Securing the Internet of Things
Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:
A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.
In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”
People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.
It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:
But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.
Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:
The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?
Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?
Published in General, Science & Technology
A context-aware firewall can do the job. The technology to make something like this work isn’t quite ready for prime time yet, but it’s close.
response to anonymous’s comment #159
John,
Very very interesting. Would you agree with me that the industry consortium, unaffected by government, would do the least intrusive job that would preserve both the character of the net and its future growth? The heavy hand of government kills what it tries to control. As an example, the ACA is mutilating the health insurance industry. Health insurance is now more expensive with poorer quality and looks to be getting much worse.
I had an additional thought. The paradigm of the Bluetooth network, “pairing”, may be what we are missing here. Let us assume the protocol internal to the device had a strict pairing mechanism which once paired to your cell phone would automatically refuse any other request for remote access. This would isolate the particular problem of the internet of things. Your digital imprimatur could then be kept to a minimum.
Please comment John.
Regards,
Jim
Very plausible indeed. The left has a problem distinguishing dystopian stories from instruction manuals. /-:
John,
Thanks John. Sounds like a plan.
Regards,
Jim
“The net”? So you are suggesting that all network devices that pass traffic across “the net” will require a new protocol (by which I assume you mean replacing TCP/IP). Which naturally means that the computer I am typing on, or at least my router, will need to talk that new talk, not just my IoT devices. Right?
Spin,
Let me make a disclaimer at this point. Both you and John are far in advance of my specific technical abilities. I recommend John’s take on all of this. However, to answer your question, I would suspect that a new router is in the mix to get this done right. That isn’t the worst outcome. I suspect that for the home or small business user they could acquire the router for less than the price of a single month’s net service. Yes, heavy business users will spend more but they have more dollars to spend, not to mention plenty of security concerns worth nailing down properly.
@JohnWalker, please help us out here and respond to spin’s enquiry with greater depth than I possess.
Regards,
Jim
So your scheme doesn’t really address my point, which was, simply, you cannot introduce some system that affects only IoT end points. The scheme has to address all devices.
It’s not just a new router for you and me at home. That cell tower over there? Its backhaul is essentially the Internet. Which means that in this new scheme where there is a new protocol, the switch to which the cell tower connects must be updated to support the new protocol. The switches in my office that connect all of my remote sites have to be changed. The firewall that manages my client based VPN connectivity must be changed. My wireless APs must be changed. All of my computers must be changed.
Now, we created a new protocol to address a lot of the deficiencies in the TCP/IP stack. It’s called IPv6. It was formerly introduced in the late 90s. And it still is not widely used. Most modern networking gear as well as end points can do IPv6. But we have not deployed it.
I’m not trying to throw cold water on your idea, I’m just saying that it is unrealistic to suggest that we could simply create a new protocol and require it be used.
I know that’s what you said. I was just addressing what Jim said which was that we’d create some protocol specific to IoT devices. That’s all. It would have to apply to all devices. Which means you might as well forget it.
Which simply must live in the cloud. ;-)
Spin,
Flexibility thy name is the free market. Inflexibility thy name is the government.
cont.
cont. from #175
Let’s assume that we are faced with a massive cost and as you say if we require the new protocol’s implementation on a specific date we will meet major resistance. What are the incentives for the participants to absorb the cost and keep going without force? As an example, 1) How many of the recent costly government & corporate security breaches might have been avoided by the new protocol? 2) Hardware is constantly improving in power and decreasing in price. Could the new protocol be just phased in during an already justified hardware upgrade? 3) You say IPv6 has not been deployed. Has there been any great incentive to deploy it?
I don’t think that the “pairing” solution would require any of this. The burden would be shifted to the devices themselves. It might only be a band-aid but maybe the problem isn’t that great yet.
Regards,
Jim
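A minimal sketch of the “pairing” idea raised in the two comments above (a device that binds to one phone and then refuses every other remote-access request), added here as an illustration and not taken from any commenter or product. The class, the method names and the HMAC challenge-response are assumptions; a real device would also need a physical reset path and a protected pairing step.

```python
import hashlib
import hmac
import secrets


class PairedDevice:
    """Hypothetical IoT device: binds to the first controller, refuses all others."""

    def __init__(self):
        self._pair_key = None  # no factory default credential exists
        self._nonce = None

    def pair(self, controller_key: bytes) -> bool:
        # Pairing succeeds once; later attempts cannot overwrite the binding.
        if self._pair_key is not None:
            return False
        self._pair_key = controller_key
        return True

    def challenge(self) -> bytes:
        # Fresh random nonce for each access attempt.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def remote_access(self, response: bytes) -> bool:
        if self._pair_key is None or self._nonce is None:
            return False
        expected = hmac.new(self._pair_key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # single use, so a captured response cannot be replayed
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Controller side: prove possession of the pairing key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    device = PairedDevice()
    phone_key = secrets.token_bytes(32)     # constructed sample keys
    stranger_key = secrets.token_bytes(32)
    results = {"first_pair": device.pair(phone_key),
               "second_pair": device.pair(stranger_key)}
    answer = respond(phone_key, device.challenge())
    results["phone"] = device.remote_access(answer)
    results["replay"] = device.remote_access(answer)
    results["stranger"] = device.remote_access(
        respond(stranger_key, device.challenge()))
    return results


if __name__ == "__main__":
    print(demo())
```
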
John I wasn’t chastising you. I was just reflecting on a PC incident from a few years back.
In retrospect, it’s a good thing I didn’t have a chance to mention that the outgoing cables needed their connectors converted from female to male. I’d probably still be in Sensitivity Training hell.
Yes, it’s genuinely better than IPv4 for a number of reasons….but…
It’s very complex to implement in an environment that already runs IPv4. Which is why it hasn’t been done yet.
With HTTPS, we could deploy it over time, and it could co-exist with HTTP. But how many websites deployed it with self-signed certs, at first? Why did they stop doing that? Because it was a good idea? Or because major browsers started throwing hissyfits when a cert could not be verified? I say the second.
Spin,
So you’d rather hold off and then do the whole upgrade at once. I suspect that all the new equipment that you buy is already good for IPv6 deployment but you are using it as IPv4. At some point, going to far more powerful and less expensive to maintain equipment will be desirable enough for you to move. At that point, you’ll turn on the IPv6 too. Nothing surprising about your strategy it’s just solid business sense.
Spin, I suspect that there are many solutions that are way less than the total rerigging we are discussing (example: “pairing”). The fact that we are discussing them is progress in itself. Do you remember all the screaming about Y2K and it was resolved by simple low-cost solutions without any disruption in service at all. I think that the internet of things is going to get the same treatment with some minor inconveniences to the owners of the devices in question as it should be.
Regards,
Jim
In other words, cultural pressure rather than government mandate.
A thousand times this.
I wouldn’t call it cultural pressure so much as industry pressure. Users neither knew nor cared about SSL. But browser manufacturers did, and they felt the need to keep a user secure. So they finally said “Well we’ll fix your wagons, you web admins who don’t want to do what is right.”
We still use that terminology in factory automation. I haven’t heard of a replacement.
Master/slave is still around in the industrial automation world because that is the best description of the relationship between the devices. The protocol specs even use “owner” for the master device of a specific slave when multiple masters are present. Masters tell slaves what to do and when.
I guess I’ll have to keep some smelling salts on hand in the office for the fragile snowflakes who incidentally find out about these terrible technologies.
The problem with snowflakes is they have a bad tendency to run to HR and legal, which for some reason take this stuff seriously. I have yet to see anybody fired over such events but have been in meetings called for these purposes where it was suggested not to use such terms.