
How to force manufacturers to take IoT security seriously? - herghost
https://securitybytes.io/how-to-force-manufacturers-to-take-iot-security-seriously-33a3e9b5ba55
======
runeks
I think the morality of this issue is extremely interesting. A single insecure
IoT device isn't a problem at all, but in huge quantities they become a form
of Internet weaponry.

Imagine if white hats were given legal immunity to hack devices that are easy
to hack (for some definition of "easy") and, for example, replace the firmware
with something that flashes some red text reading "contact manufacturer for
replacement", and simultaneously closing the security hole through which they
came in the first place.

This would be a sort of middle ground, giving consumers a minor annoyance
rather than a bricked device, but still leveling the playing field between
white hats and black hats.

Perhaps adding a $1 bounty per device for the white hats, paid by the device
manufacturer. Then the manufacturer would be forced to purchase insurance, who
would want to look at the security of the software before giving an offer on
the policy.

~~~
inetknght
This insurance concept is an interesting idea, I think.

Unfortunately, insurance is all about risk management. In layman's terms: why
bother worrying about security when you can just buy insurance for it. Then
they'll pick up the tab for any problems, right?

~~~
imgabe
Insurance can be a powerful force for creating standards. Most of the building
codes in existence were created by the insurance industry. The NFPA (National
Fire Protection Association) was originally sponsored by a collaboration of
insurance underwriters. [1]

Insurers want to make sure that a building meets the code before offering
insurance on it. If a building collapses or burns down and it is later shown
that it was not built to code, the insurance policy will be void.

I imagine similar incentives would hold for IoT security. The insurance would
be contingent on the manufacturer following all available best practices to
show that they did all they could to make the device secure.

[1] [http://www.nfpa.org/about-nfpa/nfpa-overview/history-of-nfpa](http://www.nfpa.org/about-nfpa/nfpa-overview/history-of-nfpa)

~~~
Zenst
When I worked upon software for the oil industry for the building of oil rigs,
the whole aspect of testing and insurance was very much key, and Lloyd's of
London have dedicated inspectors who would inspect and sign off parts as and
when completed, and without them, no insurance could be offered.

So for large-scale key areas you will find that insurance/reinsurance
companies have more than actuaries giving values to a risk. It is in their
interest after all, more so when large sums of money are equally at risk of
theirs.

As for driving standards, yes, it happens. Though in some cases it happens
after the horse has bolted.

For example, in the UK ALL insurance has a premium added to it to cover people
who have high-risk properties subject to flooding, and with many houses built
upon flood plains in the 80's with lower regard to risk of flooding than they
should, it is a sticky plaster solution that fixes a legacy issue that we
all end up paying for. That is the concern with IoT and I do fear that a
solution that sees everybody paying the premium to cover the issues of the
past will transpire, either directly or indirectly.

------
cm2187
In a way it is a bit unfair to IoT manufacturers. The problem is that to make
something secure today, you need to be a network protocol specialist, a Linux
specialist, an expert cryptographer, etc. And guess who are IoT designers?
Either a low level technician in a big western company or a guy hacking stuff
together on the side of a factory floor in China.

To me it is unreasonable to ever expect that all of them will be Linux
specialists, expert cryptographers, network specialists, etc.

Fundamentally we are at the convergence of software and hardware, but the
software is too complicated and gives people too many ways to shoot themselves in
the foot.

I'd argue we need better software, not IoT manufacturers sinking resources in
hundreds of unrelated expertises.

~~~
YCode
Ring stored WiFi credentials in plaintext on their video doorbells -- would
you say it requires a cryptographer, a network specialist and an embedded
device expert to know that was a terrible move for a home security device you
can walk up and physically rip off the outside of someone's house?

