Securing the Internet of Things

 

Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:

A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.

In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”

People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.

It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:

But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.

Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:

The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?

Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?

Published in General, Science & Technology
Like this post? Want to comment? Join Ricochet’s community of conservatives and be part of the conversation. Join Ricochet for Free.

There are 172 comments.

Become a member to join the conversation. Or sign in if you're already a member.
  1. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    Eric Hines:

    anonymous: A firmware upgrade will normally install a new certificate.

    How would they get the upgrade without access to the Internet?

    Eric Hines

    A context-aware firewall can do the job.  The technology to make somthing like this work isn’t quite ready for prime time yet, but it’s close.

    • #151
  2. James Gawron Inactive
    James Gawron
    @JamesGawron

    response to anonymous’s comment #159

    John,

    Very very interesting. Would you agree with me that the industry consortium, unaffected by government, would do the least intrusive job that would preserve both the character of the net and its future growth? The heavy hand of government kills what it tries to control. As an example, the ACA is multilating the health insurance industry. Health insurance is now more expensive with poorer quality and looks to be getting much worse.

    I had an additional thought. The paradigm of the Bluetooth network, “pairing”, may be what we are missing here. Let us assume the protocol internal to the device had a strict pairing mechanism which once paired to your cell phone would automatically refuse any other request for remote access. This would isolate the particular problem of the internet of things. Your digital imprimatur could then be kept to a minimum.

    Please comment John.

    Regards,

    Jim

    • #152
  3. Phil Turmel Coolidge
    Phil Turmel
    @PhilTurmel

    anonymous: In fact, the introduction of IPv6 and the phase-out of IPv4 would provide precisely the opportunity they’re waiting for to roll out such a scheme.

    Very plausible indeed.  The left has a problem distinguishing dystopian stories from instruction manuals. /-:

    • #153
  4. James Gawron Inactive
    James Gawron
    @JamesGawron

    anonymous:

    James Gawron:….

    ….. There’s no reason the “pairing” could not be extended to a list of specific devices to handle situations like this and, indeed, it is common when configuring corporate firewalls to have an access control list of external devices/users which are granted access to specific resources inside the firewall.

    The alternative would be to have the baby monitor, thermostats, remote light controls, etc. all talk exclusively to a home automation controller (which in most cases would simply be an application that runs on a computer in the home, although it could be a dedicated device). People wishing to access the devices from outside would open a secure (https:) connection to a Web interface maintained by the controller, which would manage all communication with the devices. There would, then, be no direct access to the devices from outside. The controller would provide a single point of security which, running on a PC, would receive security patches from the PC’s operating system supplier and that of the home automation controller software. With https: access to a Web interface, interactions with the home automation controller would be as secure as most Internet banking and commerce transactions, which are good enough for most people.

    John,

    Thanks John. Sounds like a plan.

    Regards,

    Jim

    • #154
  5. Spin Coolidge
    Spin
    @Spin

    James Gawron:

    Spin:

    James Gawron: If the devices don’t show it they don’t get on-line. New devices will have it.

    So how would the network determine if something was an “IoT” device versus some other type of device. Let us remember that “IoT” is just a buzz phrase, and that most of these devices are capable communicating on an IP network the exact same way your computer does.

    Spin,

    Because the net will now be asking for the new protocol before it allows access.

    Regards,

    Jim

    “The net”?  So you are suggesting that all network devices that pass traffic across “the net” will require a new protocol (by I assume you mean replacing TCP/IP).  Which naturally means that the computer I am typing on, or at least my router, will need to talk that new talk, not just my IoT devices.  Right?

    • #155
  6. James Gawron Inactive
    James Gawron
    @JamesGawron

    Spin:

    James Gawron:

    Spin:

    James Gawron:

    Because the net will now be asking for the new protocol before it allows access.

    Regards,

    Jim

    “The net”? So you are suggesting that all network devices that pass traffic across “the net” will require a new protocol (by I assume you mean replacing TCP/IP). Which naturally means that the computer I am typing on, or at least my router, will need to talk that new talk, not just my IoT devices. Right?

    Spin,

    Let me make a disclaimer at this point. Both you and John are far in advance of my specific technical abilities. I recommend John’s take on all of this. However, to answer your question, I would suspect that a new router is in the mix to get this done right. That isn’t the worst outcome. I suspect that for the home or small business user they could acquire the router for the less than the price of a single months net service. Yes, heavy business users will spend more but they have more dollars to spend, not to mention plenty of security concerns worth nailing down properly.

