Who's Responsible For IoT Security? (networkworld.com)
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF].
The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
Who's Responsible For IoT Security?
Shit... I think it was me. Sorry guys- the whole thing is my fault. I'll get on it ASAP.
But seriously, if you have one IoT device selling for $59 and an equivalent one with better security selling for $65, I can tell you which people are going to buy.
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.
Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need government interference and regulation there to safeguard public privacy and security just as much as we have quality standards and approval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.
And I think soon we'll end up with independent businesses whose sole purpose is to do independent testing for security and privacy... I mean, they are already there, seen as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.
It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.
Only worse.
Here you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to this problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.
Anons need not reply. Questions end with a question mark.
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell them not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Ultimately the responsibility is the purchaser's. I don't necessarily mean from a legal sense, but from a "why it is the way it is" sense. Security (when compared to convenience) is expensive, it always has been and likely always will be. The cost of security must be included in the product and paid for by the purchaser. People generally want to spend as little as possible for a product and will choose the less expensive option if everything else appears equal or near equal. Since people in general don't understand the complexities and costs of a secure product, they don't feel the need to pay for it. Producers of products ultimately aim to please their customers and if customers don't want to pay for security, barring external regulation, they won't put security features in their products. Some day customers may demand security and when that happens manufacturers will oblige. I mentioned regulation as in "the government forces it". While this may happen, if it happens it will happen only if consumers get tired of insecure products and ask their governmental representatives to make the regulations. Either way the purchasers ultimately have the responsibility for why we don't have security in our products.
NAT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NAT. This provides an excellent opportunity to filter connections _into_ your local environment, as well as data _leaving_ your local environment.
I'm seeing companies, partners, and clients entirely disable IPv6 on their local network because the increased address space encourages every device to be routable and accessible from the Internet at large. And I'm in full agreement, and it's an approach I encourage. There should be almost _no_ home or workspace networks that are routable from the Internet at large. I've seen the consequences repeatedly, and they are _dangerous_.
Botnets taking control of machines inside your local network are only one of the dangers, and they are a surprisingly frequent danger. Fools or abusers inside your local network hosting popular traffic of which you were not aware and consuming _enormous_ amounts of your network resource and your paid-for bandwidth are another.
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremberg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable for the breaches you caused.
This is not a "buyer beware" excuse situation, this is not a "clickthrough license shields me from responsibility", this is flat-out assholes offering known faulty goods for sale. They are responsible, nobody else. The only way to FIX this is to force the people building these shitty devices to take LEGAL responsibility. Nothing else will do. Period.
By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.
That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.
If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.
Security is everybody's responsibility.
Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.
You want a Firewall, not NAT.
"First they came for the slanderers and I said nothing."
With the currently available crop of consumer oriented operating systems, it is simply NOT POSSIBLE to make a secure device. None of them offer capability-based security.... the operating system equivalent to modern electrical standards... imagine trying to hook up every appliance everywhere, with no circuit breakers, no standard outlets, no grounding, no conduit, all supported by post and spool insulators.
Once a program is run, it gets trusted with all authority of the user running it. There are no effective measures to limit the side effects (and thus risk/damage) that a given chunk of code can do.
Another equivalent is like building a Fort out of stacks of C4 explosives.
Until we get HURD, Genode, or a modern replacement for KeyKOS, we can't make secure devices. Stop blaming the developers, or users, or chip makers... it's not their fault. It's the fault of every Linux, MacOS, or Windows fanboy in the world.
I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Many IoT devices are locked so that only the manufacturer can update them - if even they can. Some have firmware on OTP PROMs and the only way to increase security is to replace the device. But they can still be abused.
Ultimately if an IoT device is insecure it shall be the manufacturer of the device that shall be responsible for correcting the problem.
Also realize that your devices on the net at home may need to be segmented. One segment for devices you can't configure like TV, dishwasher and other mundane stuff that today is "smart". One for your PC and other stuff with personal information. Basic security sanitation operation.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
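The two points made above about a default-deny home firewall and a separate segment for "smart" appliances can be combined in one router ruleset. The following is an added example in nftables syntax, not code from any commenter or from the paper; it assumes interface names lan0 (trusted LAN), iot0 (IoT VLAN) and wan0 (uplink), and it adds a single table rather than replacing an existing NAT configuration.

```nft
#!/usr/sbin/nft -f
# Added example: keep IoT devices on their own interface and deny them by default.
# Assumed interfaces: lan0 = trusted LAN, iot0 = IoT VLAN, wan0 = uplink.

table inet iot_segment {
    set iot_allowed_tcp {
        type inet_service
        elements = { 443 }        # explicit allowlist: HTTPS only
    }
    set iot_allowed_udp {
        type inet_service
        elements = { 53, 123 }    # DNS and NTP
    }

    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already allowed in either direction.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may reach IoT devices (e.g. to control a TV)...
        iifname "lan0" oifname "iot0" accept

        # ...but IoT devices never initiate traffic toward the trusted LAN.
        # Logging these attempts is the detection signal for a misbehaving device.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan: " drop

        # IoT devices reach the Internet only on the allowlisted services.
        iifname "iot0" oifname "wan0" tcp dport @iot_allowed_tcp accept
        iifname "iot0" oifname "wan0" udp dport @iot_allowed_udp accept
        iifname "iot0" oifname "wan0" log prefix "iot-egress-denied: " drop

        # Nothing from the Internet reaches either segment unsolicited.
        iifname "wan0" log prefix "inbound-denied: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the kernel log then shows which appliance is trying to talk to the LAN or to a service that was never allowed.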
This one's pretty easy to figure out. It's the manufacturer ... or in the modern world, the company that creates the product, sent out for manufacturing ... who is responsible for IoT security.
But there is a problem. There is the rush to get the product to market, which means bad code is "good enough", and the lack of any repercussions if security is an afterthought, or worse.
Consumers have a responsibility to insist companies make an effort with security. They simply don't, as they aren't generally sophisticated enough to see a problem exists.
That leaves Government ... yeah, I know ... to protect consumers with legislation. That's how consumer protection works, and it's the only way we know to make it work.
Which brings up another issue ... Government is not very good at technology, and in the current fast-paced digital landscape, they are inclined to let the market sort itself out.
You can see the problem here ... it's a circular situation. No-one is willing, and you can make a good argument that no-one is able (that is, amongst either Consumer watchdogs or the buying public), to identify security as a priority. /. readers might be aware of the problem, but we are not the majority. Tech writers, who are generally not very good at anything beyond cheerleading for the latest gadget, need to step up and make consumers aware that security should be a buying criterion.
They should be shaming manufacturers (putting aside that the term has changed in meaning) into hiring competent code developers and creating secure products. And maybe then at least the problem could be minimized.
End-users whose hardware is used to run a botnet should be liable say some. The manufacturers of the IoT device should secure their devices aver others. ISPs should not be allowed to just provide dumb pipes chime in some. It's a cultural issue says the paper referred to in the article.
To make things interesting, for each candidate scapegoat there are apologists. End-users are too clueless, you can't expect them to take responsibility say some. The market precludes manufacturers from putting money in (security) features nobody wants say some. ISPs shouldn't be press-ganged to play network cop say others.
All of them are both right and wrong I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturers are responsible for providing a car with certain minimum quality and safety features. They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county, state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individual drivers from making mistakes or driving under the influence.
So it's not a contradiction to say that every actor is liable for a subset of the risks.
The government can do a lot by adopting a law that all and any IoT devices must be capable of being secured among others against unauthorised access. No more no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in because nobody is going to undercut them on that. ISPs shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".
It will take a while to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.
Besides, there could well be money in it too.
What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution. I think it will find takers in the EU, Japan, Korea, Taiwan at least.
Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?
Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.