IoT manufacturers don't have to contract Linus Torvalds to review their code,
but it's entirely reasonable to expect IoT manufacturers to use existing best
practices to secure these products.

~~~
patcheudor
I would say, based on my experience, that indeed it does require some level of
specialization which most don't have today. I'm fighting with an IoT
manufacturer right now because they ship the same root private key on every
one of their devices. This is a pretty simple concept to understand:

"Are all your device privates derived from the same key? Do you ask your users
to install your public root to get past security warnings?"

Yet they clearly don't understand PKI 101 and think what they are doing is
completely appropriate because they are "following standards" while of course
missing the bigger picture entirely.

------
StavrosK
I like this quote I saw here:

> The "S" in "IoT" stands for "Security".

------
Razengan
From another IoT comment [0] that I just posted:

• Develop a standard interface/protocol for integrating IoT devices with the
major mobile operating systems:

• Upon unboxing an IoT device and first power-on, require physical contact
(via NFC?) with user's primary smartphone/wearable, and register the device
with the user's third-party cloud account (e.g. Apple's iCloud/HomeKit).

• Only allow control of the IoT device from the smartphones/wearables that are
signed into the user's iCloud/Google/Microsoft/etc. account.

• Web interfaces for IoT control should require two-factor authentication on
the user's smartphone/wearable, again like the web interfaces for
iCloud/Google/Microsoft accounts.

• Expose a different set of controls based on the user's physical distance
from the IoT device, and the level of authentication on the controlling
phone/wearable. For example: To unlock your front door you'd have to be
standing right there (similar to unlocking a MacBook with the Apple Watch) but
you could turn the lights on/off from across the world if you've unlocked your
phone and entered your iCloud/Google/Microsoft password – and only from that
phone.

• Sharing control with spouses/family could be similar to how Family Sharing
for the App Store currently works; set a level of access on each IoT device
for each member, and fallback on asking the family "admins" for permission.

No doubt there must be some non-apparent holes in this, but just throwing an
idea out there.

[0]
[https://news.ycombinator.com/item?id=14077965](https://news.ycombinator.com/item?id=14077965)

~~~
kbart
_"Upon unboxing an IoT device and first power-on, require physical contact
(via NFC?) with user's primary smartphone/wearable, and register the device
with the user's third-party cloud account (i.e. Apple's iCloud/HomeKit)."_

Sorry, you lost me here. The last thing we need right now is another database
of users' personal information. Why should every gadget be attached to my
_personal_ phone?

_"Only allow control of the IoT device from the smartphones/wearables that
are signed into the user's iCloud/Google/Microsoft/etc. account."_

No again. It's enough Google owns my phone and email, I don't want it to own
my home. What happens when Google's algorithm decides to ban you for no
apparent reason (there are plenty of such horror stories around)?

TL;DR: if that's the price to pay for IoT security, I'm resorting back to
"dumb" devices or going to live in the woods.

~~~
Razengan
That is sort of similar to how Apple's Continuity/Handoff/etc. currently works
though, isn't it?

Your iDevices, once registered on the same iCloud account, just talk to
themselves, without needing to tell or ask Apple anything, other than just
checking that you've signed into the same iCloud account.

~~~
kbart
I don't use Apple products, so can't comment on how that works, but Apple is a
rare company that owns it all: hardware, software, support, so the hardest
part of any solution -- agreement of different parties -- disappears.

------
jpalomaki
For consumer devices the solution could be the consumer protection
legislation. For example in EU the manufacturers/sellers are responsible for
the devices after the sale. The exact time is not defined, but I believe for
average consumer electronics 2 years is kind of minimum. During that period
the manufacturer is responsible for defects in the products. The
responsibility means they need to fix them, provide a new (working) gadget or
provide financial compensation.

If we defined that a device with a known security vulnerability is broken,
the manufacturers/resellers would need to take action. Suddenly there would be
direct financial consequences for shipping broken devices for which updates
don't exist. I'm sure this would quite quickly lead to manufacturers putting
more effort on providing updates and maybe even to proactively preventing
security issues.

------
shad0wca7
The healthy technology market will force IoT manufacturers to take security
seriously. It is not the job of a government to punish a corporation for
failing to implement what should now be basic tenets of product quality and
suitability.