    @JohnWalker, please help us out here and respond to spin’s enquiry with greater depth than I possess.

    Regards,

    Jim

    • #156
  7. Spin Coolidge
    Spin
    @Spin

    anonymous: Every device and user on the Internet must have a certificate issued by an approved certificate authority in order to have packets transmitted over the Internet.

    So your scheme doesn’t really address my point, which was, simply, you cannot introduce some system that affects only IoT end points.  The scheme has to address all devices.

    • #157
  8. Spin Coolidge
    Spin
    @Spin

    James Gawron: suspect that a new router is in the mix to get this done right.

    It’s not just a new router for you and I at home.  That cell tower over there?  It’s backhaul is essentially the Internet.  Which means that in this new scheme where there is a new protocol, the switch to which the cell tower connects must be updated to support the new protocol.  The switches in my office that connect all of my remote sites have to be changed.  The firewall that manages my client based VPN connectivity must be changed.  My wireless APs must be changed.  All of my computers must be changed.

    Now, we created a new protocol to address a lot of the deficiancies in the TCP/IP stack.  It’s called IPv6.  It was formerly introduced in the late 90s.  And it still is not widely used.  Most modern networking gear as well as end points can do IPv6.  But we have not deployed it.

    I’m not trying to throw cold water on your idea, I’m just saying that it is unrealistic to suggest that we could simply create a new protocol and require it be used.

    • #158
  9. Spin Coolidge
    Spin
    @Spin

    anonymous:

    Spin:

    anonymous: Every device and user on the Internet must have a certificate issued by an approved certificate authority in order to have packets transmitted over the Internet.

    So your scheme doesn’t really address my point, which was, simply, you cannot introduce some system that affects only IoT end points. The scheme has to address all devices.

    That is exactly what I said in the text you quoted.

    I know that’s what you said.  I was just addressing what Jim said which was that we’d create some protocol specific to IoT devices.  That’s all.  It would have to apply to all devices.  Which means you might as well forget it.

    • #159
  10. Spin Coolidge
    Spin
    @Spin

    anonymous: all talk exclusively to a home automation controller

    Which simply must live in the cloud.  ;-)

    • #160
  11. James Gawron Inactive
    James Gawron
    @JamesGawron

    Spin:

    James Gawron: suspect that a new router is in the mix to get this done right.

    It’s not just a new router for you and I at home. That cell tower over there? It’s backhaul is essentially the Internet. Which means that in this new scheme where there is a new protocol, the switch to which the cell tower connects must be updated to support the new protocol. The switches in my office that connect all of my remote sites have to be changed. The firewall that manages my client based VPN connectivity must be changed. My wireless APs must be changed. All of my computers must be changed.

    Now, we created a new protocol to address a lot of the deficiancies in the TCP/IP stack. It’s called IPv6. It was formerly introduced in the late 90s. And it still is not widely used. Most modern networking gear as well as end points can do IPv6. But we have not deployed it.

    I’m not trying to throw cold water on your idea, I’m just saying that it is unrealistic to suggest that we could simply create a new protocol and require it be used.

    Spin,

    Flexibility thy name is the free market. Inflexibility thy name is the government.

    cont.

    • #161
  12. James Gawron Inactive
    James Gawron
    @JamesGawron

    cont. from #175

    Let’s assume that we are faced with a massive cost and as you say if we require the new protocol’s implementation on a specific date we will meet major resistance. What are the incentives for the participants to absorb the cost and keep going without force. As an example, 1) How many of the recent costly government & corporate security breaches might have been avoided by the new protocol? 2) Hardware is constantly improving in power and decreasing in price. Could the new protocol be just phased in during an already justified hardware upgrade? 3) You say IPv6 has not been deployed. Has there been any great incentive to deploy it?

    I don’t think that the “pairing” solution would require any of this. The burden would be shifted to the devices themselves. It might only be a band-aid but maybe the problem isn’t that great yet.

    Regards,

    Jim

    • #162
  13. Percival Thatcher
    Percival
    @Percival

    John I wasn’t chastising you. I was just reflecting on a PC incident from a few years back.

    In retrospect, it’s a good thing I didn’t have a chance to mention that the outgoing cables needed their connectors converted from female to male. I’d probably still be in Sensitivity Training hell.

