Securing the Internet of Things

 

Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:

A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.

In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”

People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.

It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:

But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.

Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:

The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?

Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?

Published in General, Science & Technology

There are 172 comments.

  1. Eric Hines Inactive
    Eric Hines
    @EricHines

    Terry Mott:

    Eric Hines:

    Terry Mott:

    Hank Rhody:

    I get why you’d do this but… isn’t that still leaving it open to be used in a botnet?

    No. He said he doesn’t plug it into the network, so it’s just a WiFi point with no connection to the Internet, either in or out.

    You’re suggesting war drivers can’t interact with an AP. Of course, they can. The WiFi is broadcasting a radio signal, and it’s receiving one. It just can’t interact with the Internet via the LAN in his house.

    The lack of (easy) availability for a botnet is from his wiping the thing.

    Eric Hines

    I concede it would be theoretically possible to do. A war driver could conceivably connect to the AP and bridge it to the Internet via another nearby AP, cellular data connection, or hardline they have access to. But how many such bridged APs would it take to be a significant portion of an average botnet? And if they already have access to another Internet connection to bridge this AP to, why bother hooking this one to it?

    Millions are made from individual pennies and nickels.  Also, there’s no reason to believe a particular AP is being targeted; the efforts generally are shotgun efforts.

    Any end object, including an otherwise unconnected AP, can be a source of requests for information that are at the heart of a DDoS.  No one individual participant is much of a threat.

    Eric Hines

    • #61
  2. EJHill Podcaster
    EJHill
    @EJHill

    Spin: That’s because you are an old dude.

    True. But this old dude does not have his fridge sharing his debit card with the Russian Mafia either.

    • #62
  3. Eric Hines Inactive
    Eric Hines
    @EricHines

    Eric Hines:

    Claire Berlinski, Ed.: Is it not the proper role of government to protect property rights?

    There are good and bad ways to achieve this. One good way is to apply sanctions to careless users. “You knew your fridge/thermostat wasn’t secured against intrusion, yet you plugged it into the Internet anyway. Here’s a nice sanction for you.” And: “you knew that driving your car in that fashion exposed others to risk, yet you drove carelessly anyway and damaged that…. Here’s a nice sanction for you.”

    Don’t forget that among those bozos who make and buy inherently insecure are those buyers/users.

    There are instances where manufacturers are at fault and also need to be sanctioned. But automatically looking to government to fault the other guy instead of the proximate actor is one of the ways we got to where we are today.

    Eric Hines

    One more thing on this matter.  Here is one outcome, from the WSJ, from letting government have the first say on regulating this sort of thing.

    Eric Hines

    • #63
  4. Eric Hines Inactive
    Eric Hines
    @EricHines

    EJHill:

    Spin: That’s because you are an old dude.

    True. But this old dude does not have his fridge sharing his debit card with the Russian Mafia either.

    Or taking part in a DDoS attack.

    My fridge works just fine without connecting to the Internet.  My DVR records my desired programming just fine without being connected to the Internet.  My fancy programmable–by the day and by the hour within the day–thermostat manages my house’s climate just fine without being connected to the Internet.

    Eric Hines

    • #64
  5. Terry Mott Member
    Terry Mott
    @TerryMott

    Eric Hines: Millions are made from individual pennies and nickels. Also, there’s no reason to believe a particular AP is being targeted; the efforts generally are shotgun efforts.

    Any end object, including an otherwise unconnected AP, can be a source of requests for information that are at the heart of a DDoS. No one individual participant is much of a threat.

    Eric Hines

    I submit the main reason a DDoS attack is successful is not the number of participants, per se, but the total bandwidth those participants have available to them.  I could launch a DOS attack from my home desktop computer that’d be limited by the bandwidth of my ISP connection long before my desktop ran out of CPU cycles or RAM.

    Bridging another access point through an internet circuit you already have access to doesn’t increase the bandwidth you have available to your attack, it just adds another CPU to the effort.

    But this is getting pretty far into the weeds, so I’m going to leave it here.

    • #65
  6. cirby Inactive
    cirby
    @cirby

    Eric Hines: My DVR records my desired programming just fine without being connected to the Internet.

    You might be surprised. If you’re hooked up to a commercial cable system, your DVR almost certainly has an active Internet connection. When I still had one, I could access my recorded programs directly from my phone because of this.

    Almost everything that has an active two-way communications capability does it through the internet – it’s just simpler nowadays.

     

    • #66
  7. James Gawron Inactive
    James Gawron
    @JamesGawron

    anonymous: So, it doesn’t matter what Sen. Warner and his accomplices do in their marble palaces, because it won’t affect the billions of these devices which are already installed all around the world (the overwhelming majority of which cannot be upgraded), nor devices sold outside the U.S., which, in a global network, work just as well to mount an attack as those inside the border, which is even more porous to Internet traffic than it is to illegal aliens and terrorists.

    John,

    This again makes the case for industry technical standards. If a new net protocol is created which will not accept devices that do not follow the protocol with an announced implementation date, then after the implementation date the bad devices won’t work and that will be the end of that worldwide.

    The industry system has worked incredibly well, Gd forbid government gets involved.

    Regards,

    Jim

    • #67
  8. Spin Coolidge
    Spin
    @Spin

    EJHill:

    Spin: That’s because you are an old dude.

    True. But this old dude does not have his fridge sharing his debit card with the Russian Mafia either.

    The point is that we don’t live in a world where we can say “Fridges shouldn’t have wifi.”  We live in a world where people very much want this technology in their homes.  And we have to figure out how to make it secure.

    • #68
  9. EJHill Podcaster
    EJHill
    @EJHill

    Eric Hines: My DVR records my desired programming just fine without being connected to the Internet.

    That doesn’t work if you live outside the range of OTA signals. The switch to digital left many people on the fringe of the B & C analogue rings with no service.

    • #69
  10. Matt Upton Inactive
    Matt Upton
    @MattUpton

    Eric Hines: My fridge works just fine without connecting to the Internet. My DVR records my desired programming just fine without being connected to the Internet. My fancy programmable–by the day and by the hour within the day–thermostat manages my house’s climate just fine without being connected to the Internet.

    I don’t think this genie is going back into Pandora’s box on this one. Your fridge may keep your food cold, but it won’t know to reorder your cheese or flash some coupons for half-off steaks at the store. Your thermostat can’t alert your phone when your home appears unoccupied but is sitting at 68 degrees in July. The conveniences–and marketing potential–of connected devices are too great to halt production now.

    • #70
  11. Eric Hines Inactive
    Eric Hines
    @EricHines

    cirby:

    Eric Hines: My DVR records my desired programming just fine without being connected to the Internet.

    You might be surprised. If you’re hooked up to a commercial cable system, your DVR almost certainly has an active Internet connection. When I still had one, I could access my recorded programs directly from my phone because of this.

    Almost everything that has an active two-way communications capability does it through the internet – it’s just simpler nowadays.

    Not so much.  My DVR is hooked up to my TV, not to the Internet.  My TV has no Internet capability beyond an ability to receive television programming via my cable box.  My cable box has not even the capability to store TV guide information; it has to go to the head end to get that stuff.  Neither my DVR nor my TV have the CPUs necessary for Internet interaction, either. Even the on-board ROMs are just that; they’re not PROMs or EPROMs.

    My landline phone is on my cable system as a VoIP phone, but its capability is similarly limited, and it exists solely as a honeypot, anyway.

    Eric Hines

    • #71
  12. Eric Hines Inactive
    Eric Hines
    @EricHines

    Matt Upton:

    Eric Hines: My fridge works just fine without connecting to the Internet. My DVR records my desired programming just fine without being connected to the Internet. My fancy programmable–by the day and by the hour within the day–thermostat manages my house’s climate just fine without being connected to the Internet.

    I don’t think this genie is going back into Pandora’s box on this one. Your fridge may keep your food cold, but it won’t know to reorder your cheese or flash some coupons for half-off steaks at the store. Your thermostat can’t alert your phone when your home appears unoccupied but is sitting at 68 degrees in July. The conveniences–and marketing potential–of connected devices are too great to halt production now.

    The conveniences certainly are real.  That just puts a premium on holding users accountable for their negligence here, just as we do in other venues.

    Eric Hines

    • #72
  13. Claire Berlinski, Ed. Editor
    Claire Berlinski, Ed.
    @Claire

    Spin:

    EJHill:

    Spin: That’s because you are an old dude.

    True. But this old dude does not have his fridge sharing his debit card with the Russian Mafia either.

    The point is that we don’t live in a world where we can say “Fridges shouldn’t have wifi.” We live in a world where people very much want this technology in their homes. And we have to figure out how to make it secure.

    Exactly. And we also live in a world in which having the Internet go down for three hours has significant economic costs. It’s not “no big deal.”

    • #73
  14. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    Matt Upton:

    Eric Hines: My fridge works just fine without connecting to the Internet. My DVR records my desired programming just fine without being connected to the Internet. My fancy programmable–by the day and by the hour within the day–thermostat manages my house’s climate just fine without being connected to the Internet.

    I don’t think this genie is going back into Pandora’s box on this one. Your fridge may keep your food cold, but it won’t know to reorder your cheese or flash some coupons for half-off steaks at the store. Your thermostat can’t alert your phone when your home appears unoccupied but is sitting at 68 degrees in July. The conveniences–and marketing potential–of connected devices are too great to halt production now.

    Yeah but unless I can place limit orders on my cheese or steaks it’ll buy them at a price I’m not willing to pay.

    • #74
  15. genferei Member
    genferei
    @genferei

    Claire Berlinski, Ed.: Their negligence took Ricochet down for a few minutes: That’s a violation of our property rights.

    Surely the legally relevant cause is the driver of the botnet, not the owners of the hardware misappropriated by that driver. If no one ever made a knife there would be no knife crime. No stock markets, no insider trading. No reproduction, no murder. Finding a “but for” cause of a harm is not the end but the beginning of analysis.

    • #75
  16. Kozak Member
    Kozak
    @Kozak

    anonymous: Indeed…in the Aviation Week article I cited in #30 supra, the last half is basically a puff piece for defense contractor Raytheon, who is doing the security upgrades to the V-22 Boondoggle Osprey tiltrotor aircraft.

    I’ve got to object to this.  The V22 was a very tough development, as it was truly revolutionary.  It’s now a valuable asset on the battlefield,  having unique capabilities.   I’ve talked to a number of Osprey Marine pilots here in NC  and they love it.

    • #76
  17. Matt Upton Inactive
    Matt Upton
    @MattUpton

    Eric Hines: The conveniences certainly are real. That just puts a premium on holding users accountable for their negligence here, just as we do in other venues.

    The users were likely given no instruction on how to safeguard their devices since the manufacturers didn’t consider security implications in the first place. If the instructions begin with “set up your network firewall”, you may as well tell them to install Linux for all the good it will do.

    If by users, you mean manufacturers, then I would agree. If a manufacturer produces an internet connected device with no intention of investigating security vulnerabilities and remotely updating those devices, they should be held liable. That’s a manufacturer’s defect.

    • #77
  18. Spin Coolidge
    Spin
    @Spin

    Austin Murrey:

    Spin:

    Austin Murrey:

    • Switch everything to Linux.
    • Your problem is solved.

    This is nonsense.

    That’s the joke.

    Right.  But it was not clear, so I just wanted to point it out.  Lest someone run out and get Linux on their iPad.  ;-)

    • #78
  19. Spin Coolidge
    Spin
    @Spin

    anonymous: centres

    flag on the play.  5 yard penalty for improper spelling of the word “centers”.  Repeat first down.

    • #79
  20. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    Front Seat Cat:

    Six Days Of The Condor: Who created the Internet? Isn’t that the answer right there?

    You’re right – make Gore fix it!

    I fail to see how carbon credits will help.

    • #80
  21. Spin Coolidge
    Spin
    @Spin

    anonymous: I don’t have any so-called “Internet of Things” devices, but if I did, I would put them all on a separate subnet which was not allowed to initiate connections to the LAN on which the computers live. I do this with the DHCP network that visitors use; they can get to the Internet, but not to the subnets containing my development machines or servers.

    This is perfect, but we both know that most people reading this, and indeed most people out there haven’t the foggiest idea what you just said.

    • #81
  22. Spin Coolidge
    Spin
    @Spin

    anonymous:

    Claire Berlinski, Ed.: And we also live in a world in which having the Internet go down for three hours has significant economic costs. It’s not “no big deal.”

    But the people who bear those economic costs are mostly those who operate large data centres or are customers of companies who do. Firms such as Amazon, Google, Microsoft, and other players in the cloud space both have the incentive and the resources to research and deploy mitigation strategies for attacks that might damage them.

    For example, customers who host their sites on Amazon AWS (such as Ricochet and this ink-stained wretch) benefit from Amazon’s investment in keeping their data centres up, running, and not clogged with denial of service attacks. A tiny fraction of what we pay for the service goes toward Amazon’s efforts to defend the platform. (This is equally true of other cloud vendors; I cite Amazon because that’s the one with which I have personal experience.)

    Well, my company is not Google nor Microsoft nor Amazon, but we do depend in some areas on the Internet.  When it’s down, it costs us money, and though the cost is hard to quantify, it is not insignificant.

    • #82
  23. Matt Bartle Member
    Matt Bartle
    @MattBartle

    The danger is much greater if these gadgets give you some kind of accessibility from outside your network.

    If you have a device, say a DVR that has to go out and grab the new TV listings or get software updates, and all it does is that, and goes only to the one site it needs to go to, it’s not much of a danger. This assumes you can’t get to its content from elsewhere, like with Slingbox.

    If you have a security camera that you can access from your phone no matter where you are, that’s a different level of risk.

    And of course, if you have any device on your network that’s accessible from the outside, that may open up a way for someone to get to all the other devices, since that one will put them inside.

    • #83
  24. Front Seat Cat Member
    Front Seat Cat
    @FrontSeatCat

    Spin:

    EJHill: I don’t understand why a refrigerator or any other appliance needs wifi.

    That’s because you are an old dude.

    I can think of a great reason: when the water filter in my fridge is getting to the end of its life, there is a funny light that gradually goes from green to orange to red. I don’t want that. I want my fridge to send a note to Amazon and order me a replacement filter and have it shipped to arrive at my house on the day that the light would have become completely red.

    That means a chain of events (what could go wrong) and someone has your updated address and payment info (what could go wrong) – frig techs have told me numerous times the frig is programmed to go red after 6 months – but filter change is not needed and they are expensive.  I’ll buy my own and decide when to change it. I’m ok with indicator but that’s it.  We give too much info and control to others…

    • #84
  25. James Gawron Inactive
    James Gawron
    @JamesGawron

    Claire,

    https://youtu.be/UgkyrW2NiwM

    Regards,

    Jim

    • #85
  26. Spin Coolidge
    Spin
    @Spin

    anonymous: What I don’t understand is how it’s possible for a mobile phone, from outside the local network, to initiate a connection to, say, the baby monitor. I can see how the baby monitor could, say, post images on a third party site which could be accessed by the phone, but not how a direct outside-to-inside connection could be established. Can anybody explain this?

    This largely has to do with how the firewall is configured.  There are inbound rules and outbound rules.  That has nothing to do with which way the traffic is flowing, but which device initiates the traffic.  If a device outside the firewall initiates the traffic, then it must be allowed by an inbound rule.  It remains a question whether one’s firewall is capable of these kinds of rules (not all are).  Also, I don’t have a good enough understanding of UPnP to know if this kind of thing would be allowed by it.

    Another way this might work is if a public service brokers the connection between the iPhone and the baby monitor.  Say the baby monitor is configured to initiate a connection with a server and download configuration changes.  And the iPhone is configured to make those changes on the server.  It would appear to the user as if they were making changes to the baby monitor directly.

    • #86
  27. Spin Coolidge
    Spin
    @Spin

    Front Seat Cat:

    Spin:

    EJHill: I don’t understand why a refrigerator or any other appliance needs wifi.

    That’s because you are an old dude.

    I can think of a great reason: when the water filter in my fridge is getting to the end of its life, there is a funny light that gradually goes from green to orange to red. I don’t want that. I want my fridge to send a note to Amazon and order me a replacement filter and have it shipped to arrive at my house on the day that the light would have become completely red.

    That means a chain of events (what could go wrong) and someone has your updated address and payment info (what could go wrong) – frig techs have told me numerous times the frig is programmed to go red after 6 months – but filter change is not needed and they are expensive. I’ll buy my own and decide when to change it. I’m ok with indicator but that’s it. We give too much info and control to others…

    The fridge wouldn’t have my account information.  It would send a signal to some kind of web service that is designed to do one thing:  get a signal from a device and put it somewhere.  Amazon would then read the signal where it is stored and interpret it as “This is Spin’s fridge saying ship him a water filter and charge it to the credit card on file”.  My account would have an entry that says “If you get that signal, it is ok to process.”  And I’d get an email saying it was done.  And if they did it right, it would be configured to not process this more than say once every 6 months.  It would not be hard to make it convenient and secure.

    As far as how the red light is programmed, I get that.  I mean, this is exactly how I change the oil in my truck, too.  The odometer reaches a certain point, and then I know it needs to be changed.  That is to say, I think it needs to be changed.  I don’t actually inspect my oil to determine if it needs to be changed.

    In the end, I’m giving no additional information nor control to anyone.  I’m simply automating drudgery.

    • #87
  28. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    EJHill:

    Questions for anonymous

    What should the average consumer do to protect himself and others?…

    Keep in mind that most of the harm to your devices occurs under three conditions:

    1. You download bad content.  This is most common from computers (including tablets, phones, and Apple TVs) and typically involves bad web sites, bad email attachments, or bad apps.  Antivirus helps with this, but it’s mostly up to the user to avoid this problem.
    2. Bad actors accessing your network by way of the internet connection.  This is not the same as your device accessing the internet.  If your IoT device initiates the connection it’s usually safe.  The problem is when the session is initiated from outside your network. This risk can be mitigated by setting up your router correctly.
    3. Bad actors accessing your network from the inside.  This is usually via weak Wi-Fi security and can be virtually eliminated by proper configuration.

    You’ve received a few good suggestions already, but I wouldn’t obsess over your router and Wi-Fi hardware.  Most consumer routers are adequate.  They differ mostly in the advanced features, and if you’re asking this question you’re unlikely to exploit advanced features.  I recommend the following widely-available measures to protect your network from unsolicited internet access:

    1. Change the login password, as well as the username if the router supports it.  Use a strong password.  Do this for all devices in your network.
    2. Update your firmware.  Always check when installing a new device, and check again every few months after.  Firmware updates for consumer networking devices are infrequent, but can be important.
    3. Disable remote management on your router.  This means you’ll have to be inside your network to log into the router and change settings. Traffic coming from the internet won’t be allowed to log in.
    4. Disable port forwarding on your router.
    5. Disable Universal Plug and Play (UPnP) on your router.  If your router includes network attached storage (NAS) or a media server, this may make it unusable.  Buy separate devices for those functions if needed.

    As for securing your network from local access, I suggest the following:

    1. Use wired connections when possible.  For example, if your printer is in your home office next to the router, plug it in.  If you have too few ports, buy a $20 unmanaged Ethernet switch.
    2. Disable the Wi-Fi on all devices with wired connections and any devices that don’t need network access.
    3. Use WPA2-PSK for your Wi-Fi security.  If your device asks you to choose between TKIP, AES, or both, select AES.  Use a strong PSK. (Google it if needed)  If any of your IoT garbage can’t support WPA2/AES, replace it or leave it off the network.
    4. Disable UPnP on everything and only turn it back on if something you need stops working.  Even better, get somebody to help you set up the devices manually without UPnP.
    • #88
  29. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    Spin:

    Austin Murrey:

    • Switch everything to Linux.
    • Your problem is solved.

    This is nonsense.

    So many people suggest the Linux panacea sincerely that sarcasm can be hard to spot.

    • #89
  30. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    Spin:

    anonymous: I don’t have any so-called “Internet of Things” devices, but if I did, I would put them all on a separate subnet which was not allowed to initiate connections to the LAN on which the computers live. I do this with the DHCP network that visitors use; they can get to the Internet, but not to the subnets containing my development machines or servers.

    This is perfect, but we both know that most people reading this, and indeed most people out there haven’t the foggiest idea what you just said.

    To put it in layman’s terms, most consumer routers would refer to this as a guest network.

    • #90
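
The behaviour discussed in comments #86 and #88 (whoever initiates a session decides whether the router lets it through, and UPnP or port forwarding changes that), together with the separate-subnet idea quoted in #81 and #90, can be modelled in a few lines. This is an added example, not code from the post or from any commenter; the addresses, ports, zone names and the `Router`, `Packet` and `scenario` names are constructed for illustration, and address translation is left out.

```python
"""Toy stateful home-router firewall. Constructed model, not a real router's code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed addressing: computers on the LAN, gadgets on a guest/IoT subnet.
LAN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.50.0/24")

# Which zone may *open* a session toward which. Replies are matched by
# connection tracking, so the return direction needs no rule of its own.
ALLOW_NEW = {("lan", "wan"), ("iot", "wan"), ("lan", "iot")}


def zone(addr):
    a = ip_address(addr)
    if a in LAN:
        return "lan"
    if a in IOT:
        return "iot"
    return "wan"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the packet that opens a session


@dataclass
class Router:
    upnp_enabled: bool = False
    forwards: set = field(default_factory=set)   # {(inside_ip, port)} open to the WAN
    conntrack: set = field(default_factory=set)  # sessions the router let start

    def upnp_request(self, inside_ip, port):
        """An inside device asks the router for an inbound port mapping."""
        if self.upnp_enabled and zone(inside_ip) != "wan":
            self.forwards.add((inside_ip, port))
            return True
        return False

    def handle(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ESTABLISHED"   # belongs to a session already allowed
        if not p.syn:
            return "DROP"          # stray packet with no session to match
        src_zone, dst_zone = zone(p.src), zone(p.dst)
        forwarded = src_zone == "wan" and (p.dst, p.dport) in self.forwards
        if (src_zone, dst_zone) in ALLOW_NEW or forwarded:
            self.conntrack.add(flow)
            return "NEW"
        return "DROP"              # this initiator may not open that session


def scenario(upnp_enabled):
    """Run the same constructed traffic with UPnP on or off."""
    r = Router(upnp_enabled=upnp_enabled)
    cam, pc = "192.168.50.10", "192.168.1.20"        # constructed inside hosts
    broker, phone = "203.0.113.5", "198.51.100.7"    # documentation-range addresses
    out = {}
    # Camera dials out to a broker service; the answer rides the same session.
    out["cam_to_broker"] = r.handle(Packet(cam, 40000, broker, 443, syn=True))
    out["broker_reply"] = r.handle(Packet(broker, 443, cam, 40000))
    # Phone on the internet tries the camera directly: unsolicited inbound.
    out["phone_direct"] = r.handle(Packet(phone, 50000, cam, 554, syn=True))
    # Camera asks for a port mapping; only honoured if UPnP is enabled.
    out["upnp_mapping"] = r.upnp_request(cam, 554)
    out["phone_after_upnp"] = r.handle(Packet(phone, 50001, cam, 554, syn=True))
    # Segmentation: IoT may not open sessions to the LAN, the LAN may reach IoT.
    out["cam_to_pc"] = r.handle(Packet(cam, 40001, pc, 445, syn=True))
    out["pc_to_cam"] = r.handle(Packet(pc, 51000, cam, 80, syn=True))
    out["cam_reply_to_pc"] = r.handle(Packet(cam, 80, pc, 51000))
    return out


if __name__ == "__main__":
    for enabled in (False, True):
        print("UPnP enabled:", enabled)
        for step, verdict in scenario(enabled).items():
            print(f"  {step:18} {verdict}")
```

With UPnP off, the only way the phone reaches the camera is through the broker the camera itself dialled; with UPnP on, the same direct attempt from the internet is accepted.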