility to support their property for the duration of their copyright (however many decades that is now), then they should have the option to make it public domain by making their source code public domain.