
Schneier: It's Time to Regulate IoT to Improve Cyber-Security - pwg
http://www.eweek.com/security/schneier-it-s-time-to-regulate-iot-to-improve-cyber-security
======
Asdfbla
Even though many people scoff at the idea of government regulations, the
economic incentives in IoT security are really all messed up and it's not
really clear that the market will fix itself because so much of the damage can
be externalized somehow. Does the manufacturer of a cheap and outdated IoT
device care if it's participating in some DDoS attack? Or like Schneier said,
do consumers care if they don't notice?

There seem to be some soft mechanisms that governments could explore. Maybe
something like demanding opening the source code once security updates for the
device stop, so consumers could help themselves. Or at least, an even more
modest regulation, simply allowing all consumers to hack their own devices
without fear of violating any laws.

One thing that could hurt the market is maybe making manufacturers liable for
the damages caused by security holes in their devices, but regulation doesn't
have to go that far to make an impact.

~~~
tzs
> One thing that could hurt the market is maybe making manufacturers liable
> for the damages caused by security holes in their devices

That's what insurance is for. Something like this was discussed in my torts
class in law school, except that was long before IoT devices existed so it was
about things like lawn mowers.

The idea is that it might make the most sense economically to make the lawn
mower manufacturer liable when users cut off a finger or toe, even if it was
due to consumer stupidity instead of any negligence on the part of the
manufacturer, because the manufacturer is in the best position to estimate the
risks and purchase insurance to cover them.

Presumably, the manufacturer will pass on the costs of those insurance
premiums to the consumers. The manufacturer still has an incentive to try to
build safe mowers, because if their insurance company ends up paying out a lot
the premiums will go up. They can pass those higher premiums on to the
consumers, of course, but that will make them more expensive than their safer
competitors.

The manufacturer is in a good position to deal with insuring for these
injuries because they know how many mowers they are selling. Other candidates
have less useful information. For example, a consumer usually has no idea what
their chances are of suffering a lawn mower accident, so has no idea how to
decide how much insurance is needed. Health insurance companies will have a
good idea in the aggregate of how many of these accidents occur in a year, but
they have no idea which of their customers use lawn mowers.

Done right, this should not hurt a market much.

I'm not sure it could work for IoT, though, because a lot of IoT devices are
made by new companies that probably will not be around long. With things like
lawn mowers, it could take years to get around to cutting your hand off, and
still reasonably expect the manufacturer to be around. Not so with a lot of
IoT devices.

~~~
forapurpose
> That's what insurance is for

What are the outcomes for using insurance, and what are the outcomes for using
regulation? Does anyone know the answers in a technical policy sense (not in a
philosophical sense)? They are different tools useful for different problems.

Thinking out loud, insurance seems like a poor solution when people will
suffer serious, irreparable harm. If the lawnmower severs a foot, then an
insurance payout isn't really sufficient; regulations should prevent that from
happening in the first place. More broadly, my point is that there are larger
issues than economics.

> Presumably, the manufacturer will pass on the costs of those insurance
> premiums to the consumers.

In economics, that is not the case. Businesses don't price goods at 'cost-plus';
they don't look at their costs and add a profit margin. Think of the
soda at the movie theater on one hand, and on the other the car being sold at
a loss because the market is soft; think of software. Like all businesses, the
lawnmower manufacturer already is pricing their product at the level that
maximizes total sales revenue, which depends on supply and demand; raising the
price will reduce revenue (probably because unit volume will decrease too much
to be compensated for by per-unit revenue increase). If they could raise the
price and bring in more revenue, they would have done that already.

There is an issue of elasticity: If your customers' alternatives are limited -
i.e., if they can't go without your product, if there are limited competitors
and substitutes - then you can raise prices more easily. A Van Gogh painting
is highly inelastic; lawnmowers are much less so.

~~~
shubb
On insurance vs regulation -

What isn't being mentioned here is that insurers will require insured
companies to do a bunch of stuff in order to remain insured. Have some
processes in place, do some things, and so on.

Just like your car insurance isn't valid if you drink and drive, your
software company insurance might not be valid if you aren't using source
control and have no testing or code review process.

So in some ways, what you get out of insurance is market driven 'regulation'.

Possibly, because a rival insurance company can impose different conditions,
insurers are incentivised to require only the stuff that really reduces risk,
while regulators might make irrational regulations driven by moral panics in
the press. Similarly, they might be more responsive to supporting new
techniques that reduce risk at lower costs, because customers will seek out an
insurer that lets them use those.

Possibly, insurers are less susceptible to moral hazard, where regulator
employees have close relationships with industry heavyweights and make policy
that helps their business, at the expense of consumers and sector rivals.
Insurers mostly want to make money.

Regulators might be better sometimes because their staff tend to be very
mission driven (they want to fix the problem, not make money). They will get a
kicking from the public if there is a big accident and laws and regulations
did not prevent it, while an insurer is only punished if they don't satisfy
current law. So a regulator might be more proactive.

~~~
forapurpose
Excellent points; thanks.

I'd only add that the insurer's incentive to reduce risks to their profits is
not always aligned with consumer's risks. As a simple example, the insurer may
require the vendor to have consumers sign away their legal rights to reduce
the risk of expensive lawsuits.

------
cletus
Not that I'm a fan of government regulation for technology issues like this
but the security situation is beyond a joke.

For one, it's time to hold companies (and executives!) accountable for
security of the data they are charged with protecting, often without your
consent (eg Equifax).

For another, insufficient product liability for companies being lax--even
negligent--with security. Honestly I don't see an outcome like network-connected
lightbulbs bringing down the Internet as particularly far-fetched.

Frankly I don't even know what the market for IoT even is. Who needs $50 light
bulbs that will DDoS someone one day? Or, worse, compromise your network to an
attacker.

And all for what? So you can turn the lights on after you go through multiple
steps to unlock your phone?

~~~
thaumasiotes
> And all for what? So you can turn the lights on after you go through
> multiple steps to unlock your phone?

I wanted network-connected lightbulbs so I could have them turn on at the time
I needed to wake up, when that time was well before dawn.

I never installed them because I didn't know how to secure them and my
schedule got more reasonable, but I think the use case is pretty compelling.

~~~
joe_the_user
Why would light bulbs need to be connected to the Internet for the use case of
being turned on at a specific time? They'd just need to be connected to a
timer for this.

I mean, an Internet connected light bulb use-case would be a bulb that flashed
whenever a stock you owned went down in price, which is ridiculous despite
being the least ridiculous example I could think of.

IoT security cameras and an automated kitchen you phone to prepare your
dinner if you were coming home unexpectedly seem like the least crazy IoT
devices an individual could own - most IoT stuff seems more like what a global
company would want rather than an individual.

~~~
DanBC
> despite being the least ridiculous example I could think of.

A lightbulb flashes when visitors ring the doorbell, which is useful for people
with visual impairment. The doorbell has a hidden RFID reader, and certain
guests have an RFID card. The doorbell flashes differently for each visitor.

~~~
joe_the_user
" _A lightbulb flashes when visitors ring the doorbell, which is useful for
people with visual impairment. The doorbell has a hidden RFID reader, and
certain guests have an RFID card. The doorbell flashes differently for each
visitor._ "

How is this an example of something that needs to be connected _to the
Internet_? My point is most examples are about local connections, used to
justify a jump into a world-wide, insecure net.

I mean, all the light bulb examples are contrived because a PHONE has all the
information-conveying ability of a light bulb and is designed for
information-conveyance. Light bulbs are designed for the light-consumption
needs of those nearby, and examples of light-bulb-control at a distance are
either poor substitutes for phones or "weirdness" - haunted houses and
art-happenings.

------
jstewartmobile
Always love Mr. Schneier, but I think torts would be a better way of handling
this.

There are several problems with regulation: a) Whack-a-mole, new ideas and
business models arise faster than the speed of government. b) Regulatory
capture, like what happened to our banking regulations. c) More often than
not, penalties are captured by the regulator, but compensation is not made to
the injured parties. d) International law / trade agreement complications. I'm
sure there are many more.

If manufacturers knew they'd be on the hook for damages in a dollar-to-dollar
way, they'd put more engineering into their work, they would price it
accordingly, and personally I'd be fine with that.

~~~
dragonwriter
The creation and definition of torts (or the generalization of existing torts
to cover new related domains) is a mechanism of regulation.

~~~
jstewartmobile
Yes. In the postwar period, the word regulation typically entails new laws,
possibly a new regulating agency, and a mix of civil and/or criminal
penalties. I think a more liberal interpretation of existing torts would be
simpler, more just, and harder to game.

~~~
eropple
It also encourages the tiering of IoT such that insecure-and-cheap remains on
the market and is pushed towards people who can _least_ afford to be pwned.

Regulation is not blind, but it does raise the floor.

~~~
jstewartmobile
"least afford"??? As though these IoT devices weren't pure bored yuppie
disposable income in the first place?

I would figure large service providers, and big companies with fleets of
marginally protected devices, would be the ones to bear most of the damages
coming from shoddy IoT devices being pwned and rolled into larger
ddos/ransomware/etc attacks.

~~~
eropple
At the moment, yes, they are at the high end of the market. In three years,
you can expect that to be in the process of moving downmarket. In five,
they will be comfortably midmarket and still moving downward. And, the cheaper
the device, the more corners cut in production. The more corners cut, the
higher the likelihood that at least some of them are in terms of security.

~~~
jstewartmobile
We are governed by people who have trouble agreeing that 30 year olds
propositioning minors is a bad thing.

I just think broadening the concept of liability in our industry to the point
where some company's negligence is _finally_ made an example of has a much
better chance of improving things than a panel of regulatory agency appointees
that have either already been paid as industry lobbyists, or are operating
under the carrot of a future position as a highly-paid exec--just like the
FCC, or Robert Rubin, or any of Trump's appointees, or so many others...

------
noonespecial
On the surface, I agree with this.

In practice I expect it to result in fewer products on the market that are
more expensive and no more secure as this sort of regulation will simply
select for large companies who are experts at paperwork and soft bribes.

I wish I had a better idea.

~~~
rogerbinns
> I wish I had a better idea

Something that already works are various forms of certification.

Examples are:

* "Norton protected" on websites

* Underwriters Laboratories on US products

* US DOD Trusted Computer System Evaluation Criteria for how the US military checks the security of a product

* ISO 9001 for quality management

* Oregon Tilth for certifying organic products

Some of these are more valuable than others, but are at least a separate stamp
of approval.

With my magic wand I'd have a group come together to form such a certifying
organisation and provide it with a marketing budget. The marketing would
mirror the success of "check for a green padlock on a website to know it is
secure" - look for the stamp on a product box.

If that doesn't happen and there are more serious incidents, consumers
would look to Google, Apple, Amazon etc., e.g. if the proposed device doesn't
work with the Apple hub and hasn't been vetted by Apple, then they wouldn't buy it.

~~~
mnw21cam
The problem with certifying a device (presumably as secure) is that security
is a process, and a device that is secure now may not be tomorrow. For a
device to remain secure requires regular updates.

~~~
rogerbinns
ISO 9001 for example does certify process. I'm sure organic does too.

------
oliwarner
China already ignores safety and radio regulations. Sure, add more. They'll
keep flooding Amazon and eBay with _cheap_ crap and people will keep buying
it. Good IoT will just become even more expensive.

The only way to avoid a botnet apocalypse is to secure home routers. Outbound
traffic should not be an automatic right. People should have to authorise each
device for each type of traffic.

I argued this long-hand when OVH was taken down by "security" cameras. Good to
see we've made no progress.

[https://thepcspy.com/read/when-did-we-stop-caring-network-se...](https://thepcspy.com/read/when-did-we-stop-caring-network-security/)

~~~
JumpCrisscross
> _People should have to authorise each device for each type of traffic_

Nobody wants to do this. I'm a quarter way paranoid about electronic security
and even I don't want to do this.

~~~
oliwarner
Sure. I've been through this though. See the link.

I recommend a certification programme, with manufacturers justifying the
access their device needs. A little _signed_ JSON blob of hosts and ports it
plans on connecting to. The device communicates this to the router. If the
signing certificate is still valid and the manufacturer trusted, the router
could just allow _that_ access, or prompt the user to just let them know that
device is trying to connect. No confusing detail. And just once, at the same
time you're setting up network stuff, so it's not weird or extra hassle.

It's leaps and bounds better than what we currently have. The vast majority of
us have zero idea what the devices on our network are actually doing, all
while we're each throwing dozens of these cheap internet-enabled things
online.

For legacy devices, a more iterative approach might be needed but it can still
be prompted: "Dell computer is trying to connect to clearlybaddomain-dot-com.
Allow, Allow All, Deny, Quarantine". You could even layer on some "known bad"
hosts or traffic patterns via centralised lists to automatically quarantine
devices at the router level.

Nothing here is rocket surgery. One developer for a few months. An entity like
Google could do this in an afternoon. There's just surprisingly little
appetite for it.
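The signed-manifest scheme sketched above, written out as an added example (not code from the original post or from any router or vendor product): the vendor signs a JSON allowlist of hosts and ports, the router verifies it against its trust store and expiry, and each outbound attempt is allowed, denied, quarantined via a known-bad list, or, for a legacy device with no manifest, prompted to the user. The vendor name, hostnames, blocklist and the Ed25519 key standing in for a signing certificate are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Rule is one outbound flow the device declares it needs.
type Rule struct {
	Host  string `json:"host"`
	Port  int    `json:"port"`
	Proto string `json:"proto"` // "tcp" or "udp"
}

// Manifest is the vendor's declaration; Expires stands in for certificate validity.
type Manifest struct {
	Vendor  string `json:"vendor"`
	Expires int64  `json:"expires"` // unix seconds
	Allowed []Rule `json:"allowed"`
}

// SignedManifest is what the device hands the router: the exact signed bytes plus the signature.
type SignedManifest struct {
	Payload, Signature []byte
}

// Verify is the router-side check: trusted vendor, valid signature over the exact bytes, unexpired.
func Verify(sm SignedManifest, trusted map[string]ed25519.PublicKey, now time.Time) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return nil, err
	}
	pub, ok := trusted[m.Vendor]
	if !ok {
		return nil, errors.New("untrusted vendor " + m.Vendor)
	}
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return nil, errors.New("bad signature")
	}
	if now.Unix() >= m.Expires {
		return nil, errors.New("manifest expired")
	}
	return &m, nil
}

// Decide classifies one outbound attempt as "allow", "deny", "quarantine" or, for a
// legacy device that presented no manifest (m == nil), "prompt" the user.
func Decide(m *Manifest, knownBad map[string]bool, host string, port int, proto string) string {
	switch {
	case knownBad[host]:
		return "quarantine" // centrally distributed blocklist is checked first
	case m == nil:
		return "prompt"
	}
	for _, r := range m.Allowed {
		if r.Host == host && r.Port == port && r.Proto == proto {
			return "allow"
		}
	}
	return "deny" // anything outside the declared set is refused
}

// Demo plays both sides for one constructed device and returns every outcome.
func Demo() (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor's hypothetical signing key
	if err != nil {
		return nil, err
	}
	now := time.Date(2017, 11, 10, 0, 0, 0, 0, time.UTC) // constructed clock
	payload, err := json.Marshal(Manifest{Vendor: "ExampleBulbCo",
		Expires: now.Add(365 * 24 * time.Hour).Unix(),
		Allowed: []Rule{{"api.examplebulb.invalid", 443, "tcp"}, {"ntp.examplebulb.invalid", 123, "udp"}}})
	if err != nil {
		return nil, err
	}
	sm := SignedManifest{payload, ed25519.Sign(priv, payload)}    // vendor side
	trusted := map[string]ed25519.PublicKey{"ExampleBulbCo": pub} // router's trust store
	ok := func(_ *Manifest, err error) string { return fmt.Sprint(err == nil) }
	m, err := Verify(sm, trusted, now)
	out := map[string]string{"valid": fmt.Sprint(err == nil)}
	// A port edited after signing, and the same manifest after expiry, must both fail.
	tampered := SignedManifest{bytes.ReplaceAll(payload, []byte(`"port":443`), []byte(`"port":80`)), sm.Signature}
	out["tampered"] = ok(Verify(tampered, trusted, now))
	out["expired"] = ok(Verify(sm, trusted, now.Add(400*24*time.Hour)))
	known := map[string]bool{"clearlybaddomain.invalid": true} // constructed blocklist
	out["api443"] = Decide(m, known, "api.examplebulb.invalid", 443, "tcp")
	out["api80"] = Decide(m, known, "api.examplebulb.invalid", 80, "tcp")
	out["bad"] = Decide(m, known, "clearlybaddomain.invalid", 80, "tcp")
	out["legacy"] = Decide(nil, known, "example.invalid", 443, "tcp")
	return out, nil
}

func main() { fmt.Println(Demo()) }
```

A real deployment would carry the vendor key in a certificate chain and revoke it on compromise; the expiry field here only models the "signing certificate still valid" part of that.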

------
emilecantin
While we all lament about incentives & regulation which are out of our
control, there are still a lot of technical issues to solve, perhaps we can
start there.

A few examples:

* It's currently pretty hard to add HTTPS on a router admin page.

* Browsers can't do service detection on a local network, so we have to resort to central servers to manage headless devices (or ugly, unreliable local IPs).

* Punching through firewalls / NAT is still hard, so we again resort to central servers.

It's really fucking hard to do IoT at scale, in an easy-to-use way that's
secure and that respects the user's privacy. I think we can solve that.

------
solomatov
I think a better solution is to buy non smart versions of toasters, microwaves
and kettles.

------
fareesh
May end up in a situation where the network layer of hardware and their
respective wrappers/software is monopolized by a group of compliance savvy
folks who have done the necessary audits, certifications, etc. In theory it is
not necessarily bad, but regulations have a bad reputation because of how
poorly these things are generally implemented.

------
jstewartmobile
IoT is a solution that has been looking for a problem for _at least_ 20 years
now. It's like every EE department in existence feels compelled to cram micros
and ethernet into every toaster, thermostat and lightbulb.

I guess it only took this long for enough people to become insane enough to
justify a market for it.

 _Preach on brother Bruce!_

~~~
flukus
I'm surprised more people aren't willing to consider not having the IoT as the
solution. It doesn't look like we'll get a decent solution to security anytime
soon and the average person doesn't seem to get much out it anyway. It's just
more trouble than it's worth.

------
ttul
Yes it is. Importing a cheap Chinese WiFi access point that has an exploitable
default password should be as illegal as importing Chinese fentanyl.

~~~
watty
That's ridiculous, why? I'd understand some sort of certification process and
requiring certified products to have ample warnings but why should it be
illegal?

If I want to buy cheap hardware or software that isn't certified I should be
able to.

~~~
maltalex
Same reason it's illegal to drive a car that's not certified for roads or
build a building that doesn't meet safety standards.

You have a right to pose a danger to yourself. You don't have a right to pose
a danger to others.

~~~
dfox
In my opinion you should be liable for any such danger you pose to others with
the ability to shift that liability to whoever sold you the source of such danger
while assuring you that it is safe.

In fact it is then inconsequential whether some device puts you in direct
danger or in danger of somebody coming after you for putting them in danger.

~~~
maltalex
> In my opinion you should be liable for any such danger you pose to others
> with the ability to shift that liability to whoever sold you the source of such
> danger while assuring you that it is safe.

Right. So you, the little guy, are going to shift the blame to a rich company
that does this for a living. Say it's a company such as Google which makes
some IoT devices. Would you be able to prove in court, and in front of their
engineers and lawyers that they've sold you an insecure device? Do you even
have access to their source code?

------
forapurpose
We can think of the Internet as a public resource, like the electromagnetic
spectrum.[0] The FCC regulates what can use the spectrum, requiring that
devices do so safely, in a manner that will not interfere with other devices
or cause harm to people or property. The same could (and I think should) be
required of devices that connect to the Internet.

Frankly, I'm tired of trying to find time to find specs (and then learn how it
really works) to figure that out for myself; I secretly dread receiving
anything networked for the holidays. It's difficult for me; most end-users
have no hope of protecting themselves - and they seem to assume that any
product sold must be safe. They assume it is regulated, in effect.

[0] Arguably the Internet is physically different than spectrum. Physics
'creates' the spectrum and its physical limitations make it a public good;
there are only so many frequencies, and propagation is part of the equation.
The Internet is a creation of humans and in theory can be recreated or
modified at will. But that theory isn't realistic: The Internet cannot be
replaced or substantially modified; the public has no realistic option of
using a different Internet if they don't like this one. In any practical
sense, it's a public good.

------
herf
This is also a business model problem. Consumer hardware companies do not have
the margin to make and support software that needs to run for ten years or
more.

Before the iPhone, software and hardware were often different and had
different business models.

~~~
Sophistifunk
This is the big problem, and regulation can not fix it. If companies are
expected to pay programmers and testers and support staff to keep their
devices up-to-date, that money needs to come from somewhere, and cloud
"services" that don't provide any value but exist only for MRR and lock-in are
only going to result in a bigger attack surface and a bricked device when the
company folds or loses interest.

------
blunte
It's simply not going to happen as long as elected politicians and officials
are mostly technically-illiterate. These are the same people seriously
considering back doors to encryption in the name of security.

Give it 5-10 years when enough of them have died off; then change will happen.

~~~
crottypeter
No, in 5 or 10 years they will be replaced by new technically-illiterate
people.

------
indigochill
Can someone educate me on one IoT point: devices presumably send and receive
traffic over a router. That router presumably has security measures such as a
firewall in place to reject malicious traffic. So, assuming a competent user,
shouldn't security be primarily handled at the router level rather than the
IoT device level? Of course IoT devices should also be secured, but my
thinking is insecurity and lack of political motivation to regulate could
probably be largely mitigated this way?

That said, I've more or less completely ignored IoT so far aside from passing
interest in how easy Mirai was and I've only briefly dabbled in firewall
configuration, so many of my assumptions could be wrong.

~~~
cmdkeen
"Assuming a competent user" is absolutely not what IoT is about, it shouldn't
be what most of our decisions as engineers should be about. I don't want to
have to be a "competent user" for my fridge, lightbulbs, sex toys - i.e.
everything is potentially going IoT.

Separately, no - attacks like CSRF will quite happily be routed and compromise
an incompetently designed IoT device.

~~~
indigochill
I was thinking about blocking all traffic routed for the IoT device which
comes from any address outside a set of explicitly trusted sources (such as
the vendor's service and the user's smartphone or something). Then attacks
like CSRF and default admin credentials become a moot point unless those
trusted sources become compromised.

~~~
cmdkeen
That's how CSRF works - I get you to communicate to the device from your
"trusted" smartphone or other device. There is nothing you can do at the
routing level to protect against it. It is entirely up to the endpoint
receiving the request to have implemented proper CSRF protection against
attacks.

CSRF has been around since 2001 and is in the OWASP top 10. It would be
absolutely valid for regulators to require reasonable steps to be taken to
prevent its abuse, along with similar attacks.

------
walrus01
I am cautiously leaning towards the perspective that Schneier is right. This
problem is not going to be solved by market forces. Ordinary non technical
consumers will buy things like wifi security cameras for the absolute cheapest
price at $45/unit, based on them having attractive retail packages or what
appears to be a good feature set/spec/price. I have not seen any signs that
people are moving away from known-insecure things in droves, because in my
estimate, only 1 to 5% of users of such things actually care about the
operating system/under the hood software configuration of their IoT devices.

~~~
michaelt
Hell, even for highly technical users it's almost impossible to evaluate a lot
of this stuff.

I mean, I program embedded systems for a living - and I couldn't tell you
which IoT dash camera or digital camera with wifi or internet-connected car
entertainment system is secure.

~~~
chopin
That's easy - presumably none. At least if you take secure as an absolute
value.

------
maltalex
I don't think that government certification is the answer here. This will turn
security into a check-mark. Companies will do the bare minimum to get
certified and won't invest a penny more. This would solve some of the more
extreme cases we see, but I doubt it'll make a real impact.

Instead, I feel that accountability would work much better here. If you're
selling an IoT device, and you haven't taken industry standard precautions for
securing it, then you're on the hook for whatever your device is used for. The
same can be applied to companies storing personal information e.g. Equifax.

~~~
MBCook
I think Schneier is right. The market has utterly failed here and there is no
reason to think it will start working. Class action lawsuits are _very_ slow
and you have issues of trying to prove actual harm. To use his example if my
TiVo is part of a botnet but continues working perfectly, have I been harmed
in a way that’s likely to let me sue someone?

What happens when you want to sue a company for lack of updates when the
company went out of business 6mo after it was created (like Juicero)? You
can’t sue them, where a law could have forced them to be secure from the start
or put up a bond to support the devices for a while.

Companies will do the bare minimum to get certified? You realize that’s a
_massive_ jump compared to what happens now.

~~~
maltalex
You're right, and perhaps ideally we should have a mix of both accountability
and certification. I don't know who could or would sue TiVo for the attack,
and I don't know how to solve the problem of out of business companies. This
approach has its drawbacks.

However, give the certification process some thought too. I can see quite a
few drawbacks here as well.

First, a significant advantage for established, rich companies. We'll be
swamped with IoT from Apple, Google, Facebook and Amazon while small
competitors have a hard time getting their products to the market.

Second, you'd need give the regulatory body access to both your software and
your hardware. And what if the device is connected to some cloud server? That
body may need to look at its code too to make sure that your control server is
compliant. And what about the network? The database? Where does it end? And do
you need to re-certify each and every version of your server? What if you
introduce a security vulnerability?

Third, certification can't be a one-time deal. That protocol your lightbulb
uses to talk to the microwave oven for whatever reason? Well, someone broke
that and can now make both of them divulge your dirtiest secrets. The same
regulatory body would have to keep track of such vulnerabilities and force
manufacturers to update their devices - and what if the manufacturer has gone
bankrupt? What if he doesn't want to update these devices? Are you going to
force people to throw away their light bulbs? You'll have to, otherwise you're
back to square one in which all devices are compromised, only now it takes a
little bit longer.

Imagine the bureaucracy all of this will require.

~~~
MBCook
You’re right, it’s not easy. But even specifying hilariously trivial stuff
like HTTPS, certificate pinning, no hardcoded backdoors, and per-device random
initial passwords would probably be a huge boon. Simple security without even
talking about the problems on the service servers.

I imagine a market would appear for some of the basic software (Linux diaries,
etc) to help make things easy for small companies that do want to do it all
themselves.

I like the government idea because frankly I can’t think of anything else that
would work (outside a ridiculously improbable change in consumer behavior).

~~~
maltalex
> HTTPS, certificate pinning, no hardcoded backdoors, and per-device random
> initial passwords would probably be a huge boon

That's what I meant by check-mark security. Yes, it is better than nothing,
and by all means let's do that. It's low hanging fruit, and it should be
plucked. But in the end it amounts to little more than hanging an air freshener
on a huge pile of garbage.

I'm just pointing out that such certification might cause executives in
companies that today put more effort into securing their devices to stop
putting in that effort. If it's all the same to the consumer, why spend any
more than the bare minimum to get a check mark?

Today there's no clear bar, and a good engineering team will always be able to
convince a responsible management that they need to put effort in security.
But once that fairly low bar is set, I think that the next order from the
management will be "make our devices certifiable and nothing more".

~~~
MBCook
Just like car safety we have to keep raising the bar.

Checklist car safety means a pretty safe car these days, and the companies
that go beyond do amazing things.

------
ausjke
Something similar existed called FIPS-140, though it is hard to certify and
not a good fit for IoT.

An IoT router/firewall might be one of the solutions here, i.e. adding IoT patterns
into existing routers/firewalls to protect IoT devices, in addition to your PCs
and sometimes BYODs (smart phones etc).

It is very hard to make all IoT devices secure due to the limited resources they
have, so the first line of protection should be done on the
router/firewall/gateway I think.

~~~
zAy0LfpBZLC8mAC
OK, so how do you distinguish automatically "abuse" from "proper use" for
arbitrary devices, and how would putting the code that is able to do that on a
separate device be easier than compiling it into the firmware of the devices
themselves?

~~~
ausjke
Look, your PC and BYODs are still prone to attacks, they're much much more
powerful than those networked IoT devices, and they still need a firewall to
protect them.

I of course hope all firmware will be safe, and they should be safe as much as
possible, still, you need a more powerful device to safeguard them. Put
another way, no matter how secure my wifi-bulb is designed, I'm not going to
expose it to the internet, and I will put it behind my firewall/NAT-router.

~~~
zAy0LfpBZLC8mAC
> they still need a firewall to protect them

Why?

> you need a more powerful device to safeguard them

Why?

> I'm not going to expose it to the internet, and I will put it behind my
> firewall/NAT-router.

Why?

------
hw
As we move towards a more decentralized future, it's hard to see governments
controlling or regulating something like IoT.

Sure, the idea of billions of devices around the world connected somehow is
scary, but government regulation is not the answer. If anything, regulation
needs to be decentralized. More open source, community involvement with
reviews and discussions, more self regulation.

------
rb808
One thing that should be happening is that ISPs should have to monitor traffic
to look for DoS agents, bad bots and perhaps some common vulnerabilities, with
the ability to throttle the pipe or shut it off if problems aren't remedied.

Regulating IoT is tougher, but is analogous to licensing the airwaves.

------
nanodano
I would rather see independent (private) solutions before inviting a bunch of
bureaucratic red tape to manufacturers.

For example, someone could create a company that issued certificates of
security. Manufacturers would pay a small fee to these companies to perform
security tests and give them a certificate of security. They can put that
label on their products to provide confidence to consumers. Some products may
warrant a much higher level of scrutiny than others so there could be
different levels or different companies that offer it.

I think people will naturally choose the products that are 'certified' over
the ones that aren't, and manufacturers will have to end up doing it to stay
competitive.

~~~
gareim
Lightning cables that aren't MFi certified are still widely used. See their
presence in gas stations and other stores nationwide. Lots of "MFi certified"
cables online are likely fake. Who knows?

USB Type-C can deliver enough power to seriously damage your $1000 MacBook if
the cable/adapter is designed poorly. There is a certification process, but
most products on the market are still below-par. Below I will link a list.
Guess what, those "bad" products are still bought en masse.

This week, I discovered that pretty much all the water filters that are
popular for the type I'm looking for aren't even certified to filter out
harmful materials. NSF 53 certification exists, but it looks like the market
didn't do any research into it and trusted NSF 42, which was touted but is a
much less strict standard, filtering out odor and taste (important in its own
way). Theoretically, these filters could be passing on lead and asbestos.

Your solution _might_ work for a _part_ of the market, but it is almost
guaranteed that there will still exist a significant (if not majority) part of
the market that doesn't care about certification/prefers the cheaper product.

[https://docs.google.com/spreadsheets/d/1vnpEXfo2HCGADdd9G2x9...](https://docs.google.com/spreadsheets/d/1vnpEXfo2HCGADdd9G2x9dMDWqENiY2kgBJUu29f_TX8/pubhtml#)

------
leggomylibro
Bullshit.

What makes 'IoT' any different from an ordinary network-connected computer?
You're either saying "it's time to regulate networked computing devices" or,
"I want to carve out an easygoing regulation-free niche for _MY_ product[s] to
artificially excel in."

I try not to be needlessly pessimistic, but this article has no definition of
'IoT' beyond 'networked computer with sensor', so three guesses as to which
one it is.

~~~
MBCook
I can easily update my Mac or my Windows PC. I also know that Apple and MS
will be around for a while.

How do I update my lightbulb? Who will make updates for it? Maybe Philips will
for their product, but what about smaller OEMs? What if the company quickly
goes out of business like Juicero?

Depending on what you buy and where you buy it do people even know who made
it? Would you even know how to check for updates (assuming they exist)?

~~~
leggomylibro
You can, but you very well might not. And your desktop computer is a far, far
more valuable target in terms of computing power and network connectivity.
Should we be regulating that device as protection against your choosing or
forgetting to not follow best practices?

~~~
MBCook
> And your desktop computer is a far, far more valuable target in terms of
> computing power and network connectivity.

It’s also FAR more secure. IoT devices are often easy to hack. And while they
may not have much horsepower, they have a network connection. You won’t mine
many Bitcoins, but it doesn’t take a lot of power to be part of a DDoS.

And I have one computer, one tablet, one phone. I may have 5 smart lightbulbs,
a DVR, a security camera or two, an indoor/outdoor thermometer....

~~~
leggomylibro
Also a good point, but how would you propose that we measure 'security'? Is an
Android phone that hasn't received a carrier update in 8 months "secure"? How
about a home server running an ancient distro which long since stopped
receiving package updates?

The phone is probably a bigger concern at scale, but I have seen plenty of
families with dusty "photo storage/backup" boxes that their family's resident
IT person set up and networked when they were in high school.

------
wybiral
It is a bit out of control. I've written a small Python script [1] that finds
dozens of vulnerable devices within minutes just by checking random IP
addresses. There shouldn't be that many poorly secured devices floating around
out there. It shouldn't be that easy to find them.

[1] [https://github.com/wybiral/dex](https://github.com/wybiral/dex)

------
mbar
> there is a difference between when a hacker crashes a computer and you lose
> your data and when a hacker hacks your car and then you lose your life.

Forget about hacking your car, what about the hacker that hacks a car fleet?
What could a hacker do with a botnet of cars, each with cameras and maybe even
face recognition? How about killing off people for the highest bidder at the
push of a button.

------
m_st
I fully agree on the need for action. But I don't get why IoT should get a
special treatment compared to outdated smartphones, PCs, Macs and even video
game consoles. Any device that connects to a network is a potential target.

So what about the old iPhone 5 and MacBook Pro from 2008 we gave to our kids
for music, YouTube and getting started with computers?

------
dvddgld
Last year I wrote a report on IoT for an info sec and crypto undergrad class,
where I covered the usual flaws and explained why that’s a worrying standard
for an industry that’s about to scale up massively.

The professor's response: “this is just like all of those internet hit pieces”.
Hmmmmm.

------
chendragon
It doesn't help that most of the worst IoT devices come from China in which
case regulation seems to be ignored routinely. Things like UL and CE/FCC
markings are usually fake.

------
gtrubetskoy
One simple way to improve your security at home is to have a "guest" WiFi
network which is separate from your real one and which all these questionable
IoT devices can use.

~~~
kbenson
That doesn't necessarily prevent them from infecting each other and other
people/devices on the internet, or being used in attacks.

It's sort of like living in a neighborhood and having a rock pile you enjoy
the aesthetics of, but know it's prone to having rattlesnakes move in, and
instead of fixing the rattlesnake problem either as it happens or at the root,
just putting a wall around your property excluding the pile. Sure, _you're_
mostly safe, but when animals/children get bit, your solution starts to look
quite a bit worse.
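The point made above (a separate guest/IoT network protects your own machines but not anyone else), together with rb808's earlier suggestion that someone upstream should be watching for DoS agents, is easiest to see in code. The following is an added example, not code from the thread or from any product named in it: it applies two simple egress rules to constructed NetFlow-style records from an isolated IoT segment. The subnets (`192.168.20.0/24` as the guest segment, `192.168.1.0/24` as the trusted LAN), the thresholds, and every flow record are assumptions made up for the example.

```python
"""Egress monitoring for an isolated IoT segment (added example).

A guest/IoT VLAN keeps cheap devices away from your laptops, but it does
nothing about those devices attacking other people. The cheap complement is
to watch what leaves the segment. Two rules are applied to constructed
NetFlow-style records:

  1. fan-out: one IoT host reaching many distinct destinations in a window
     (scanning or DDoS participation)
  2. flood:   one IoT host sending a high packet rate to a single destination

A third check logs any IoT host that reached the trusted LAN at all, which
the router should have blocked outright.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.20.0/24")   # constructed: the "guest" segment
LAN_NET = ip_network("192.168.1.0/24")    # constructed: the trusted LAN
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 20        # distinct destinations per window
FLOOD_PPS_THRESHOLD = 500    # average packets per second toward one destination


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at flow start
    src: str
    dst: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst dport packets' record (constructed format)."""
    ts, src, dst, dport, packets = line.split()
    return Flow(int(ts), src, dst, int(dport), int(packets))


def analyze(flows, window: int = WINDOW_SECONDS):
    """Return a sorted list of (rule, src, detail) findings for IoT egress."""
    findings = []
    buckets = defaultdict(list)           # (src, window index) -> flows
    for f in flows:
        if ip_address(f.src) not in IOT_NET:
            continue                      # only police traffic leaving the IoT segment
        buckets[(f.src, f.ts // window)].append(f)

    for (src, _), bucket in buckets.items():
        lan_hits = {f.dst for f in bucket if ip_address(f.dst) in LAN_NET}
        if lan_hits:
            findings.append(("lan-crossing", src, f"{len(lan_hits)} LAN host(s)"))

        dests = {f.dst for f in bucket}
        if len(dests) >= FANOUT_THRESHOLD:
            findings.append(("fan-out", src, f"{len(dests)} destinations"))

        pkts_per_dst = defaultdict(int)
        for f in bucket:
            pkts_per_dst[f.dst] += f.packets
        for dst, pkts in pkts_per_dst.items():
            pps = pkts / window
            if pps >= FLOOD_PPS_THRESHOLD:
                findings.append(("flood", src, f"{pps:.0f} pps to {dst}"))
    return sorted(findings)


# Constructed sample: a well-behaved bulb, a scanning camera that also pokes the
# LAN, a DVR flooding one target, and a trusted-LAN PC that must be ignored.
SAMPLE_FLOWS = (
    ["105 192.168.20.4 198.51.100.10 443 40"]                       # bulb, normal
    + [f"100 192.168.20.7 203.0.113.{i} 23 3" for i in range(25)]   # camera, fan-out
    + ["101 192.168.20.7 192.168.1.10 445 5"]                       # camera -> LAN
    + ["110 192.168.20.9 198.51.100.5 80 60000"]                    # DVR, flood
    + ["130 192.168.1.10 203.0.113.50 443 1000"]                    # LAN PC, not policed
)


def demo():
    """Run the rules over the constructed sample and return the findings."""
    return analyze(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for rule, src, detail in demo():
        print(f"{rule:13} {src:15} {detail}")
```

In practice the records would come from the router's flow export rather than a list, and a hit would trigger a rate limit or a block on that one device rather than just a log line; the separate segment is what makes the per-device action possible without touching the rest of the house.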

~~~
gtrubetskoy
Agreed, it's definitely not foolproof by any stretch. But it's amazing how
many people enter their WiFi password into devices they really have no control
over, which can then, for example, sniff your network, slowly but steadily crack
your passwords; the possibilities are endless.

~~~
zAy0LfpBZLC8mAC
If that is a security problem, you probably have a much bigger problem anyway.
Secure passwords cannot be cracked, the public internet is hostile anyway and
you should be protecting your communication with strong cryptography. Pretty
much the only sensible reason why you should protect your internal network
from access (including sniffing) is because you might have IoT on it that tend
to have terrible security. Putting them all in the same, but separate,
network, essentially achieves nothing.

------
mediocrejoker
I always get nervous when governments create laws regarding technology due to
the relative speeds at which governments and technology evolve (slow and fast,
respectively).

------
microcolonel
Watch this go terribly wrong.

Honestly, I don't understand why consumers lack the restraint to simply _not
buy_ unfinished products, but this is where the leverage to improve IoT
security has to come from. If today's IoT devices are such a liability, then
prove it in court; but don't think that you can write a law that ensures
security instead of mere standardization.

Meticulously studying the introduction and effects of regulations in this
vein, I highly doubt they will have the intended effect.

~~~
dredmorbius
It can be all but impossible to do so (try finding a "dumb" major appliance
currently), nor can buyers determine or distinguish what is or isn't
"finished", or what will be supported in 18 months, let alone 18 years.

------
paulsutter
Require manufacturers to pay in to a bounty fund for finding exploits, and
make them responsible for fixing the exploits found.

------
zghst
Government regulation doesn’t imply that a technology will be better. IoT is a
very immature industry/technology. Adding a byzantine set of obsolete compliance
laws is a good way to hamper this industry.

If we are going to regulate, we need to improve laws for consumer electronics
across the board, with all the big players on board and participating.

------
libeclipse
Ironic that the site with the article about improving cyber-security doesn't
utilize HTTPS.

------
Havoc
Can't legislate security into existence...at least not very safely

~~~
thephyber
You seem to be suggesting a law must say "the maker of any unsafe, insecure
product is subject to 50 years of jail or $4 million".

More realistically, legislators should be crafting incentives. Establish
liability statutes. Carve out liability exceptions for companies that can show
they used industry best practices, hired engineers that are members of
professional/industry organizations, pay for ethics training, establish good
faith effort of security development (unit tests, integration tests, traffic
encryption, encryption at rest, well designed key exchange architecture,
software/firmware update architecture for at least X years after sale, etc).

Conversely, if a company does none of the above, it's easier for a consumer or
an Attorney General to bring a case against the company, even if it's years
too late to be useful.

The problem with litigation (as well as "free-market" solutions) is that this
generally doesn't happen fast enough. The security damage of IoT will be
externalized extremely quickly. Being able to identify and sue a foreign
company that is far up the supply chain from the end-product.

------
PatientTrades
Of course Schneier would want regulation in IoT. That's literally billions of
tax dollars that would go to his and other tech consulting and compliance
companies. What we really should push for is open source regulation. Naturally
government is always behind on cutting edge tech issues. Open source
regulation would improve the efficiency of regulation while saving billions of
dollars.

~~~
tonyarkles
Could you elaborate? I'm being genuine here when I say that I have no idea
what you mean by Open Source Regulation.

------
jessaustin
There are two pieces here, and Schneier (or at least this tiny summary of him)
is wrong on both.

First, yes of course automobiles are regulated and should be. The fact that
some things that are and should be regulated include embedded internet hosts
does _not_ mean that all devices that include embedded internet hosts should
be regulated. This is basic logic.

Second, holding one set of botnet victims responsible for the harms suffered
by another (overlapping) set of botnet victims is perverse. Every host should
be "secure"; very few are. A secure host wouldn't be a victim of a botnet,
either by donating processor cycles or receiving unwanted traffic. If lawyers
really need a job security program, consider that ISPs have lots of money and
they actually could reduce DOS attacks; why not hold them responsible?

~~~
username223
> consider that ISPs have lots of money and they actually could reduce DOS
> attacks; why not hold them responsible?

You could hold ISPs liable, and they would block untrusted IoT garbage at the
network level. Or you could hold IoT garbage producers liable, and they would
make security changes and/or pay ISPs to do some firewalling. Either way, the
costs and results will probably turn out about the same.

The best solution, of course, would be having fewer things uselessly connected
to the internet.

~~~
jessaustin
Yes the best solution would be if the world were perfect.

How on earth is a civilized society going to keep "useless" devices off the
internet? Who gets to decide what is useless? For example, medical devices are
notoriously insecure: what politician is actually going to get behind an
effort to make Grandma's life more inconvenient and also shorter just to
satisfy some nerds' idea of a perfect internet?

The nerds on HN disappoint. When faced with a hard problem, instead of doing
the hard work to fix it, they want to involve the lawyers...