The loss of customers and reputation should a major security concern arise is
a serious market driver and calls for regulation will only ensure that nobody
does anything until a multitude of governments agree on a standard. As further
food for thought, do you honestly trust the government to make the best
choices for your security as a private citizen?

~~~
vog
I don't buy that argument.

If "customers and reputation" were sufficient, we wouldn't need regulations on
the safety of e.g. medical stuff, food and cars. (And history, as well as
comparison with other countries, confirms that we do need those.)

Whenever one needs to establish a minimum of quality (and this is what that's
ultimately about), establishing laws mostly works, while trusting the market
mostly fails.

Markets are good at many things, but are really bad at establishing a minimum
of quality (or provision with basic supplies, for that matter).

------
tabeth
I know it's kind of a rhetorical question, but I think the answer is
obviously: make it cost them _significant_ amounts of money if they do _not_.

So, the question then becomes, how do you make it cost them significant
amounts of money?

~~~
keyme
Here's an idea:

There exists an FCC ID for every device that uses the RF spectrum. Similarly,
there should be a similar required license for any device/product that
operates on the Internet.

The license should be easy to get initially (basic examination by 3rd party).
However, once the product is out on the market, if it is shown to be
demonstrably broken (insecure), the license is revoked. It now becomes illegal
to operate or sell the product as-is (both for user and manufacturer). It now
has to be disconnected from the Internet (or the user and manufacturer face a
fine).

Devices that are produced in very low quantities will be exempt from this
(prototypes, specialty equipment, etc).

This is similar to the mandatory safety checking of a motor vehicle.

A cop pulls you over since your car mirrors are broken? You need to fix them
before it's legal to drive.

Someone finds out that all models have a fatal life-endangering flaw? It is
now both illegal to drive them, and to sell new ones (as-is). Note that in
this case, manufacturers will always foot the bill and do a recall.

I get that this is extreme. I don't see how anything else would work, though.

------
Zenst
I would like some kind of standard for testing that is recognised, in much the
same way the FTC tests radio related items for compliance.

Which reminds me that it is not a new issue, and a read from a few years back
raises concerns for IoT and security, by the FTC:

[https://www.ftc.gov/system/files/documents/reports/federal-t...](https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf)

------
dwheeler
Bricking devices is unlikely to help; the manufacturer already got his money.
Indeed, economics are the fundamental problem - the manufacturer has zero
incentives to do anything correctly.

Laws can't solve all problems, but I think they could help.

See "What laws should be created to improve computer security?" -
[https://www.dwheeler.com/essays/law-security.html](https://www.dwheeler.com/essays/law-security.html) -
because I think some could help.

------
franciscop
The title IMO is clickbait in the way of "discover how ___"; I'd change it to:
"Bricking IoT devices gives incentives for better security".

~~~
herghost
I agree. Updated.

------
DrNuke
From what I see, this is a problem for the consumer market on one side and for
the small manufacturers on the other. Big industrial players like General
Electric, Bosch, Philips, etc. are deep in this already with their QA
protocols and their own software platforms, think of Predix.io. Nothing more
than another line or an extension of home / office / factory appliances for
them.

------
passivepinetree
Here's a much more descriptive/informative article (linked to in the original
article): [https://arstechnica.co.uk/security/2017/04/rash-of-in-the-wi...](https://arstechnica.co.uk/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/)

------
ziikutv
Would it be worth an effort if there was an open source protocol of secure
communication of IOT devices?

For example, many solutions use MQTT, why not make a secure TCP/UDP one by
implementing one of the higher layers in OSI stack?

------
patrickmn
IoT seems hopeless because

- There are so many different kinds of devices and different hardware

- Vendors want to maximize profits like everyone else, which entails making
new devices all the time, and ending support on the last model fairly quickly
(typically within two years,) but consumers regularly keep their devices for
more than two years.

- Hardware vendors historically were not software vendors. For many IoT
makers, this is their first real foray into software. The mistakes being made
are amateurish, at a level that we saw on PCs in the mid-90s.

- Although there are some IoT standards, they're mostly concerned with
communications, not the operating system. It feels like we're still 5+ years
off from something as basic as automatic updates being a given (even just
notifying users that an update is available and allowing them to easily
install it is a challenge currently.)

Two things that are really bothersome:

- A huge number of IoT devices don't need the 'I'. They are perfectly capable
of serving their purpose without an Internet connection (e.g. over Bluetooth,)
but a huge attack surface is added to make you able to configure the device
via a central website, or simply to monetize usage data.

- It is futile to trust each vendor to have the security expertise to lock
down every device. An "IoT operating system" would be highly desirable, but
there is nothing anywhere near real world implementation, and given the
heterogeneity of hardware components it doesn't seem likely something
non-Linux-based will come along.

Brickerbot is hostile and aggressive and shouldn't be necessary, but maybe it
is. That's beside the point, though: Nobody has to be given permission to
brick insecure IoT devices. Vendors don't feel it where it hurts (the bottom
line,) and consumers increasingly just don't care (studies show people have
grown accustomed to security incidents -- "it happens to everyone and
everything; replace it and move on, there's nothing you can do")

Hacks made Microsoft shape up in the 90s and early 2000s, but Windows has only
become actually secure since after Vista. Maybe just don't buy IoT devices for
another 5-10 years, or at least put them on a separate vlan.

There are a bunch of groups trying to spread the word, but it doesn't seem
many vendors are listening (or if they are, they don't have the capability to
really secure their devices.) We've had some success with Securing Smart
Cities working with local and state governments, and trying to address some of
these issues before hilariously insecure IoT hardware becomes ubiquitous in
cities/related to critical infrastructure:
[http://securingsmartcities.org/](http://securingsmartcities.org/)

It's hard to see how it's not going to get much, much worse before it gets
better.

