Who's Responsible For IoT Security? (networkworld.com)
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF].
The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
Shit... I think it was me. Sorry guys- the whole thing is my fault. I'll get on it ASAP.
But seriously, if you have one IoT device selling for $59 and an equivalent one with better security selling for $65, I can tell you which people are going to buy.
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff, as well as customers/businesses that are getting the products, should be looking into it.
Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need government interference and regulation there to safeguard public privacy and security, just as much as we have quality standards and approval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.
And I think soon we'll end up with independent businesses whose sole purpose is to do independent testing for security and privacy... I mean, they are already there, seen as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.
It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.
Only worse.
Here you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Who is responsible for physical security? Is it home depot? The lumber yard? The miner who extracted the ore used in the nails for construction? How about the plumber who connected the faucet? Or is it the person who leaves something outside, say a gold chandelier, unchained and hanging from the mailbox at the end of the driveway?
I mean, bleep shitty code, but you have to DMZ and firewall that stuff behind your own VPN.
We read about TVs that ceased to function after firmware upgrades, IP cameras that build botnets, viruses like Stuxnet that were drafted for specific targets, massive DDoS attacks... The world out there surely does not look pretty. If you need me, I will be at the internet attack shelter.
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to this problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider, but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.
Anons need not reply. Questions end with a question mark.
I have been predicting that at some point in the future, all switches, routers, etc. will have a firewall per port so you can control access to, well, everything, but especially this proliferation of IoT.
Make them easily configurable so your TV and refrigerator can talk to each other but nothing else, etc.
No matter what, it's going to be another wild wild west of security problems going forward; so many things have zero support after being shipped, it just works without any regard to security.
... it's the manufacturer's responsibility.
"Enter an administrative password and click Next to continue ..."
I don't expect an award or stuff.
It little behooves the best of us to comment on the rest of us.
First, the vendor provides a default password.
Second, the device needs its password changed before it works.
The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Ultimately the responsibility is the purchaser's. I don't necessarily mean from a legal sense, but from a "why it is the way it is" sense. Security (when compared to convenience) is expensive; it always has been and likely always will be. The cost of security must be included in the product and paid for by the purchaser. People generally want to spend as little as possible for a product and will choose the less expensive option if everything else appears equal or near equal. Since people in general don't understand the complexities and costs of a secure product, they don't feel the need to pay for it. Producers of products ultimately aim to please their customers, and if customers don't want to pay for security, barring external regulation, they won't put security features in their products. Some day customers may demand security, and when that happens manufacturers will oblige. I mentioned regulation as in "the government forces it". While this may happen, if it happens it will happen only if consumers get tired of insecure products and ask their governmental representatives to make the regulations. Either way, the purchasers ultimately have the responsibility for why we don't have security in our products.
I was always taught that if it has sensitive data, it's got to be secured. If it connects to anything else, it must be protected. If you don't want people doing things they aren't supposed to with it, you have to guard it against all inappropriate access and input.
Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
In the United States IoT (Internet of Things) has no legal definition.
Microwave ovens, on the other hand, are legally defined and have several federal regulations concerning them: USC Title 21, Chapter 9, Subchapter V, as well as Subchapter J, parts 1000 through 1005, 1010 and 1030.10.
Manufacturers and individuals get "a pass" unless there is a specific law regulating their behavior.
Please excuse my lack of understanding, but what is the relevance of whether the "IoT" is the local hardware or the network over which the data is shared, or the services on which the data is stored and services provided by the vendor?
No one.
Next question?
Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
Interviewer: Mr. Gandhi, what do you think about security for the Internet of Things?
Mahatma Gandhi: I think it would be a good idea.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremberg settled that for our entire species: "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it; you MUST be liable for the breaches you caused.
This is not a "buyer beware" excuse situation, this is not a "clickthrough license shields me from responsibility", this is flat-out assholes offering known faulty goods for sale. They are responsible, nobody else. The only way to FIX this is to force the people building these shitty devices to take LEGAL responsibility. Nothing else will do. Period.
The OEM of the device, as well as the ISP that connects it to the Internet. The end user does not care or understand what IoT even is.
And software is also the only product where you get away with something like this.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.
That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.
If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.
Bruce wrote a cryptology book back when nobody else would. He's a security journalist.
Security is everybody's responsibility.
Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.
the end user does not care or understand what IoT even is.
That is a problem and needs to change. If someone assists in running a botnet through negligence, they need to be taken to court for that. That the devices should be more secure does not reduce their responsibility to do their part.
Much like a landlord who turns a blind eye to what goes on on their property, they are willfully negligent and should be found guilty of aiding and abetting.
Once a few ordinary people get convicted, then perhaps the rest will start being careful.
The percentage of people capable of configuring their home router to do this is negligible, totally irrelevant to the conversation.
With the currently available crop of consumer oriented operating systems, it is simply NOT POSSIBLE to make a secure device. None of them offer capability based security.... the operating system equivalent to modern electrical standards... imagine trying to hook up every appliance everywhere, with no circuit breakers, no standard outlets, no grounding, no conduit, all supported by post and spool insulators.
Once a program is run, it gets trusted with all authority of the user running it. There are no effective measures to limit the side effects (and thus risk/damage) that a given chunk of code can do.
Another equivalent is like building a Fort out of stacks of C4 explosives.
Until we get HURD, Genode, or a modern replacement for KeyKOS, we can't make secure devices. Stop blaming the developers, or users, or chip makers... it's not their fault. It's the fault of every Linux, MacOS, or Windows fanboy in the world.
ISP control of your internal address range is a bad idea, but that seems to be what IPv6 pushes.
Now what if I need servers on the inside network with fixed IPs and I don't want them to have direct Internet links?
And Comcast cable has their own WiFi network running on the system at your home.
I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Many IoT devices are locked so that only the manufacturer can update them, if even they can. Some have firmware on OTP PROMs and the only way to increase security is to replace the device. But they can still be abused.
Ultimately if an IoT device is insecure it shall be the manufacturer of the device that shall be responsible for correcting the problem.
Also realize that your devices on the net at home may need to be segmented. One segment for devices you can't configure like TV, dishwasher and other mundane stuff that today is "smart". One for your PC and other stuff with personal information. Basic security sanitation operation.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Possibly, people have installed it in stranger places.
Alternatively, you could have it connect to your *BSD box and manage it from there, without needing to allow it to connect to the Internet at large.
"So long and thanks for all the fish."
No. Not the ISP. The ISP should be just a dumb pipe.
"So long and thanks for all the fish."
Unfortunately, security is ultimately going to lead to locked-down devices. Which means only the manufacturers and the government will be able to determine what the device will actually allow you to do with it. Which means that they effectively own it. As such, they will end up owning every piece of consumer goods with a computer in it, and be able to direct it to do what they want, when they want, and obey their "owner" (re: the person who paid for the device but otherwise doesn't own a single thing about it) only when these entities see fit.
I hope I'm wrong, but I seriously doubt I am. This is a fantastic way to bring about 1984, even though we're already seeing plenty of that these days just with what's available now.
This one's pretty easy to figure out. It's the manufacturer ... or in the modern world, the company that creates the product, sent out for manufacturing ... who is responsible for IoT security.
But there is a problem. There is the rush to get the product to market, which means bad code is "good enough", and the lack of any repercussions if security is an afterthought, or worse.
Consumers have a responsibility to insist companies make an effort with security. They simply don't, as they aren't generally sophisticated enough to see a problem exists.
That leaves Government ... yeah, I know ... to protect consumers with legislation. That's how consumer protection works, and it's the only way we know to make it work.
Which brings up another issue ... Government is not very good at technology, and in the current fast-paced digital landscape, they are inclined to let the market sort itself out.
You can see the problem here ... it's a circular situation. No-one is willing, and you can make a good argument that no-one is able (that is, amongst either Consumer watchdogs or the buying public), to identify security as a priority. /. readers might be aware of the problem, but we are not the majority. Tech writers, who are generally not very good at anything beyond cheerleading for the latest gadget, need to step up and make consumers aware that security should be a buying criterion.
They should be shaming manufacturers (putting aside that the term has changed in meaning) into hiring competent code developers and creating secure products. And maybe then at least the problem could be minimized.
End-users whose hardware is used to run a botnet should be liable say some. The manufacturers of the IoT device should secure their devices aver others. ISP's should not be allowed to just provide dumb pipes chime in some. It's a cultural issue says the paper referred to in the article.
To make things interesting, for each candidate scapegoat there are apologists. End-users are too clueless, you can't expect them to take responsibility, say some. The market precludes manufacturers from putting money in (security) features nobody wants, say some. ISP's shouldn't be press-ganged to play network cop, say others.
All of them are both right and wrong, I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturers are responsible for providing a car with certain minimum quality and safety features. They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county, state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individual drivers from making mistakes or driving under the influence.
So it's not a contradiction to say that every actor is liable for a subset of the risks.
The government can do a lot by adopting a law that all and any IoT devices must be capable of being secured among others against unauthorised access. No more no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in because nobody is going to undercut them on that. ISP's shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".
It will take awhile to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.
Besides, there could well be money in it too.
What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution. I think it will find takers in the EU, Japan, Korea, Taiwan at least.
Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?
Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.
"IoT security"
These words are incompatible.
aaaaaaa
>> Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
That's not the purpose of IOT.
IOT has two purposes :
1) for manufacturers to reduce the cost of return by allowing cheap software upgrades instead.
2) collect data to be sold.
IOT devices were never meant to talk to each other.
aaaaaaa
The user. One can sell the consumer all sorts of defective product, it is the consumer that uses them - possibly to detrimental effect. If you want to use insecure IoT appliances that violate your security or privacy then go ahead but STOP COMPLAINING about being burned by that. Your alternative is to not buy them or turn them off or inform yourself BEFORE buying and using them.
ruurd
The manufacturer of the IoT device? Don't want to be responsible for security? Don't include it in your product!
We'll make great pets
The problem indeed, is half cultural; as I wrote in my book High Assurance Design,
At this point, I think that the only way to change the culture on this issue is to make software writers partly or fully liable for the security breaches that result from vulnerabilities in the code. Nothing else will cause security to rise to the top of the priority list.
On the other hand, the problem is partly technical: the procedural von Neumann programming paradigm leads to terrible design. Alternatives such as data flow, event-driven, and functional design are much more robust; but one needs to use languages that support those, and the popular languages are primarily procedural, so again, it comes down to culture.
We all should be concerned about everyone's security.
If you see something insecure and you let it be without saying something, then you are at fault.
Black hats are often worse because, beyond seeing the vulnerability and not reporting it, they exploit it.
So if your internet-enabled tea kettle has a flaw, you know about it, and you didn't do anything about it, such as putting it on a different network with strict firewall rules, and you know how to do this, then you are at fault.
If the store that sold it to you knew about the flaw, didn't alert you, and kept selling it, then they are at fault.
If the manufacturer knows about the flaw and doesn't attempt to fix it or recall it, they are at fault.
If the component maker knows their component used in a particular manner causes a flaw and fails to report it, then they are at fault.
Legally the finger will point up the ladder until a particular group had no way to know it causes a problem or didn't try to reasonably fix it. But each step in the process may get some heat if they knew there was a problem.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Manufacturers should be held liable for bugs in firmware and default-password/no-password-at-all practices... Heck, security researchers might find a massive hole in the system and report it to the manufacturer, and they never release fixed firmware / actually fix the bug... Then there's the user; the user should be held liable for his actions, like setting a weak password, etc...
Whoever turns it on and hooks it up to a network. THAT person is responsible.
How do you let the stupid device's cloud service work? Too many devices are engineered so the smarts are in the "cloud" rather than local.
While I realize most end users neither know nor care about security enough to actually be entirely responsible for security, I believe that the end-user assuming such responsibility is the only answer that makes any real sense when looking at the big picture. Caveat: the manufacturer should make facilities available, and publish sufficient information about managing their device, so that it is at least possible for the end-user to assume such responsibility. As a first prerequisite, this would mean that all Internet connected devices should have an option or facility to connect to the Internet through an end user controlled firewall instead of managing their own such connection.
File under 'M' for 'Manic ranting'
I'd argue:
* Ideally - you wouldn't, so manufacturers stop that stupidity. They're primarily doing it for spyware --- which is exactly what a home router should protect against.
* If for some reason a user really wants to be spied on in that way, they can provide instructions how to open whatever is necessary in a firewall.
* If it has to communicate with a cloud --- especially if it can update itself from the cloud -- that device should ***NOT*** be able to communicate with the rest of your network.
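Several posts in this thread (the home firewall that blocks IoT traffic by default, the suggestion to put "smart" appliances on their own segment, and the list just above) describe the same router policy: IoT devices isolated from the rest of the home network, allowed out only to an explicitly approved cloud endpoint, everything else dropped and logged. The following is an added example, not code from any poster, modelling that policy as a connection-decision function so each rule can be checked against sample flows. The segments, addresses, ports and the per-device cloud allow-list are constructed assumptions, not values from the thread.

```python
"""Added example: a model of a home-router policy that isolates an IoT segment.
All addresses, ports, device records and flows below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments (assumed addressing plan, not from the thread).
LAN = ip_network("192.168.1.0/24")      # PCs, phones, NAS: trusted
IOT = ip_network("192.168.50.0/24")     # TV, fridge, cameras: untrusted
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Per-device cloud allow-list: the one endpoint each appliance may talk to.
# Hypothetical endpoints; a real deployment would take these from the vendor's
# published documentation (the caveat several posters ask for).
CLOUD_ALLOW = {
    "192.168.50.10": {("203.0.113.5", 443)},    # TV update/"cloud" service
    "192.168.50.20": {("198.51.100.9", 8883)},  # camera, MQTT over TLS
}


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as the router sees it (first packet)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def decide(flow):
    """Return (verdict, reason) for a new connection attempt.

    Rule order matters: management from the trusted LAN is allowed first,
    lateral movement out of the IoT segment is denied before any Internet
    rule is consulted, and unsolicited inbound traffic is dropped last.
    """
    s, d = ip_address(flow.src), ip_address(flow.dst)

    # 1. The trusted LAN may reach IoT devices (local control, no cloud needed).
    if s in LAN and d in IOT:
        return "accept", "lan->iot management"

    # 2. IoT may never initiate to the LAN or any private range: this is the
    #    "can't spy on you or hack the rest of your home network" rule.
    if s in IOT and any(d in net for net in PRIVATE):
        return "drop", "iot->private denied (lateral movement)"

    # 3. IoT reaches only its approved cloud endpoint, on the approved port.
    if s in IOT:
        if flow.proto == "tcp" and (flow.dst, flow.dport) in CLOUD_ALLOW.get(flow.src, set()):
            return "accept", "iot->approved cloud endpoint"
        return "drop", "iot->internet not on allow-list"

    # 4. No port forwards: nothing from outside may open a connection inward.
    return "drop", "inbound denied by default"


def audit(flows):
    """Apply the policy to a batch of flows and return one log line per drop."""
    lines = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "drop":
            lines.append(f"DROP {f.proto} {f.src} -> {f.dst}:{f.dport} ({reason})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: a TV phoning its update service, the same TV
    # probing a NAS share, and an outside host trying to reach the camera.
    sample = [
        Flow("192.168.50.10", "203.0.113.5", 443),
        Flow("192.168.50.10", "192.168.1.5", 445),
        Flow("198.51.100.77", "192.168.50.20", 8883),
    ]
    for line in audit(sample):
        print(line)
```

The point of keeping rule 2 ahead of rule 3 is that an allow-list for cloud traffic must never be reachable from a flow whose destination is inside the home; ordering the checks this way makes that impossible regardless of what the allow-list contains.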
While humans are responsible for the IoH, it's clear who is responsible in the IoT.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
It's like asking who is responsible for your web app security?
Tired of my customary (Score:1)
We have two cases. For home devices, even though device manufacturers are responsible, the users need also to be vigilant, but it is hard to make them aware... They are not IT savvy... One easy solution is for the ISPs to watch these devices and make sure no one hijacks them and makes them part of a DDoS network or injects malware into those devices to capture information from other devices at home... ISPs do see all the traffic to/from these devices and it is an easy problem to solve with monitoring software using some form of applied ML/AI... In the enterprise setting, putting a close wrapper on these devices at the point of connection on a switch/wireless-access-point is easy with a software driven solution, and IT is responsible for it, closely working with the security department and the device management folks...
Things that use protocols like Z-Wave for home automation are pretty secure. They become insecure when a smart hub interfaces to the Internet usually through a cloud service.
Once SmartThings, Alexa or Google can talk to the devices, all bets are off! But a Z-Wave network within a home with an edge router (probably running OpenWRT or LEDE) that accepts credentials inbound from the Internet is pretty hard to breach if properly set up with a VPN.
And there is no cloud. Just client access controlled at the edge.
Of course, that requires some knowledge on the consumer's part. Likely, at the minimum the ability to set up a port forward.
Alas, as a device maker, it's better to sell false security and collect all the meta data. It makes it a lot easier to sell to the Consumers Overlooking Working Security aka "cows."
I know the crackers think of them as "cows" like a cattle owner does. Something to round up, corral and slaughter.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
she leaves her office unlocked and her computer on and logged in. She used to complain about people going into her office and looking through her computer, and other stuff, when she wasn't there.
I turned on her screen saver password and let her know the password. She screamed like a banshee at me until I turned the password back off.
Go figure... I'm pretty sure she uses nothing more than slide-to-unlock on her phone as well.
Security is everybody's responsibility.
Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.
My previous television was secure from network attacks by virtue of not having any intelligence at all. My current television is hopefully secure, by virtue of me carefully trying to prevent it from connecting to the Internet. But that doesn't mean that the manufacturer hasn't cleverly included code to, say, connect to any insecure wifi access point it sees, just in case I didn't realize I wanted whatever crapware they are pushing today.
A lot of this is really on the manufacturer. You can build provably secure firmware update systems for that end of things, and beyond that, nothing should ship default insecure. It shouldn't automatically aim at my foot and shoot, I should have to explicitly aim it at my foot and explicitly pull the trigger before it shoots my foot off.
Security is everybody's responsibility.
Exactly. Security is my mom's responsibility because she bought a smart device that she saw advertised and so it's now up to her to figure out how to patch the copy of Linux 2.6.x with all ports open and all services enabled that it's running. It's definitely not the vendor's responsibility, they're just responsible for the shiny box, the advertising, and the long legal disclaimer saying everything is the customer's fault.
Many IoT devices are locked so that only the manufacturer can update them
Or anyone who can spoof an IP address, fake a DNS entry, feed in a particular filename, plug in a USB key, or exploit one of a dozen XSS or buffer overflow vulns.
So basically most of the Internet.
And with 'everybody' you need to include the government as well. Seatbelts are required. We have laws concerning food. We have rules on how to behave in traffic, building codes and a whole lot more rules and regulations that are there to look after our safety.
We often will discuss if these rules are too strict or not strict enough and they differ from country to country (and sometimes from city to city). We have also seen that if these are not enforced, it means nothing.
So what is needed is to set rules and enforce them. That can include specific rules for manufacturers, importers, stores, ISP's, customers and anybody else. e.g. the device needs to be sold with a random password set and the customer will be responsible for using a password. Deactivation would make them responsible.
I know it won't be enough as it does not include things like updates, yet it would be already much better than what we have now.
Don't fight for your country, if your country does not fight for you.
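Two proposals in this thread concern how a device should leave the factory: the earlier post asking that a device need its password changed before it works (with a per-unit default rather than a shared one), and the post above asking that devices be sold with a random password already set. The following is an added example, not code from any poster, showing a first-boot provisioning gate that implements both: each unit gets its own random label password at manufacture, no network service starts until that password has been replaced, and predictable replacements (shared defaults, the serial number, the label password itself) are refused. The `Device` class, its method names and the sample serial are constructed; it assumes a random per-unit label password rather than the serial-number option the earlier poster also mentioned.

```python
"""Added example: a first-boot credential gate for an IoT device.
Class and method names are constructed for illustration; the sample serial
number is made up."""
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000
# Shared defaults that must never be accepted as a replacement password.
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", "root"}


def factory_password(length=12):
    """Per-unit random password generated at manufacture and printed on the label.
    62 symbols ** 12 is roughly 71 bits, so it is not guessable across a fleet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the device stores only salt and digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Device:
    """Models the provisioning state of one unit from the factory onward."""

    def __init__(self, serial):
        self.serial = serial
        self.label_password = factory_password()      # printed on the unit's label
        self.salt, self.digest = hash_password(self.label_password)
        self.password_changed = False
        self.network_enabled = False

    def is_acceptable(self, new_password):
        """Refuse replacements that an attacker could predict from the box or label."""
        low = new_password.lower()
        if len(new_password) < 10:
            return False
        if low in COMMON_DEFAULTS:
            return False
        if self.serial.lower() in low:          # serial is printed on the box
            return False
        if new_password == self.label_password:  # "changing" to the same value
            return False
        return True

    def change_password(self, current, new):
        """Replace the label password; requires proof of the current one."""
        if not verify(current, self.salt, self.digest):
            return False
        if not self.is_acceptable(new):
            return False
        self.salt, self.digest = hash_password(new)
        self.password_changed = True
        return True

    def enable_network(self):
        """The gate: listeners stay down until the label password is gone."""
        if not self.password_changed:
            return False
        self.network_enabled = True
        return True


if __name__ == "__main__":
    unit = Device("SN-000123")                      # constructed serial
    print("network before change:", unit.enable_network())
    print("changed:", unit.change_password(unit.label_password, "Kettle-Steam-7x9q"))
    print("network after change:", unit.enable_network())
```

The gate lives in `enable_network`, not in the web UI, so a unit whose setup wizard is skipped (or whose UI is reachable over a neighbour's open WiFi, as another poster worried) still exposes no service until someone holding the label has replaced the factory secret.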
The Chinese manufacturer should be taken to American court. Got it.
A lot of this is really on the manufacturer. You can build provably secure firmware update systems for that end of things, and beyond that, nothing should ship default insecure.
Absolutely. But that it's on the manufacturer doesn't mean you aren't also required to take responsibility. If you know it's an internet enabled device, it's up to you to make its connection to the internet as safe as possible, including actually configuring your router and checking the logs for suspicious activity, much like checking credit card statements for suspicious activity.
The Chinese manufacturer should be taken to American court. Got it.
No, you didn't get it. The post you replied to calls for taking the users who cause damage through negligence to court.
This will have an impact on manufacturers, as consumers will start looking for more secure devices. But until you give the consumers a reason to pick a more secure and slightly more expensive device, they won't.
I see. Must have misread. Regardless, even with a trail of evidence that follows all chain-of-custody rules, you STILL won't be able to impact the manufacturer NO MATTER HOW THE DEVICE WAS COMPROMISED. Acer was shown to be using a back-doored Marvell chipset in a bunch of phones. Punitive fine? Nope. Restitution to users? Nope. Sanctions imposed on Acer? Nope. Sales of pwned device banned or stopped? Nope. People are dumb, and security is unfortunately unfathomable to most.
What would you define as "no direct Internet link" ? Unable to reach out to the Internet? Or unable to reach directly to the device from outside? NAT buys you "no direct access from outside", barring someone breaking your cable modem security or your activating port forwarding. That's true even if you set DHCP reservations for devices on your internal network. It's even possible to set up a firewall _behind_ your cable modem to block additional traffic.