Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
Securing the Internet of Things
Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:
A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.
In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”
People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.
It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:
But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.
Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:
The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?
Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?
Published in General, Science & Technology
Millions are made from individual pennies and nickels. Also, there’s no reason to believe a particular AP is being targeted; the efforts generally are shotgun efforts.
Any end object, including an otherwise unconnected AP, can be a source of requests for information that are at the heart of a DDoS. No one individual participant is much of a threat.
Eric Hines
True. But this old dude does not have his fridge sharing his debit card with the Russian Mafia either.
One more thing on this matter. Here is one outcome, from the WSJ, from letting government have the first say on regulating this sort of thing.
Eric Hines
Or taking part in a DDoS attack.
My fridge works just fine without connecting to the Internet. My DVR records my desired programming just fine without being connected to the Internet. My fancy programmable–by the day and by the hour within the day–thermostat manages my house’s climate just fine without being connected to the Internet.
Eric Hines
I submit the main reason a DDoS attack is successful is not the number of participants, per se, but the total bandwidth those participants have available to them. I could launch a DOS attack from my home desktop computer that’d be limited by the bandwidth of my ISP connection long before my desktop ran out of CPU cycles or RAM.
Bridging another access point through an internet circuit you already have access to doesn’t increase the bandwidth you have available to your attack, it just adds another CPU to the effort.
But this is getting pretty far into the weeds, so I’m going to leave it here.
You might be surprised. If you’re hooked up to a commercial cable system, your DVR almost certainly has an active Internet connection. When I still had one, I could access my recorded programs directly from my phone because of this.
Almost everything that has an active two-way communications capability does it through the internet – it’s just simpler nowadays.
John,
This again makes the case for industry technical standards. If a new net protocol is created which will not accept devices that do not follow the protocol with an announced implementation date, then after the implementation date the bad devices won’t work and that will be the end of that worldwide.
The industry system has worked incredibly well, Gd forbid government gets involved.
Regards,
Jim
The point is that we don’t live in world where we can say “Fridges shouldn’t have wifi.” We live in a world were people very much want this technology in their homes. And we have to figure out how to make it secure.
That doesn’t work if you live outside the range of OTA signals. The switch to digital left many people on the fringe of the B & C analogue rings with no service.
I don’t think this genie is going back into Pandora’s box on this one. Your fridge may keep your food cold, but it won’t know to reorder your cheese or flash some coupons for half-off steaks at the store. Your thermostat can’t alert your phone when your home appears unoccupied but is sitting at 68 degrees in July. The conveniences–and marketing potential–of connected devices are too great to halt production now.
Not so much. My DVR is hooked up to my TV, not to the Internet. My TV has no Internet capability beyond an ability to receive television programming via my cable box. My cable box has not even the capability to store TV guide information; it has to go to the head end to get that stuff. Neither my DVR nor my TV have the CPUs necessary for Internet interaction, either. Even the on-board ROMs are just that; they’re not PROMs or EPROMs.
My landline phone is on my cable system as a VoIP phone, but its capability is similarly limited, and it exists solely as a honeypot, anyway.
Eric Hines
The conveniences certainly are real. That just puts a premium on holding users accountable for their negligence here, just as we do in other venues.
Eric Hines
Exactly. And we also live in a world in which having the Internet go down for three hours has significant economic costs. It’s not “no big deal.”
Yeah but unless I can place limit orders on my cheese or steaks it’ll buy them at a price I’m not willing to pay.
Surely the legally relevant cause is the driver of the botnet, not the owners of the hardware misappropriated by that driver. If no one ever made a knife there would be no knife crime. No stock markets, no insider trading. No reproduction, no murder. Finding a “but for” cause of a harm is not the end but the beginning of analysis.
I’ve got to object to this. The V22 was a very tough development, as it was truly revolutionary. It’s now a valuable asset on the battlefield, having unique capabilities. I’ve talked to a number of Osprey Marine pilots here in NC and they love it.