    • #163
  14. Spin Coolidge
    Spin
    @Spin

    James Gawron: 3) You say IPv6 has not been deployed. Has there been any great incentive to deploy it?

    Yes, it’s genuinely better than IPv4 for a number of reasons….but…

    It’s very complex to implement in an environment that already runs IPv4.  Which is why it hasn’t been done yet.

    • #164
  15. Spin Coolidge
    Spin
    @Spin

    anonymous: Over a few years, you get there, without any top-to-bottom overhaul or disruption of the operation of the Internet.

    With HTTPS, we could deploy it over time, and it could co-exist with HTTP.  But how many websites deployed it with self-signed certs, at first?  Why did they stop doing that?  Because it was a good idea?  Or because major browsers started throwing hissyfits when a cert could not be verified?  I say the second.

    • #165
  16. James Gawron Inactive
    James Gawron
    @JamesGawron

    Spin:

    James Gawron: 3) You say IPv6 has not been deployed. Has there been any great incentive to deploy it?

    Yes, it’s genuinely better than IPv4 for a number of reasons….but…

    It’s very complex to implement in an environment that already runs IPv6. Which is why it hasn’t been done yet.

    Spin,

    So you’d rather hold off and then do the whole upgrade at once. I suspect that all the new equipment that you buy is already good for IPv6 deployment but you are using it as IPv4. At some point, going to far more powerful and less expensive to maintain equipment will be desirable enough for you to move. At that point, you’ll turn on the IPv6 too. Nothing surprising about your strategy it’s just solid business sense.

    Spin, I suspect that there are many solutions that are way less than the total rerigging we are discussing (example: “pairing”). The fact that we are discussing them is progress in itself. Do you remember all the screaming about Y2K and it was resolved by simple low-cost solutions without any disruption in service at all. I think that the internet of things is going to get the same treatment with some minor inconveniences to the owners of the devices in question as it should be.

    Regards,

    Jim

    • #166
  17. The Reticulator Member
    The Reticulator
    @TheReticulator

    Spin: Or because major browsers started throwing hissyfits when a cert could not be verified? I say the second.

    In other words, cultural pressure rather than government mandate.

    • #167
  18. Joe P Member
    Joe P
    @JoeP

    The Reticulator:

    Spin: Or because major browsers started throwing hissyfits when a cert could not be verified? I say the second.

    In other words, cultural pressure rather than government mandate.

    A thousand times this.

    • #168
  19. Spin Coolidge
    Spin
    @Spin

    The Reticulator:

    Spin: Or because major browsers started throwing hissyfits when a cert could not be verified? I say the second.

    In other words, cultural pressure rather than government mandate.

    I wouldn’t call it cultural pressure so much as industry pressure.  Users neither knew nor care about SSL.  But browser manufacturers did, and they felt the need to keep a user secure.  So they finally said “Well we’ll fix your wagons, you web admins who don’t want to do what is right.”

    • #169
  20. Matt White Member
    Matt White
    @

    anonymous: This is much like the “master/slave” relationship between the device and the controlling computer that I mentioned in #8 (only to be chastised that the terminology was infelicitous to the ears of residents of a country in which I do not live for this, among many other, reasons).

    We still use that terminology in factory automation. I haven’t heard of a replacement.

    • #170
  21. Phil Turmel Coolidge
    Phil Turmel
    @PhilTurmel

    Master/slave is still around in the industrial automation world because that is the best description of the relationship between the devices.  The protocol specs even use “owner” for the master device of a specific slave when multiple masters are present.  Masters tell slaves what to do and when.

    I guess I’ll have to keep some smelling salts on hand in the office for the fragile snowflakes who incidentally find out about these terrible technologies.

    • #171
  22. Fake John/Jane Galt Coolidge
    Fake John/Jane Galt
    @FakeJohnJaneGalt

    Phil Turmel:Master/slave is still around in the industrial automation world because that is the best description of the relationship between the devices. The protocol specs even use “owner” for the master device of a specific slave when multiple masters are present. Masters tell slaves what to do and when.

    I guess I’ll have to keep some smelling salts on hand in the office for the fragile snowflakes who incidentally find out about these terrible technologies.

    The problem with snowflakes is they have a bad tendency to run to HR and legal which some reason take this stuff seriously.  I have yet seen anybody fired over such events but have been in meeting called for these purposes where it was suggested not to use such terms.

    • #172
Become a member to join the conversation. Or sign in if you're already a member.