Who's Responsible For IoT Security? (networkworld.com)
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF].
The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
Janit0r is responsible because he bricks your insecure devices. ;)
Anons need not reply. Questions end with a question mark.
Who's Responsible For IoT Security?
Shit... I think it was me. Sorry guys- the whole thing is my fault. I'll get on it ASAP.
But seriously, if you have one IoT device selling for $59 and an equivalent one with better security selling for $65, I can tell you which people are going to buy.
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely different matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.
Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need government interference and regulation there to safeguard public privacy and security just as much as we have quality standards and approval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.
And I think soon we'll end up with independent businesses whose sole purpose is to do independent testing for security and privacy... I mean, they are already there, seen as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.
It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.
Only worse.
Here you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Betteridge's law says no one is.
says they're not responsible for anything under any circumstances.
We read about TVs that ceased to function after firmware upgrades, IP cameras that build botnets, viruses like Stuxnet that were drafted for specific targets, massive DDOS attacks... The world out there surely does not look pretty. If you need me, I will be at the internet attack shelter.
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to this problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.
I have been predicting that at some point in the future, all switches, routers, etc. will have a firewall per port so you can control access to, well, everything but especially this proliferation of IOT.
Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
No matter what, it's going to be another wild wild west of security problems going forward; so many things have zero support after being shipped, it just works without any regard to security.
Security is everybody's responsibility. That's why I only use OpenBSD. The developers of OpenBSD have shown us that they care about security. They understand security. They take security very seriously. They do their part by creating a secure OS. I do my part by using the secure OS they've created, and ensuring I follow their recommended practices to keep it secure.
... it's the manufacturer's responsibility.
"Enter an administrative password and click Next to continue ..."
I don't expect an award or stuff.
It little behooves the best of us to comment on the rest of us.
First, the vendor provides a default password.
Second, the device needs its password changed before it works.
The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
Run a vulnerability scan against your customers at random.
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Ultimately the responsibility is the purchaser's. I don't necessarily mean from a legal sense, but from a "why it is the way it is" sense. Security (when compared to convenience) is expensive, it always has been and likely always will be. The cost of security must be included in the product and paid for by the purchaser. People generally want to spend as little as possible for a product and will choose the less expensive option if everything else appears equal or near equal. Since people in general don't understand the complexities and costs of a secure product, they don't feel the need to pay for it. Producers of products ultimately aim to please their customers and if customers don't want to pay for security, barring external regulation, they won't put security features in their products. Some day customers may demand security and when that happens manufacturers will oblige. I mentioned regulation as in "the government forces it". While this may happen, if it happens it will happen only if consumers get tired of insecure products and ask their governmental representatives to make the regulations. Either way the purchasers ultimately have the responsibility for why we don't have security in our products.
It depends. Is the vulnerability a hardware/firmware flaw? A software bug? A configuration without checks? Misuse?
Answer that, and it'll be clear who's responsible. Companies should audit their hardware and software. Vendors should educate their customers. And the last one: customers need to listen to people who understand the domain better than they do.
None of those will happen, but one can dream.
trump obvs
I was always taught that if it has sensitive data, it's got to be secured. If it connects to anything else, it must be protected. If you don't want people doing things they aren't supposed to with it, you have to guard it against all inappropriate access and input.
Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
The developers are taking orders from the people paying their salaries. When the people who sign the checks demand unreasonable deadlines and refuse to pay extra in development costs for security then how is that the developers' fault? We want to write secure software, but that requires extra care in the craftsmanship of the code and the QA and testing effort. There isn't money in the budget for those things, so our desire for security is denied by the people signing the checks. Assuming that most developers don't know or don't care about security is incorrect. It's management's fault that IoT devices have crappy security because they don't want to pay for better security. That's more or less the truth of it.
No one.
Next question?
Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
Interviewer: Mr. Gandhi, what do you think about security for the Internet of Things?
Mahatma Gandhi: I think it would be a good idea.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
I suppose we could authorize the Department of Homeland Security to hack-to-disable all devices which are hackable by some collection of techniques, and then manufacturers would be required to at least meet those requirements.
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremberg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable for the breaches you caused.
This is not a "buyer beware" excuse situation, this is not a "clickthrough license shields me from responsibility", this is flat-out assholes offering known faulty goods for sale. They are responsible, nobody else. The only way to FIX this is to force the people building these shitty devices to take LEGAL responsibility. Nothing else will do. Period.
By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.
That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.
If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.
The percentage of people capable of configuring their home router to do this is negligible, totally irrelevant to the conversation.
With the currently available crop of consumer oriented operating systems, it is simply NOT POSSIBLE to make a secure device. None of them offer capability based security.... the operating system equivalent to modern electrical standards... imagine trying to hook up every appliance everywhere, with no circuit breakers, no standard outlets, no grounding, no conduit, all supported by post and spool insulators.
Once a program is run, it gets trusted with all authority of the user running it. There are no effective measures to limit the side effects (and thus risk/damage) that a given chunk of code can do.
Another equivalent is like building a fort out of stacks of C4 explosives.
Until we get HURD, Genode, or a modern replacement for KeyKOS, we can't make secure devices. Stop blaming the developers, or users, or chip makers... it's not their fault. It's the fault of every Linux, MacOS, or Windows fanboy in the world.
ISP control of your internal address range is a bad idea, but that seems to be what IPv6 pushes.
Now what if I need servers on the inside network with fixed IPs and I don't want them to have direct Internet links?
And Comcast cable has their own WiFi network running on the system at your home.
I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Maybe there will be a Landru to look over us and our things? We do seem to be kind of 'absorbed' at times in this technology we created from our own brains.
You are not of the body!
Unfortunately, security is ultimately going to lead to locked-down devices. Which means only the manufacturers and the government will be able to determine what the device will actually allow you to do with it. Which means that they effectively own it. As such, they will end up owning every piece of consumer goods with a computer in it, and be able to direct it to do what they want, when they want, and obey their "owner" (re: the person who paid for the device but otherwise doesn't own a single thing about it) only when these entities see fit.
I hope I'm wrong, but I seriously doubt I am. This is a fantastic way to bring about 1984, even though we're already seeing plenty of that these days just with what's available now.
This one's pretty easy to figure out. It's the manufacturer ... or in the modern world, the company that creates the product, sent out for manufacturing ... who is responsible for IoT security.
But there is a problem. There is the rush to get the product to market, which means bad code is "good enough", and the lack of any repercussions if security is an afterthought, or worse.
Consumers have a responsibility to insist companies make an effort with security. They simply don't, as they aren't generally sophisticated enough to see a problem exists.
That leaves Government ... yeah, I know ... to protect consumers with legislation. That's how consumer protection works, and it's the only way we know to make it work.
Which brings up another issue ... Government is not very good at technology, and in the current fast-paced digital landscape, they are inclined to let the market sort itself out.
You can see the problem here ... it's a circular situation. No-one is willing, and you can make a good argument that no-one is able (that is, amongst either Consumer watchdogs or the buying public), to identify security as a priority. /. readers might be aware of the problem, but we are not the majority. Tech writers, who are generally not very good at anything beyond cheerleading for the latest gadget, need to step up and make consumers aware that security should be a buying criterion.
They should be shaming manufacturers (putting aside that the term has changed in meaning) into hiring competent code developers and creating secure products. And maybe then at least the problem could be minimized.
I say brick remotely the insecure ones and then let the (l)users themselves sort out who is to blame for the fiasco.
End-users whose hardware is used to run a botnet should be liable, say some. The manufacturers of the IoT device should secure their devices, aver others. ISPs should not be allowed to just provide dumb pipes, chime in some. It's a cultural issue, says the paper referred to in the article.
To make things interesting, for each candidate scapegoat there are apologists. End-users are too clueless, you can't expect them to take responsibility, say some. The market precludes manufacturers from putting money in (security) features nobody wants, say some. ISPs shouldn't be press-ganged to play network cop, say others.
All of them are both right and wrong, I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturers are responsible for providing a car with certain minimum quality and safety features. They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county, state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individual drivers from making mistakes or driving under the influence.
So it's not a contradiction to say that every actor is liable for a subset of the risks.
The government can do a lot by adopting a law that all and any IoT devices must be capable of being secured, among others against unauthorised access. No more, no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in because nobody is going to undercut them on that. ISPs shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".
It will take a while to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.
Besides, there could well be money in it too.
What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution. I think it will find takers in the EU, Japan, Korea, Taiwan at least.
Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?
Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.
"IoT security"
These words are incompatible.
>> Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
That's not the purpose of IOT.
IOT has two purposes:
1) for manufacturers to reduce the cost of returns by allowing cheap software upgrades instead.
2) collect data to be sold.
IOT devices were never meant to talk to each other.
The user. One can sell the consumer all sorts of defective product, it is the consumer that uses them - possibly to detrimental effect. If you want to use insecure IoT appliances that violate your security or privacy then go ahead but STOP COMPLAINING about being burned by that. Your alternative is to not buy them or turn them off or inform yourself BEFORE buying and using them.
ruurd
The manufacturer of the IoT device? Don't want to be responsible for security? Don't include it in your product!
We'll make great pets
See subject: Vs. AMT/Intel Mgt. Engine security woes - ports 16992-16995 so filter those ports in a modem/router external to OS/PC. It's what AMT uses.
Once you disable the AMT engine's software interface (ez)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(Per links in my 'p.s.' below - I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
* Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, outside of the INTEL chipset, & stopped external to it via a router/firewall hardware.
APK
P.S.=> Per my subject line above - I've LONG suggested port filtering & even farther back than these security guides of mine from 2006 actually https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22How+to+Secure+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ ... apk
You're responsible for your own network. I don't mean you're responsible for your IoTs, I mean you're responsible to not get DDoSed by them.
The problem, indeed, is half cultural; as I wrote in my book High Assurance Design,
At this point, I think that the only way to change the culture on this issue is to make software writers partly or fully liable for the security breaches that result from vulnerabilities in the code. Nothing else will cause security to rise to the top of the priority list.
On the other hand, the problem is partly technical: the procedural von Neumann programming paradigm leads to terrible design. Alternatives such as data flow, event-driven, and functional design are much more robust; but one needs to use languages that support those, and the popular languages are primarily procedural, so again, it comes down to culture.
Manufacturers should be held liable for bugs in firmware and for default password/no password at all practices... Heck, security researchers might find a massive hole in the system, report it to the manufacturer and they never release fixed firmware / actually fix the bug... Then there's the user; the user should be held liable for his actions, like setting a weak password, etc...
Whoever turns it on and hooks it up to a network. THAT person is responsible.
Developers create devices, such as IoT thermostats, garage door openers, baby monitors, access points, cars, and more using Linux and Unix as a starting point. Much of the problem is that they set default usernames and passwords. When the consumer receives these devices, they are not prompted to set up a new password. Since the usernames and passwords are well documented, all that is needed is a program which scans for open ports, combined with user / password combinations. Root accomplished.
The remainder of the problem is that companies creating these devices don't support updates in an attempt to coerce users to purchase new devices. How many phones are stuck at an older version of Android or iOS? Often there is no reason for this other than that the developer chose not to release a patch or upgrade. All software contains holes which need to be patched. All that is necessary is a program which sends the packets required to take advantage of the vulnerability. Root accomplished.
To solve these problems, IoT vendors should be required to maintain support for devices for five years from the last date of sale. They should also be required to include a password setup screen during installation.
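The first-boot rule the posts above describe (a vendor default, or the serial number as the cheaper default, that must be changed before the device does anything) as an added example; this is not code from the thread or from any vendor, and `DeviceAuth`, the action names and the serial numbers are hypothetical.

```python
"""First-boot credential gate for an IoT admin interface (added example).
Constructed model: the device ships 'unprovisioned'; every action except
set_password is refused until the owner replaces the shipped password with
one that is not the factory default, not the serial number and not trivially
weak.  DeviceAuth, the action names and the serial numbers are hypothetical.
"""
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"          # constructed vendor-wide default
MIN_LENGTH = 10
# Constructed short blocklist; a real device would ship a much larger one.
COMMON_WEAK = {"password123", "1234567890", "qwertyuiop", "letmein1234"}


class DeviceAuth:
    """Password store plus the provisioning gate for one device."""

    def __init__(self, serial, default_is_serial=False):
        self.serial = serial
        self.provisioned = False
        self.failed_attempts = 0
        # The shipped password is either the shared factory default or, as the
        # thread suggests as the cheaper alternative, the unit's own serial.
        shipped = serial if default_is_serial else FACTORY_DEFAULT
        self._salt, self._hash = self._derive(shipped)

    @staticmethod
    def _derive(password, salt=None):
        # Salted PBKDF2 so a dumped flash image does not yield the password.
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return salt, digest

    def _verify(self, password):
        _, digest = self._derive(password, self._salt)
        return hmac.compare_digest(digest, self._hash)

    def weakness(self, candidate):
        """Return why a candidate is unacceptable, or None if it is fine."""
        if candidate is None or len(candidate) < MIN_LENGTH:
            return f"password must be at least {MIN_LENGTH} characters"
        low = candidate.lower()
        if low == FACTORY_DEFAULT.lower():
            return "password must differ from the factory default"
        if low == self.serial.lower():
            return "password must not be the device serial number"
        if low in COMMON_WEAK:
            return "password is on the common-password list"
        return None

    def handle(self, action, password, new_password=None):
        """Simulated admin endpoint. Returns (HTTP-style status, message)."""
        if not self._verify(password):
            self.failed_attempts += 1
            return 401, "bad credentials"
        self.failed_attempts = 0
        if not self.provisioned and action != "set_password":
            # The gate: nothing works until the shipped password is replaced.
            return 403, "set a new password before using the device"
        if action == "set_password":
            reason = self.weakness(new_password)
            if reason:
                return 400, reason
            self._salt, self._hash = self._derive(new_password)
            self.provisioned = True
            return 200, "password set"
        return 200, f"{action} ok"


if __name__ == "__main__":
    cam = DeviceAuth("CAM-000123")
    print(cam.handle("stream", "admin"))                        # 403
    print(cam.handle("set_password", "admin", "admin"))         # 400
    print(cam.handle("set_password", "admin", "correct horse battery"))
    print(cam.handle("stream", "correct horse battery"))        # 200
```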
How do you let the stupid device's cloud service work? Too many devices are engineered so the smarts are in the "cloud" rather than local.
While I realize most end users neither know nor care about security enough to actually be entirely responsible for security, I believe that the end-user assuming such responsibility is the only answer that makes any real sense when looking at the big picture. Caveat: the manufacturer should make facilities available, and publish sufficient information about managing their device so that it is at least possible for the end-user to assume such responsibility. As a first prerequisite, this would mean that all Internet connected devices should have an option or facility to connect to the Internet through an end user controlled firewall instead of managing their own such connection.
File under 'M' for 'Manic ranting'
I'd argue:
* Ideally - you wouldn't, so manufacturers stop that stupidity. They're primarily doing it for spyware --- which is exactly what a home router should protect against.
* If for some reason a user really wants to be spied on in that way, they can provide instructions how to open whatever is necessary in a firewall.
* If it has to communicate with a cloud --- especially if it can update itself from the cloud -- that device should ***NOT*** be able to communicate with the rest of your network.
While humans are responsible for the IoH, it's clear who is responsible in the IoT.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
It's like asking who is responsible for your web app security?
We have two cases - For home devices, even though device manufacturers are responsible, the users need also to be vigilant, but it is hard to make them aware...They are not IT savvy...One easy solution is for the ISPs to watch these devices and make sure no one hijacks them and makes them part of a DDOS network or injects malware into those devices to capture information from other devices at home...ISPs do see all the traffic to/from these devices and it is an easy problem to solve with a monitoring software using some form of applied ML/AI... In the enterprise setting, putting a close wrapper on these devices at the point of connection on a switch/wireless-access-point is easy with a software driven solution and IT is responsible for it, closely working with the security department and the device management folks...
Things that use protocols like Z-Wave for home automation are pretty secure. They become insecure when a smart hub interfaces to the Internet usually through a cloud service.
Once SmartThings, Alexa or Google can talk to the devices all bets are off! But a Z-Wave network within a home with an edge router (probably running OpenWRT or LEDE) that accepts credentials inbound from the Internet is pretty hard to breach if properly set up with a VPN.
And there is no cloud. Just client access controlled at the edge.
Of course, that requires some knowledge on the consumer's part. Likely, at the minimum the ability to set up a port forward.
Alas, as a device maker, it's better to sell false security and collect all the meta data. It makes it a lot easier to sell to the Consumers Overlooking Working Security aka "cows."
I know the crackers think of them as "cows" like a cattle owner does. Something to round up, corral and slaughter.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
She leaves her office unlocked and her computer on and logged in. She used to complain about people going into her office and looking through her computer, and other stuff, when she wasn't there.
I turned on her screen saver password and let her know the password. She screamed like a banshee at me until I turned the password back off.
Go figure... I'm pretty sure she uses nothing more than slide-to-unlock on her phone as well.
It feels too late to add security to IoT, the devices are too low cost, and there are too many manufacturers. The security horse has left the barn on this one.
It could have been different if there was a CSA/UL type of standards body right from the beginning. Now however...
Maybe we need to look at this differently. Mice have lots of baby mice. Their environment is dangerous for all sorts of reasons, not least of which is that many creatures like to eat baby mice. The mice have responded to these pressures by having more baby mice, to make up the losses. And that system works.
Maybe that's how we need to view IoT. These are throwaway devices in an insecure environment. When you deploy, deploy 100% or 200% more devices than you need because you anticipate very high losses.
It wouldn't have been my preferred IoT outcome but the security ship has sailed! And even now the IoT manufacturers are full of nothing but excuses for why their crap product offerings cannot be secured.
What would you define as "no direct Internet link" ? Unable to reach out to the Internet? Or unable to reach directly to the device from outside? NAT buys you "no direct access from outside", barring someone breaking your cable modem security or your activating port forwarding. That's true even if you set DHCP reservations for devices on your internal network. It's even possible to set up a firewall _behind_ your cable modem to block additional traffic.