The users were likely given no instruction on how to safeguard their devices since the manufacturers didn’t consider security implications in the first place. If the instructions begin with “setup your network firewall”, you may as well tell them to install Linux for all the good it will do.
If by users, you mean manufacturers, then I would agree. If a manufacturer produces an internet connected device with no intention of investigating security vulnerabilities and remotely updating those devices, they should be held liable. That’s a manufacturer’s defect.
Right. But it was not clear, so I just wanted to point it out. Lest someone run out and get Linux on their iPad. ;-)
flag on the play. 5 yard penalty for improper spelling of the word “centers”. Repeat first down.
I fail to see how carbon credits will help.
This is perfect, but we both know that most people reading this, and indeed most people out there haven’t the foggiest idea what you just said.
Well, my company is not Google nor Microsoft nor Amazon, but we do depend in some areas on the Internet. When it’s down, it costs us money, and though the cost is hard to quantify, it is not insignificant.
The danger is much greater if these gadgets give you some kind of accessibility from outside your network.
If you have a device, say a DVR that has to go out and grab the new TV listings or get software updates, and all it does is that, and goes only to the one site it needs to go to, it’s not much of a danger. This assumes you can’t get to its content from elsewhere, like with Slingbox.
If you have a security camera that you can access from your phone no matter where you are, that’s a different level of risk.
And of course, if you have any device on your network that accessible from the outside, that may open up a way for someone to get to all the other devices, since that one will put them inside.
That means a chain of events (what could go wrong) and someone has your updated address and payment info (what could go wrong) – frig techs have told me numerous times the frig is programmed to go red after 6 months – but filter change is not needed and they are expensive. I’ll buy my own and decide when to change it. I’m ok with indicator but that’s it. We give too much info and control to others…
Claire,
https://youtu.be/UgkyrW2NiwM
Regards,
Jim
This largely has to do with how the firewall is configured. There are inbound rules and outbound rules. That has nothing to do with which way the traffic is flowing, but which device initiates the traffic. If the device is outside the firewall initiates the traffic, then it must be allowed by an inbound rule. It remains a question whether one’s firewall is capable of these kinds of rules (not all are). Also, I don’t have a good enough understanding of UPnP to know if this kind of thing would be allowed by it.
Another way this might work is if a public service brokers the connection between the iPhone and the baby monitor. Say the baby monitor is configured to initiate a connection with a server and download configuration changes. And the iPhone is configured to make those changes on the server. It would appear to the user as if they were making changes to the baby monitor directly.
The fridge wouldn’t have my account information. It would send a signal to some kind of web service that is designed to do one thing: get a signal from a device and put it somewhere. Amazon would then read the signal where it is stored and interpret it as “This is Spin’s fridge saying ship him a water filter and charge it to the credit card on file”. My account would have an entry that says “If you get that signal, it is ok to process.” And I’d get an email saying it was done. And if they did it right, it would be configured to not process this more than say once every 6 months. It would not be hard to make it convenient and secure.
As far as how the red light is programmed, I get that. I mean, this is exactly how I change the oil in my truck, too. The odometer reaches a certain point, and then I know it needs to be changed. That is to say, I think it needs to be changed. I don’t actually inspect my oil to determine if it needs to be changed.
In the end, I’m giving no additional information nor control to anyone. I’m simply automating drudgery.
Keep in mind that most of the harm to your devices occurs under three conditions:
You’ve received a few good suggestions already, but I wouldn’t obsess over your router and Wi-Fi hardware. Most consumer routers are adequate. They differ mostly in the advanced features, and if you’re asking this question you’re unlikely to exploit advanced features. I recommend the following widely-available measures to protect your network from unsolicited internet access:
As for securing your network from local access, I suggest the following:
So many people suggest the Linux panacea sincerely that sarcasm can be hard to spot.
To put it in layman’s terms, most consumer routers would refer to this as a guest network.