Securing the Internet of Things
Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:
A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.
In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”
People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.
It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:
But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.
Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:
The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?
Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?
Published in General, Science & Technology
Amen, and Amen.
This.
Suggestion to manufacturers: at the very least, make sure users have to change the default password! At least there wouldn’t be stuff on the Internet you can get into with username “admin” and password “password” or whatever. For any device, it’s easy to search and find the default login.
Questions for anonymous
What should the average consumer do to protect himself and others?
I have AT&T UVerse. That’s IP tv and wifi.
Devices connected directly to the router:
Devices latched wirelessly as needed:
PCs are all running ESET antivirus.
Is this setup avoiding or contributing to the problem?
Unhelpful advice from every non-JW computer geek I’ve ever talked to:
I get why you’d do this but… isn’t that still leaving it open to be used in a botnet?
Like security and liberty are competing values in politics, security and accessibility are competing values in software and electronics. Increasing security generally means decreasing the consumer’s ease of use and breadth of options. There are markets for both security-concerned buyers and risk takers.
But, as usual, it doesn’t matter what we think about the destructive potential of regulation. Congressional representatives are elected on a balance of dozens of issues, among which this isn’t even primary. And the actual regulators are unelected. Work around government, not through it.
So, here’s the thing: These bozos who make and buy inherently insecure IoT refrigerators and fail to change the passwords end up inconveniencing me. Surprisingly, I didn’t die when I couldn’t access Twitter for 20 minutes, but however trivial my inconvenience, neither those manufacturers nor those consumers had a right to inflict it on me. Their negligence took Ricochet down for a few minutes: That’s a violation of our property rights. Is it not the proper role of government to protect property rights?
How will I and the hundreds of millions of other Internet users who are inconvenienced — in small ways or large — by third-party irresponsibility or incompetence be protected and if required compensated? If a particular kind of defective car were prone to stalling on the freeway and causing massive traffic jams, we would, I think, insist on regulating the sale of that kind of car. Attacks on these systems can and sooner or later will have consequences far more serious than a 20-minute Spotify blackout, too.
I’m willing to believe the USG will be no good at regulating this, but not so willing to believe it has no business regulating this. There is a public commons here; we all use it. And when it’s attacked, we all share the burden of it. Isn’t this the reason we form governments in the first place? To secure our property rights?
How much of a crisis is this, anyway?
The internet is down for three whole hours. One part of the internet. I don’t want to say that’s not bad, but it hardly rises to a catastrophe. Fix the problem, but don’t pretend it’s the sort of emergency that demands government respond right now (or at all).
Considering that thanks to income taxes and property taxes we basically cede the ownership our own earnings and rent land from the government I’m going to say no. :)
Like other divisions of the administrative state, they believe that if you break windows (with a lower-case w, not Windows™; the upper-case one does a fine job of breaking itself), it is an economic stimulus. Although I suppose that in Pentagon procurement land, it is… for the well-connected companies that get hired to fix the problems that “without giving the slightest thought” created….
This seems a little contradictory to me. The government will likely be no good at finding a solution but they should anyway.
I think there should be more of a two-part question before the government acts. 1) Is there a problem? 2) Does the government have a good fix that is both effective and not overly burdensome?
If the answer is not yes to both of these then there should be no action. We get into trouble with simply saying there is a problem, so there should be a law. The details of the government action matter.
I don’t understand why a refrigerator or any other appliance needs wifi.
Security cameras that provide owners with remote access are a different animal. So are DVRs, since that’s the delivery platform to begin with.
No. He said he doesn’t plug it into the network, so it’s just a WiFi point with no connection to the Internet, either in or out.
That’s because you are an old dude.
I can think of a great reason: when the water filter in my fridge is getting to the end of its life, there is a funny light that gradually goes from green to orange to red. I don’t want that. I want my fridge to send a note to Amazon and order me a replacement filter and have it shipped to arrive at my house on the day that the light would have become completely red.
This is nonsense.
Economic pedantry: This is not a Tragedy of the Commons.
Tragedy of the Commons occurs when there’s no or insufficient property rights established over something, and thus people treat it poorly and squander it. The eponymous Commons is overgrazed by everyone’s cows because it belongs to nobody, so nobody has the right to tell abusive people to stop this behavior.
This is not the case here with this alleged IoT crisis. There are clearly defined property owners everywhere. Dyn owned the servers that were attacked, people owned the devices that did the attacking, those devices were made by identifiable manufacturers. All of those people have very clearly defined property rights. Those rights are being transgressed by jerks not mentioned here, but those rights exist quite clearly.
It isn’t a Tragedy of the Commons if someone sold you a car with no locks and somebody else stole it to crash it into a Fox News studio. It’s quite clearly your car and Mr. Murdoch’s television studio, and both you and Mr. Murdoch are very clearly being transgressed against and can seek relief. There is no Tragedy of the Commons, and if there was, it would not justify legislation putting burdensome restrictions on Ford Motor Company (regardless of whether they were necessary for another reason).
There are good and bad ways to achieve this. One good way is to apply sanctions to careless users. “You knew your fridge/thermostat wasn’t secured against intrusion, yet you plugged it into the Internet anyway. Here’s a nice sanction for you.” And: “you knew that driving your car in that fashion exposed others to risk, yet you drove carelessly anyway and damaged that…. Here’s a nice sanction for you.”
Don’t forget that among those bozos who make and buy inherently insecure are those buyers/users.
There are instances where manufacturers are at fault and also need to be sanctioned. But automatically looking to government to fault the other guy instead of the proximate actor is one of the ways we got to where we are today.
Eric Hines
And, while I’m rambling more about economics, a “market failure” doesn’t immediately justify government intervention. Market failures can also be solved with entrepreneurship, and most are very successfully.
In this case, I wouldn’t be surprised if the bad press from this shames people into doing a better job and opens a space for better more secure IoT implementations. Concerns about safety often are used in other industries to differentiate products in a competitive fashion, so I don’t see why that can’t happen here.
So all audio devices should be required to be connected to the internet so the government can control their volume settings to provide comfortable aggregate decibel results in all relevant neighborhoods. A worthy goal, indeed.
That’s the joke.
Sure, the particular instance. Go without power or running water for three hours. For three days. Was this a test run? Probably not, but not certainly so. It could well have been just a demonstration against Biden’s promised, but secret, cyber response to the Russians’ messing with our election process and email systems.
Eric Hines
I’ll answer from my perspective and JW can weigh in with his. I don’t think your setup is avoiding or contributing to the problem, per se. But I offer some guidelines for keeping yourself secure.
First, get yourself a good router. Here is an example of a good router. Secure that router based upon the manufacturer’s specs. Don’t rely upon AT&T’s combo modem / router.
For your WiFi, it’s pretty much a religious debate about how to keep it secure. I recommend you buy a solid wireless AP, separate from your router, and here is a good example of one. Keep that router up-to-date with firmware updates. You can rely upon the various security mechanisms, and everyone has their idea of what is best. Google this, and make a determination for yourself what is best. But check and see, regularly, what is connecting to your WiFi, and make sure you know everything. If you see something and you don’t know what it is, block it.
For all of your devices, make sure they are regularly patched and kept up to date. Whatever antivirus you use is better than none, and again, it is a religious debate among IT guys which is best. I like to keep a USB thumb drive with a series of cleanup tools on it, so that if a computer gets infected, it can be isolated from the network, and cleaned up.
Don’t plug anything in to the network if it doesn’t need it. Don’t plug your TV in just because it can be plugged in.
The most important thing to do is be smart about your passwords. Get a password manager like LastPass, and keep your non-critical passwords in there. Do not use the same password you use for Netflix as the password to your bank, or for the admin account on your PC. Do not use an admin account on your PC. Rather, login as a normal user, but have separate credentials that you use when an administrative function needs to be done.
On this subject, if you have any system (bank, Netflix, whatever) that requires you to set up verification questions, lie. Use wrong answers, but write those answers down and store them in a safe or something.
Let’s see, what else…I’m sure I’ll think of something….
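As an added example (not from the original post or any commenter), a small Python script that does the “check regularly what is connecting to your WiFi” step from the guidelines above: it parses the output of `arp -a` on a computer on the LAN and flags any MAC address that is not in an owner-maintained inventory. The sample ARP output and the inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux `arp -a` output; not captured from any real network.
SAMPLE_ARP = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (192.168.1.21) at aa:bb:cc:dd:ee:02 [ether] on wlan0
? (192.168.1.37) at de:ad:be:ef:00:99 [ether] on wlan0
? (192.168.1.50) at <incomplete> on wlan0
"""

# Hypothetical owner-maintained inventory: MAC address -> label the owner recognises.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "laptop",
    "aa:bb:cc:dd:ee:02": "phone",
}

# One resolved ARP entry: "(ip) at mac"; entries shown as <incomplete> never matched.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}) ")


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str


def parse_arp(text):
    """Return Host entries from `arp -a` output, skipping incomplete ARP entries."""
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            hosts.append(Host(m.group("ip"), m.group("mac").lower()))
    return hosts


def unknown_hosts(hosts, known):
    """Hosts whose MAC is not in the inventory: candidates to identify or block."""
    return [h for h in hosts if h.mac not in known]


def report(text=SAMPLE_ARP, known=KNOWN_DEVICES):
    """Print the unknown devices; returns them so the result can be checked."""
    # Caveat: MACs can be spoofed or randomised by the device, so this is an
    # inventory aid that prompts a look at the router, not an access control.
    unknown = unknown_hosts(parse_arp(text), known)
    for h in unknown:
        print(f"unknown device {h.mac} at {h.ip}: identify it or block it on the AP")
    return unknown


if __name__ == "__main__":
    report()
```

On a real machine, replace `SAMPLE_ARP` with the output of `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout` and keep the inventory in a file you edit whenever you add a device.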
You’re suggesting war drivers can’t interact with an AP. Of course, they can. The WiFi is broadcasting a radio signal, and it’s receiving one. It just can’t interact with the Internet via the LAN in his house.
The lack of (easy) availability for a botnet is from his wiping the thing.
Eric Hines
It’s not connected to anything. Someone doing a driveby (sitting in their car, stealing wireless) won’t get anywhere with it. Even if it gets botted all to hell, it’s talking to itself – until I wipe it and start over.
I concede it would be theoretically possible to do. A war driver could conceivably connect to the AP and bridge it to the Internet via another nearby AP, cellular data connection, or hardline they have access to. But how many such bridged APs would it take to be a significant portion of an average botnet? And if they already have access to another Internet connection to bridge this AP to, why bother hooking this one to it?
Far too many seem to be missing this point altogether. It is absolutely irrelevant what the Federal government does in attempting to address this issue. Even if the US had nothing but 100% secure IoT devices sold in our markets, that would still have a negligible effect on the problem.
Early reports are that the majority of the traffic directed by this botnet was from IPs located outside the United States:
The US portion accounted for approximately 10.9% as reported by Imperva.
The notion that some piece of legislation in the US will remediate this is completely irrational.
Paging @ejhill
Roberto,
This makes the case for maintaining the system that has held well for so long. Rather than looking for legislation, US or worse International, we should be looking to the net industry itself for standards that will bring real solutions.
Another reason not to give up internet control.
Regards,
Jim