Slashdot Mirror


Experts Propose Standard For IoT Firmware Updates (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Security experts have filed a proposal with the Internet Engineering Task Force (IETF) that defines a secure framework for delivering firmware updates to Internet of Things (IoT) devices. Filed on Monday by three ARM employees, their submission has entered the first phase of a three-stage process for becoming an official Internet standard. Titled "IoT Firmware Update Architecture," their proposal -- if approved -- puts forward a series of ground rules that device makers could implement when designing the firmware update mechanism for their future devices. The proposed rules are nothing out of the ordinary, and security experts have recommended and advocated for most of these measures for years. Some hardware vendors are most likely already compliant with the requirements included in this IETF draft. Nonetheless, the role of this proposal is to have the IETF put forward an official document that companies could use as a baseline when designing the architecture of future products. This document could also serve as a general guideline for lawmakers who could draft regulations forcing manufacturers to adhere to this baseline. Some of the main requirements put forward by three ARM engineers in their IETF draft include: The update mechanism must work the same even if the firmware binary is delivered via Bluetooth, WiFi, UART, USB, or other mediums; The update mechanism must work in a broadcast type of delivery, allowing updates to reach multiple users at once; End-to-end security (public key cryptography) must be used to verify and validate firmware images.

61 comments

  1. frosty MAB psot by Hognoxious · · Score: 1

    Slight flaw: even if this costs 0.00000001 cents per device that's 0.00000001 cents too much.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re: frosty MAB psot by Anonymous Coward · · Score: 1

      As usual, your post isn't correct. While the value placed on security is very low, definitely far too low, it isn't zero as your post suggests. There has to be some consideration of the risk of fines or a lawsuit because of improper security on IoT devices. If the risk is deemed low, the value placed on security will also be disproportionately low, but it is nonzero. When the lack of security results in substantial fines and/or forced recalls that significantly cut into a business's profits, the value placed on security will rise. I'd suggest a law that deems any device with a security hole discovered within five years from the initial release is defective and must either be fixed (such as with a software patch) or recalled with a full refund of the purchase price to the customer. For companies outside of the US that don't comply with these orders, block any products from that country from being imported until they comply. Increase the risk to the companies and they will place a greater value on security.

    2. Re: frosty MAB psot by Hognoxious · · Score: 1

      As usual, your post isn't correct.

      Whatever. At least it's not pure fantasy...

      When the lack of security results in substantial fines and/or forced recalls that significantly cut into a business's profits

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    3. Re: frosty MAB psot by Anonymous Coward · · Score: 1

      Following industry standard security procedures probably shields the vendor from a lot of liability both from consumers claiming the devices are defective and from others harmed by DDoS attacks from IoT botnets. Following these standards reduces the risk, and if the risk is substantial enough, there will be plenty of incentive to implement them. Establishing regulatory standards for what constitutes a defective device and implementing procedures for handling such defects raises the risk for companies that don't follow those standards. Following industry standard security practices basically allows the vendor to say they weren't aware they were shipping a defective device, so they're probably more shielded from liability as long as they fix the devices or recall them and refund consumers. Would you like to add anything to this?

    4. Re: frosty MAB psot by Hognoxious · · Score: 1

      "Establishing regulatory standards" is the single point of failure.

      I won't say that it can't happen. After all, new cars come with seatbelts now.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re: frosty MAB psot by Anonymous Coward · · Score: 1

      As usual, your post isn't correct. While the value placed on security is very low, definitely far too low, it isn't zero as your post suggests. There has to be some consideration of the risk of fines or a lawsuit because of improper security on IoT devices. If the risk is deemed low, the value placed on security will also be disproportionately low, but it is nonzero. When the lack of security results in substantial fines and/or forced recalls that significantly cut into a business's profits, the value placed on security will rise.

      Mind citing for me all those lawsuits and fines that have been against IoT manufacturers due to shitty security practices?

      Yeah, I thought so. Shitty security isn't something that was invented with IoT. As indicated in TFA, security experts have been recommending these practices for years. And for years they've been ignored because of the sheer lack of impact.

      I'd suggest a law that deems any device with a security hole discovered within five years from the initial release is defective and must either be fixed (such as with a software patch) or recalled with a full refund of the purchase price to the customer.

      95% of consumer electronics these days have a 1-year warranty. You expect to mandate a manufacturer's give-a-shit level beyond that? Talk about fucking delusional...

    6. Re: frosty MAB psot by sjames · · Score: 1

      Now, name any case where a crappy IOT device faced a fine or forced recall for any reason.

    7. Re: frosty MAB psot by Anonymous Coward · · Score: 0

      "Establishing regulatory standards" is the single point of failure.

      I won't say that it can't happen. After all, new cars come with seatbelts now.

      But there are still vehicles on the road that do not have seat belts due to "grandfathering" in the law. Thus, those vehicles are still "unsafe" from that POV.

      Any law that mandates security updates has to mandate a "sunset" provision to remove the unsecure devices from use in order to be truly effective.

      And the likelihood of that happening is practically nil.

      And then we have to worry about where all of those unsecure devices are gathered up once they are "decommissioned"....

    8. Re: frosty MAB psot by Anonymous Coward · · Score: 0

      But there are still vehicles on the road that do not have seat belts due to "grandfathering" in the law. Thus, those vehicles are still "unsafe" from that POV.

      Which part of "new cars" confused you?

    9. Re: frosty MAB psot by arglebargle_xiv · · Score: 1

      And that's the problem with this proposal. IoT doesn't get updated because of a lack of standards for doing so (there have been firmware-update standards around for a lot longer than IoT, e.g. this one), but because the vendors don't care about it, or the device can't be updated. Proposing a standard isn't going to change this.

      In any case this isn't a standard, it's a bunch of ruminations jotted down on paper. To be a standard, it has to be at least 100 pages long, include XML, HTTP, TCP, and LDAP, and require five different parsing engines for different portions of the protocol in order to work.

  2. Lock-in by isj · · Score: 2

    End-to-end security (public key cryptography) must be used to verify and validate firmware images.

    Sounds good to prevent bootloader trojans etc. But it does mean you cannot tinker with the device yourself unless the vendor allows the mechanism to be bypassed. And what happens if the vendor goes out of business - then no one can create new firmware?

    Overall, I think it is a reasonable measure to prevent massive botnets running on all kinds of devices, but I do hope there is a physical bypass of the verification.

    1. Re: Lock-in by Anonymous Coward · · Score: 1

      It seems like there ought to be a second key pair unique to each device and the private key is distributed to the end-user when the device is sold. That key allows the user to sign custom firmware. Upon doing so, the user assumes all liability for damage caused to others by the custom firmware (if it's vulnerable and is exploited to harm others) and the warranty won't cover damage to the device caused by using such firmware but otherwise remains in effect.

    2. Re: Lock-in by isj · · Score: 1

      If the device private key is distributed in electronic form to the user then a trojan could scour their computer looking for it. I'd prefer a physical mechanism as that prevents remote manipulation. A sticker on the device with the private key would work. A DIP switch or similar inside the device would work too.

    3. Re: Lock-in by Anonymous Coward · · Score: 1

      Just put a physical switch or jumper on the device that tells it to allow unsigned firmware that can be switched back to safe mode once your custom firmware is applied. 99% of people won't ever know it's there or use it.

    4. Re: Lock-in by Anonymous Coward · · Score: 1

      That switch costs money. Besides manufacturers do not like people with will.

    5. Re:Lock-in by Aighearach · · Score: 1

      Well, they've got "public key cryptography" and also "broadcast" so this is just another libdvdcss situation and the encryption is meaningless.

    6. Re:Lock-in by Anonymous Coward · · Score: 0

      Did you read the proposal? https://tools.ietf.org/html/dr...

      PKI is being applied for end-to-end security (i.e. signing the payloads and verifying them before install) so that the payloads can be transported over insecure HTTP, USB keys, etc. without compromising them (including broadcast updates).

      While I'm not against securing the payloads with PKI there are three glaring problems with the proposal in this regard:

      1. They don't recommend timestamping the PKI signatures. Without timestamps the payloads are only usable for as long as all keys in the chain are *not* expired. With timestamps the keys and payload are guaranteed valid at the point of timestamping and can continue to be used for installation after one or more keys in the chain have expired.
      2. They recommend rejecting updates if they are older than the active firmware. This prevents security researchers from installing older versions for pentesting and regression analysis.
      3. They fail to recommend a path for users installing their own PKI private keys so that they can install their own firmware. This means IoT devices will only be useful for as long as manufacturers provide updates. Look how well that works for owners of Lenovo devices - typically Lenovo provides NO UPDATES EVER for any of their Android devices.
    7. Re:Lock-in by Darinbob · · Score: 1

      I work on IoT, and don't want this faux standard solution. There's going to be a fight though; the standards fans who insist we adopt this instantly so that they can add another buzzword to the marketing literature, and the implementors who will point out that it won't fit, will use up too much battery life, and so forth. It's one thing to have security guidelines that everyone should follow, but making this a standard that applies equally to 8-bit sensors all the way up to 64 bit phones is pointless.

      Most of these IoT standards are just a lot of me-too people jumping on bandwagons.

  3. How about a standard for IoT security by Opportunist · · Score: 4, Insightful

    I'm thinking of something akin to the FCC Title 47 CFR Part 15. You know, the "this gadget can handle interference and doesn't broadcast interference" sticker you find on every piece of equipment sold in the US. By law, these things have to comply with this.

    How about a "this gadget can handle malformed and malicious signals from the internet and does not broadcast any" sticker? And noncompliance gets you slapped with a fine from here to Albuquerque.

    You can't do that? Then stop putting an internet connection on your fucking toaster and you're fine!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:How about a standard for IoT security by Anonymous Coward · · Score: 0

      Does not matter.

      You can have a crack team who are dedicated to building these things. Full on glorious update structure your customer never touches. It just works and is nicely updated. You have a 100% coverage rate.

      Then
      Sorry your device is EOL no updates.
      or
      Sorry company went out of business 3 years ago no updates.

    2. Re:How about a standard for IoT security by Hognoxious · · Score: 1

      Not sure how putting stickers on them will help.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    3. Re:How about a standard for IoT security by bws111 · · Score: 5, Informative

      Except you have completely misread that FCC notice. The notice puts zero requirements or liability on the manufacturer of the device, it is about the requirements and limitations on the USE of the device. 'Must accept interference' does not mean 'can handle interference', it means that if the device does not work because of interference, you have no legal recourse. 'Must not cause harmful interference' means that if the device is interfering with a licensed service, even if the device is operating perfectly, you must stop using it. If you continue using it, YOU, not the manufacturer, will be fined.

      So a similar thing on the Internet would be: this gadget may malfunction if it receives bad data. If it does, too bad. If this device is sending out harmful packets you must stop using it. If you don't, you will be fined.

    4. Re:How about a standard for IoT security by Anonymous Coward · · Score: 0

      I'm thinking of something akin to the FCC Title 47 CFR Part 15. You know, the "this gadget can handle interference and doesn't broadcast interference" sticker you find on every piece of equipment sold in the US. By law, these things have to comply with this.

      That's kind of a horrible idea, and will only encourage IoT manufacturers to get more sloppy with their security!

      Instead of punishing the end-user and giving the manufacturer legal immunity, like you suggested, we really need to punish the manufacturer for the manufacturer's poor decisions.

      After all, if Acme made a lightbulb with a backdoor password yet claims on the box it is secure, the end-user hasn't done anything wrong beyond believing the manufacturer's claims. The fault of the backdoor password is completely on the manufacturer's head.

      If you give manufacturers immunity like you say, it would be in their benefit to sell insecure products intentionally.
      Just imagine the situation that would make: manufacturer sells a million insecure widgets for $20 each, so they make $20 million. Then when those devices are made into a botnet, the end-users need to pay yet again when the courts determine damages, despite the end-users not being the ones responsible for that lack of security, and the manufacturers walk away with a profit.

      You should never pay for the right to be a criminal due to someone else's actions.

    5. Re:How about a standard for IoT security by Anonymous Coward · · Score: 0

      So a similar thing on the Internet would be: this gadget may malfunction if it receives bad data. If it does, too bad. If this device is sending out harmful packets you must stop using it. If you don't, you will be fined.

      As opposed to now where if you have a malicious device then too-bad-so-sad for everyone else.

      Ideally it should be the manufacturer, but as a second-best option, if people find out that they'll be fined, they'll junk the device and never use that OEM again. News (true or false) spreads rapidly nowadays, and one's reputation can sink quickly (just ask Kevin Spacey).

    6. Re:How about a standard for IoT security by Anonymous Coward · · Score: 1

      The notice puts zero requirements or liability on the manufacturer of the device, it is about the requirements and limitations on the USE of the device.

      Then fine anyone who buys and uses these devices. The resulting bad press should have at least some effect on the sales.

    7. Re:How about a standard for IoT security by Anonymous Coward · · Score: 0

      I'm thinking of something akin to the FCC Title 47 CFR Part 15. You know, the "this gadget can handle interference and doesn't broadcast interference" sticker you find on every piece of equipment sold in the US. By law, these things have to comply with this.

      How about a "this gadget can handle malformed and malicious signals from the internet and does not broadcast any" sticker? And noncompliance gets you slapped with a fine from here to Albuquerque.

      You can't do that? Then stop putting an internet connection on your fucking toaster and you're fine!

      Let's assume you get what you want.

      What evidence do you have that the government is going to help you here?

      Do you really think cheap RF devices actually comply with that damn sticker? No one's checking.

    8. Re:How about a standard for IoT security by Anonymous Coward · · Score: 0

      If this device is sending out harmful packets you must stop using it. If you don't, you will be fined.

      Always funny when things are so convoluted and fucked up that the voice of reason shines out of what was intended as sarcasm.

      Of course the evil big money players would fuck it up and start with fines of $250,000, when in fact, starting with a fine of $0.25 is what would solve the problem over night.

    9. Re:How about a standard for IoT security by mea2214 · · Score: 1

      You can't do that? Then stop putting an internet connection on your fucking toaster and you're fine!

      Stop telling your Internet connected toaster the IP of your gateway router. Problem solved.

    10. Re:How about a standard for IoT security by Opportunist · · Score: 1

      Well, you may only put the sticker on if your system complies with its requirements.

      You may only sell your gadget if it has the sticker.

      See how it would help?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:How about a standard for IoT security by Opportunist · · Score: 1

      Works for me too, might make people think twice before buying crappy IoT junk if they suddenly get to pay for putting a bank out of business for a few days.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:How about a standard for IoT security by Opportunist · · Score: 1

      You mean the gateway router that the ISP configured with a DHCP-Server that you do not have the password to so you could reconfigure it (provided you know how to, anyway)? That gateway router?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:How about a standard for IoT security by thegarbz · · Score: 1

      Except for the obvious problem: The least secure devices are those pieces of Chinese shit that make it across the border yet can't even draw the FCC or CE logos correctly much less actually have proper certification.

      This is before you actually realise that the liability on Part 15 lies 100% with the user and not at all with the manufacturer.

  4. Can we not do this? by Anonymous Coward · · Score: 0

    IoT is completely useless, and while a few people will buy this (they'll buy anything), sales will be "disappointing" while the damage to the internet is immense.
    As a society, we should just call the whole thing off.

    1. Re: Can we not do this? by Anonymous Coward · · Score: 0

      Fucking retard. Proper IoT has countless benefits to society. Just-in-time delivery of goods, services, and maintenance alone can save billions of dollars a year while reducing waste.

  5. Common Sense, isn't common. by geekmux · · Score: 1

    "...security experts have recommended and advocated for most of these measures for years."

    This tends to highlight the chances of security experts being heard this time around.

    I've come to the conclusion that manufacturers like burning themselves on the proverbial stove over and over again. It's reached a level of ignorance that is beyond reproach. Watch and see how proposed standards will be ignored due to a potential impact on profits. Greed is all that matters.

    1. Re:Common Sense, isn't common. by Anonymous Coward · · Score: 0

      It's not just greed. I mean, is "move fast enough to stay ahead of the competition", the alternative to which typically means becoming at best an also-ran, at worst going bankrupt, really "greed"? There's also "management lacks the relevant clue" and other stupidity, which is greed only in the eye of people who know better. So to make it greed you have to show they knew better, or ought to have known better because "everyone else" in the industry knows better and told them, making their ignorance wilful. Before that it's ignorance, or "doing the needful", not outright greed.

      Anyway, I'm curious how these three randos became "experts" except in the breathless bullshitting that is bleepingcomputer that beauhd and msmash love so much. Because, you know, public key cryptography is well and good, but they might just have ended up killing alternative firmwares for good. Be careful what you ask for; you might just get it.

  6. Not the problem by Anonymous Coward · · Score: 1

    Some hardware vendors are most likely already compliant ...

    The problem isn't an inability to upgrade the hardware; it is:

    1) Inadequate security built into the device
    2) Refusal to provide updates.

    Both of these problems extend from portable/IoT devices using a monolithic system. If pluggable modules were used for middleware, anybody could write an update for all devices using that CPU. The OEM only has to convert that into an encrypted update, which is a lot less responsibility and means devices can be maintained for 6-10 years. Such a methodology has its own security issues but they aren't complex. It's just no-one wants to develop a standard, even with a first-mover advantage: It's not the vendor who will be attacked because of poor device security.

    ... the firmware update mechanism ...

    Shoddy practices will continue as long as customers and service providers devalue security. It's necessary to win their 'hearts and minds', then vendors will be forced to follow.

  7. Right to be offline and unconnected from Internet. by Anonymous Coward · · Score: 0

    They will privately regulate your things from ex-your computer through Internet, dear ex-user.

    The remote cryptography is for lock/unlock the life that you can do to this signed genuine computer.

    So, don't waste your $$$ from this crap.

  8. Unfortunately.. by Junta · · Score: 1

    That would be frowned upon as it would be opening things up for supply chain attacks.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re: Unfortunately.. by Anonymous Coward · · Score: 0

      DIP switch is the best idea, just like all computer BIOS updates should require a manual switch or jumper

    2. Re: Unfortunately.. by Anonymous Coward · · Score: 0

      ... all computer BIOS updates should require a manual switch or jumper

      This is the dictionary definition of "that doesn't scale".

    3. Re: Unfortunately.. by Anonymous Coward · · Score: 0

      Doesn't need to scale, duck scaling.

  9. More productive.. by Junta · · Score: 1

    Standard to identify devices and their vendors and automatically filter network access depending on vendor and vitality of vendor. If a vendor of your IoT device goes away, then no longer allow the device to reach out to the non-existent servers. If vendor is still around, limit connectivity based on addresses that would be relevant to said vendor.

    This is of course a terrible sort of thing, but the IoT devices and vendors are themselves already terrible and limited, so in that context, it's a matter of picking the lesser of the evils, and these devices' security problems can ruin the experience of everyone, not just those who opt into the silly things.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:More productive.. by Orgasmatron · · Score: 1

      Egress control should have become a core feature of residential and small office firewall/router units back during the massive worm days, but it never did.

      Why am I letting random_device_03 make unlimited, unfiltered, unmanaged outgoing connections in the first place? Well, I'm not. But why does my neighbor's plug-and-play router do that?

      --
      See that "Preview" button?
    2. Re:More productive.. by Anonymous Coward · · Score: 1

      Because they need to "just work" for non-technical folks which are 99% of their customers.

  10. Cryptographic signing? by Hal_Porter · · Score: 1

    As part of the IOT Botnet Operators' Guild, I'd like to point out that The Right To Tinker means that all keys for signing firmware should be made available to all users.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    1. Re:Cryptographic signing? by Anonymous Coward · · Score: 0

      No. That would allow the bad guys to sign malicious firmware as official. Better option is to allow the device to accept custom signed firmware that you can upload your signing keys to.
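
The verification step this comment and the Lock-in thread above keep circling (a vendor key fixed at manufacture, an optional owner-enrolled key for custom firmware, and the draft's refusal of images older than the running one), as an added Go example that is not from the IETF draft or from anyone in the thread. The manifest layout, field names and the physical-presence enrolment step are assumptions; key expiry and signature timestamping from the three-point critique are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the signed metadata that travels
// with a firmware image. Only the fields this thread argues about are
// modelled: a version (for anti-rollback) and the image digest; the
// signature covers both, so the image itself can travel unprotected.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Sig       []byte // ed25519 signature over Version || ImageHash
}

// Device is the trust state of one unit: the vendor key fixed at manufacture,
// an optional owner key (assumed to be enrolled through some physical-presence
// step such as a jumper, not modelled here), and the running version.
type Device struct {
	VendorKey      ed25519.PublicKey
	OwnerKey       ed25519.PublicKey // nil until the owner enrols one
	RunningVersion uint32
	AllowRollback  bool // false by default: older images are refused
}

var (
	ErrBadSignature = errors.New("manifest not signed by a trusted key")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("image older than running firmware")
)

// NewKeyPair wraps ed25519 key generation (crypto/rand is used when rand is nil).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes is the canonical byte string the signature is computed over.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+len(imageHash))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], imageHash[:])
	return buf
}

// SignManifest is the build-time step run by whoever holds a signing key:
// the vendor, or an owner with an enrolled key of their own.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Sig: ed25519.Sign(priv, signedBytes(version, h))}
}

// Verify is the check run before flashing, whatever path delivered the bytes
// (HTTP, USB stick, broadcast): trust rests on the signature, not the transport.
func (d *Device) Verify(m Manifest, image []byte) error {
	msg := signedBytes(m.Version, m.ImageHash)
	trusted := ed25519.Verify(d.VendorKey, msg, m.Sig) ||
		(d.OwnerKey != nil && ed25519.Verify(d.OwnerKey, msg, m.Sig))
	if !trusted {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrDigest
	}
	if m.Version < d.RunningVersion && !d.AllowRollback {
		return ErrRollback
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	ownerPub, ownerPriv := NewKeyPair()
	dev := &Device{VendorKey: vendorPub, RunningVersion: 5}
	image := []byte("constructed firmware image, not a real binary")

	fmt.Println("vendor-signed v6:      ", dev.Verify(SignManifest(vendorPriv, 6, image), image))
	fmt.Println("vendor-signed v4:      ", dev.Verify(SignManifest(vendorPriv, 4, image), image))
	fmt.Println("owner-signed, no key:  ", dev.Verify(SignManifest(ownerPriv, 6, image), image))
	dev.OwnerKey = ownerPub // the assumed physical-presence enrolment
	fmt.Println("owner-signed, enrolled:", dev.Verify(SignManifest(ownerPriv, 6, image), image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:        ", dev.Verify(SignManifest(vendorPriv, 6, image), tampered))
}
```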

    2. Re:Cryptographic signing? by Anonymous Coward · · Score: 0

      Woosh...

    3. Re:Cryptographic signing? by Anonymous Coward · · Score: 0

      IOTBOG thanks you for your support.

    4. Re: Cryptographic signing? by Anonymous Coward · · Score: 0

      All big IoT botnets run from ram, so this won't affect you.

  11. Hackers do not care about certifications. by Anonymous Coward · · Score: 0

    Hackers do not care about certifications.

    Reality does not care about certifications.

    1. Re:Hackers do not care about certifications. by Opportunist · · Score: 1

      Hackers don't.

      Companies trying to do business do.

      People potentially liable for operating faulty devices do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. This'll work about as well... by Anonymous Coward · · Score: 0

    as getting timely Android updates for non-Google branded phones. Great to have a standard, but the cheap bastards aren't going to use it.

    1. Re: This'll work about as well... by Anonymous Coward · · Score: 0

      I don't even get timely updates for a google branded phone. what difference does it make?
      The problem here is that we aren't provided with updates for most devices.

  13. Ironically this is why I buy Apple products by goombah99 · · Score: 1

    For years I would only buy Apple Wifi Hubs (air ports). The rationale was simple: there was a built in mechanism to update the firmware. Your Mac computer would detect the firmware update was available and let you know. Then you okayed the download and provisioning. While I might have paid $40 extra to get the airport over a cheaper alternative without that, I knew I was getting a great service and peace of mind. It also meant I didn't have to learn any new arcane processes for monitoring every different router or worry the company would stop supplying updates for the "cheap" router I bought. Indeed you can never even tell if a cheap router is even upgradable.

    Thus like the XKCD cartoon points out trying to unify standards is a temporary business. But conversely it's a business opportunity for companies that do provide peace of mind.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  14. Missing requirement by Alain+Williams · · Score: 1

    that user settings should be preserved across an update. It can be frustrating when user choices are reset to default and allow the vendor access to things that you had closed off (Microsoft - I am looking at you).

  15. Sounded like a maybe at first, now it's a no vote by Anonymous Coward · · Score: 0

    I was already wary of this until I got to:

    "This document could also serve as a general guideline for lawmakers who could draft regulations forcing manufacturers to adhere to this baseline."

    Now I think we've gone past the maybe to it's a terrible idea. If this is where we are headed I don't want to take part. If users don't want to partake in purchasing crappy products stop buying crappy products. I don't use many many products/companies: Facebook anything, Microsoft anything, Apple anything, Google almost anything (except for search, when I'm desperate), Twitter, most "smart" devices (no smart TV here, but sadly I do have a "smart" phone, though did get away with a dumb phone for a long time, open source OS is the only selling point and crypto currencies), IoT devices, and plenty of other services/devices/operating systems/software/services/etc.

    I also avoid using the US dollar (it's easier to do in New Hampshire because crypto currencies have taken off here, more than a few dozen local businesses take it in my little town of just 25,000 people, ie Keene, NH), taking part in government except where I'm involved in dismantling it, etc.

  16. Too many words, too by davecb · · Score: 1
    Hognoxious said:

    Slight flaw: even if this costs 0.00000001 cents per device that's 0.00000001 cents too much.

    The proposed RFC tries to solve far too many problems at once, and is about as elegant as a bowl of spaghetti. We don't like that in code any more, much less as a requirements statement.

    Too many words, take some out!

    --
    davecb@spamcop.net