~~~
Klathmon
>A huge number of IoT devices don't need the 'I'. They are perfectly capable
of serving their purpose without an Internet connection (e.g. over Bluetooth,)
but a huge attack surface is added to make you able to configure the device
via a central website, or simply to monetize usage data.

I always feel the need to disagree with this.

The biggest "value add" in most of my "connected" stuff is the fact that I can
access and manage it from outside the home.

Z-Wave light switches are nice, but being able to turn them off when I forgot
to after I've left is a huge bonus (and taking it a step further and tracking
my and my family's phones and turning them all off when nobody is home
automatically).

A thermostat I can control when I'm on the couch is a convenience, but a
thermostat that notices when I'm at work or the store or a friend's house and
turns off during that time saves tons of money and energy.

A garage door that I can control from anywhere in my house is normal, but a
garage door that I can have ensure it's closed when I'm not home, and that I
can open for a friend that showed up to my house 20 minutes before I did is
awesome.

I really do think that the "I" in IoT is absolutely necessary (in many cases,
not all), but I agree with the rest of your points.

(before people start commenting on the tracking stuff, it's all implemented on
a home-server where the phones literally "phone home" to that server, nothing
is processed outside the house)

~~~
mbreese
All of those are great use-cases. But do you really want each of those devices
to be added to the external threat surface? Perhaps it would be better to have
everything talk to a central hub over a local protocol (ZigBee, Bluetooth,
etc) and then that hub be the main connection out to the Internet at large. As
it is now, it's still a bit of a free for all. And at least if you have a hub
model where you can secure that one device (or replace it if it is
compromised), you don't have to replace all of your individual IoT devices
when something bad does happen.

A good example of this is my garage door opener. Instead of building a WiFi
connection into the opener itself, there is a separate little gateway device
that sits inside my house. The gateway talks to the door (RF) and to the
Internet (ethernet). I can still control my garage door, but if something is
compromised, I can always detach that gateway and still have a working
(secure) garage door.

~~~
Klathmon
It seems so silly to me to not use the ubiquitous "RF" broadcasting stations
already in everyone's house, that also includes an "okay" addressing system, a
security firewall, high bandwidth communications protocol, and more.

Why not focus on software which can use WiFi more securely and with a better
focus on local connectivity? I can understand the "ultra low power" needs, but
many of these devices are mains powered, and that's not really a concern.

But yes, what I do right now for the most part is use Z-Wave which is
connected to a central "hub" which is then connected to the outside world. But
IMO that's a hacky-workaround for this problem, not a real solution.

------
ardiri
easy - educate them.

[http://ardiri.com/blog/utls_defining_lightweight_security_fo...](http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_10)

------
AnonNo15
By aggressively exploiting insecure devices and maximizing damages to the end
customer.

Either the IoT market will die because of this or the IoT will become IoST -
internet of secure things.

------
bitwize
Liability. Liability, liability, liability.

------
sedky
IoT is going to change the world, so it's great to tackle this issue while
it's in a premature stage

