
Creating a ZigBee Chain Reaction - nanis
https://eprint.iacr.org/2016/1047
======
SkyMarshal
Security is expensive for vendors to implement, so they externalize the risks
to their customers and society in general. To reverse this dynamic, "insecure
by default" needs to be more expensive than "secure by default".

It seems simplest for the Govt to avoid trying to mandate detailed security
standards for continuously changing tech, and rather simply make the vendors
legally liable for damages and let the market evolve effective standards and
practices.

However, constructing effective legislation/regulation for doing so is a
non-trivial legal challenge. Simply proving when the vendor is liable vs a user
could get tricky, as well as estimating damages and divvying them up among
multiple vendors if damages involved products from multiple vendors. Among
other things.

Anyone, especially lawyers, have insight on best way to fix this problem?

~~~
rapsey
> It seems simplest for the Govt to avoid trying to mandate detailed security
> standards for continuously changing tech

Govs can do a lot of broad legislative rules that are non-specific.

The software industry requires a legislative bitch slap like the auto industry
received. These rules would wreak havoc on the industry but if you ask me for
the better.

- Are you running unpatched software exposed to the internet for which CVE
patches exist? Pay a fine every day until you do so.

- Ban IoT devices that do not have automatic signed software updates over
encrypted channels (which would probably ban all current IoT devices).

- Ban all IoT devices without crypto capabilities. Must have a hardware RNG
and a set of standard crypto algorithms.

- Does an IoT maker have a CVE and has not patched all their devices in X
amount of time? Daily fine.

- Are you a vendor who has not patched a CVE for your software after X amount
of time? Pay a fine every day until you do so.

~~~
sametmax
Cars kill people. At worst current IoT lets a pirate control your light bulbs,
see your heartbeat or record your sleep patterns, waste your food and listen
to your music.

This won't interest anyone.

For this to start seriously motivating people, you'll need:

- even more numerous DDoS, with more expensive consequences. Companies are
affected so they act.

- scandals with naked people, preferably famous ones or underage, or both.
People that get the media talking.

- money stolen. A lot, to bother insurances.

- people dying. Scaring the public always works. E.g.: a fire started by a
pirated IoT device.

Otherwise nobody is gonna bat an eye.

We don't live in a world where most companies do the right thing because it's
the right thing. Remember that tobacco companies used to run ads to show you
how cool your life is with cigarettes while lobbying Congress to state how
non-dangerous to health it was. Remember that people are putting their entire
life on systems with text analysis, geolocation and face recognition and they
don't see the big deal in it. Remember that the government spies on every
citizen, considers it perfectly acceptable, and that the citizens let it.

So really, the fact that your connected fridge has an open telnet port is not
going to move anyone.

You need damage done to get a reaction. Not potential damage.

~~~
flukus
> Cars kill people. At worst current IoT let a pirate control your light
> bulbs, see your heart beat or record your sleep patterns, waste your food
> and listen to your music.

Once your home network is compromised it's much easier to infect other
computers on it; a lot of IT people don't even run firewalls on PCs anymore.
We largely rely on a single line of defense for home cyber security.

A compromised device becomes a launch pad for a bunch of other attacks, like
data collection and credit card theft. Imagine how many pedophile rings would
love to remotely watch kids using a built in webcam? All without the family
ever knowing.

Or you could simply use them to stream illegal torrents.

~~~
sametmax
I said "Cars kill people", not "cars could kill people".

You are talking about potential. People don't care about that.

Potential that I mentioned by the way, with "scandals with naked people,
preferably famous ones or underage, or both."

They will care only once pedophiles have watched THEIR kids using their
webcam. Repeatedly. With media coverage.

Not before.

~~~
rapsey
> You are talking about potential. People don't care about that.

What people care about is irrelevant. What should be legislated for the better
of all is another matter. Car safety laws were unpopular with a lot of regular
people as well.

~~~
sametmax
That's fair but it was because dead people cost money.

------
sametmax
Security should be embedded in the IoT frameworks and should be easy for it to
become the standard practice.

But most IoT stuff is hacked on, rarely using anything standard, and even
when there is a framework involved, it seldom has security as a main feature.

Even when it does, it's still a lot of work. Take crossbar.io, which is my
go-to tool to communicate within an IoT context (or anything soft real time
really). To secure it you need to:

- set up the TLS certificate. Default communication transport is over
unencrypted websocket.

- configure the provided authentication service (and write a backend for your
system).

- declare several realms to isolate the clients, and configure the
permissions accordingly (default permissions are YOLO, to ease the "hello
world", which I understand). Make sure you don't expose important RPC to the
wrong clients or allow anybody to declare callbacks.

- manually code the procedure to use their hot reload system to swap code
updates. It's made for local updates, not remote ones.

- be very careful when updating your clients. Crossbar routed RPC is
transparent and it's tempting to replace a call from JS to Python with a call
from JS to Postgres to remove a layer of indirection. But do you make proper
permission checks in your SQL? Are you sure you don't expose too much?

So basically, you can make it secure. But only if you know what you're doing
and don't have a deadline tomorrow.
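As an added example (not from this thread and not the crossbar.io project's own code), here is a Crossbar.io node configuration covering the first three steps listed above: a TLS-only WebSocket transport, a mandatory authentication method, and two realms whose roles get explicit permissions instead of the permissive defaults. Key names follow the Crossbar v2 JSON config schema as I know it and should be checked against the schema of the version you run; the realm names, role names, `com.example.*` URIs, certificate paths and the `com.example.authenticate` procedure are placeholders. That procedure is the "backend you have to write" from the comment: Crossbar calls it with the realm, authid and ticket a client presents, and it returns the role the client gets.

```json
{
  "version": 2,
  "workers": [
    {
      "type": "router",
      "realms": [
        {
          "name": "iot_devices",
          "roles": [
            {
              "name": "sensor",
              "permissions": [
                {
                  "uri": "com.example.telemetry.",
                  "match": "prefix",
                  "allow": {"call": false, "register": false, "publish": true, "subscribe": false},
                  "disclose": {"caller": false, "publisher": true},
                  "cache": true
                }
              ]
            },
            {
              "name": "backend",
              "permissions": [
                {
                  "uri": "com.example.telemetry.",
                  "match": "prefix",
                  "allow": {"call": false, "register": false, "publish": false, "subscribe": true},
                  "disclose": {"caller": false, "publisher": true},
                  "cache": true
                },
                {
                  "uri": "com.example.control.",
                  "match": "prefix",
                  "allow": {"call": false, "register": true, "publish": false, "subscribe": false},
                  "disclose": {"caller": true, "publisher": false},
                  "cache": true
                }
              ]
            },
            {
              "name": "operator",
              "permissions": [
                {
                  "uri": "com.example.control.",
                  "match": "prefix",
                  "allow": {"call": true, "register": false, "publish": false, "subscribe": false},
                  "disclose": {"caller": true, "publisher": false},
                  "cache": true
                }
              ]
            }
          ]
        },
        {
          "name": "public_dashboard",
          "roles": [
            {
              "name": "viewer",
              "permissions": [
                {
                  "uri": "com.example.public.",
                  "match": "prefix",
                  "allow": {"call": false, "register": false, "publish": false, "subscribe": true},
                  "disclose": {"caller": false, "publisher": false},
                  "cache": true
                }
              ]
            }
          ]
        }
      ],
      "transports": [
        {
          "type": "websocket",
          "endpoint": {
            "type": "tcp",
            "port": 443,
            "tls": {
              "key": "/etc/crossbar/server.key",
              "certificate": "/etc/crossbar/server.crt"
            }
          },
          "auth": {
            "ticket": {
              "type": "dynamic",
              "authenticator": "com.example.authenticate"
            }
          }
        }
      ]
    }
  ]
}
```

Two points worth checking when adapting this. First, no `anonymous` authentication method is configured on the transport, so a client that does not present a ticket is refused instead of landing in a default role with full permissions (the "YOLO" default the comment refers to). Second, realms do not route to each other: a `viewer` on `public_dashboard` cannot subscribe to `com.example.telemetry.*` or call anything registered under `com.example.control.*` on `iot_devices`, so anything the dashboard is supposed to see has to be republished there on purpose by a backend session that joins both realms. Only `sensor` may publish telemetry and only `backend` may register procedures, which is the "don't allow anybody to declare callbacks" item. The hot-reload and client-update steps from the comment are operational practice rather than configuration and are not covered here.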

~~~
bsder
> Security should be embedded in the IoT frameworks and should be easy for it
> to become the standard practice.

To be fair, almost all of the security libraries suck. The only thing which is
_SMALL_ and solid is DJB's TweetNaCl
([http://tweetnacl.cr.yp.to/](http://tweetnacl.cr.yp.to/))

If I'm running on a Nordic nRF51 series, for example, things like SSL/TLS are
a _HUGE_ chunk of my RAM, ROM, battery, and time budgets. This exploit is a
good example. Even if you wanted to use something like a public/private key
system, it's not clear that the Atmel SoC could handle it.

In addition, there are still gaps in security libraries that we need. We don't
have a good PAKE (password authenticated key exchange) library, for example.
HomeKit standardized on SRP with a 3072-bit key, and then discovered that it
was too heavyweight and slow for devices working with a lithium coin cell
battery. Even Microsoft with AllJoyn had to deprecate SRP and switch to a
non-standardized elliptic curve key exchange to better match tiny hardware.

The crypto folks are falling down on the job here. These things aren't
standardized, and they don't seem to have been beaten on very hard. And they
certainly haven't been tested on small hardware very much.

Everybody can bitch about security, but until someone figures out the tools
required for these small systems, it's going to remain the wild west.

~~~
sametmax
Well you said it.

There is a reason IoT is not secured. It's hard to make thousands of connected
devices with few system resources, connected on foreign networks in
heterogeneous contexts, secure.

~~~
catdog
Then simply do not connect thousands of such devices if you can't handle it…

~~~
sametmax
Yeah. And to avoid theft, simply don't acquire things that are not yours.

~~~
pythonaut_16
A better comparison would be: to avoid theft, don't build your house out of
toothpicks that can't support a deadbolt door.

~~~
bsder
And yet we built houses out of such materials for thousands of years.

Security has two problems: technical and social.

The technical problem will eventually get solved as transistors are almost
free. We are integrating hardware accelerators into almost everything since
transistors are so cheap.

The social problem isn't so easy. Companies don't give a crap about security.
Only when companies start losing 25% of their stock price after a breach will
they care.

------
jrockway
While reading this, I went looking for the ZLL master key. What surprises me
is that it got DMCA'd everywhere, including Hacker News:

[https://news.ycombinator.com/item?id=9249841](https://news.ycombinator.com/item?id=9249841)

And there was really no outrage about it. Very strange.

~~~
ktta
It's amazing how 16 bytes of data can be under copyright.

Not arguing, just pointing out how there can be a DMCA request for something
so small, citing copyright laws.

Reminds me of the AACS controversy when people started printing keys on
t-shirts, and illegal numbers were born.

~~~
Sanddancer
John Cage's 4'33" is silence that is under copyright, and has been the subject
of legal controversy.

[http://edition.cnn.com/2002/SHOWBIZ/Music/09/23/uk.silence/](http://edition.cnn.com/2002/SHOWBIZ/Music/09/23/uk.silence/)

~~~
fjdlwlv
Different issue.

4'33" is a recording of the audience, not silence. I studied it in a music
class in school.

Cage's estate's infringement claim on "silence" was not upheld by a court.

The defendant on that suit put Cage's name on the album as a songwriter, of
his own accord.

------
Paul_S
I don't work in the IoT department but they use our chips and I can guarantee
you that if you make security a legal requirement my company will not hire
more engineers, they will hire more lawyers.

~~~
mirimir
OK, but then lawyers will say to hire more engineers.

~~~
Paul_S
I genuinely can't tell if you're joking.

In case you're serious:

No, they will work on some legal dodge to avoid the liability. The company
does not see it as a technical problem.

~~~
mirimir
OK, I was joking, a little.

If the regulations are crafted properly, legal dodges won't make the nut.
Firms that go that route will fail.

------
bgentry
previous discussion was here:
[https://news.ycombinator.com/item?id=12893793](https://news.ycombinator.com/item?id=12893793)

Though the report does say it was recently updated, unsure what the diff was.

~~~
notthetup
Yea.. Is there a good way to find the diff? Only if research papers were
published on git :P

------
mahyarm
ZigBee / Z-Wave are just getting started in their WEP everything stage. Most
of the installed base is unencrypted. It will take many more years until they
are at WPA2 levels of robustness.

------
mirimir
Wow. That's awesome. The first WiFi worm, I think.

Think of the art that's possible with this. You could create city-scale
images. Maybe larger, in high-density areas.

------
modeless
IoT is a bad vision for the future. 20 years from now I don't want a million
devices in my home running software. Either they'll all constantly be
pestering me with updates that break functionality I rely on, or they'll be
out of date with bugs and security holes that last forever.

My vision of a good future is one where I have exactly one smart device: a
robot butler which will operate all my other devices. I don't need a smart
lock if the butler unlocks the door for me. I don't need a security webcam if
the butler monitors the house while I'm away. I don't need a smart thermostat
if the butler sets it for me. Etc.

~~~
colechristensen
Meh, I'm much more interested in a future where all my devices aren't "smart"
but they all include an API contract regulated by an org akin to UL or FCC
backed by legislation providing legal remedies to security and usability
deficiencies. It's not about _if_ legal regulation will come to software but
_when_, and the further in front of it hackers are, the better the future can
be.

------
rochellle
I don't know why, but I kind of want to see a truly gargantuan IoT debacle
unfold at this point.

Something beyond stupid, and completely preventable, and all the more
horrendous, because at this point, it can only be funny.

I want to see something like a TV commercial accidentally trigger a home
automation system, which corrupts the operation of a class of light switches,
which cascades onto smart microwave ovens, which transmit kill signals to
self-driving cars which synchronize with flying cars at which point they all
swarm the nearest hospitals and explode, demolishing trillions of dollars of
health care, and imploding society because of failed credit default swaps on
all of the health care insurance (even obamacare), which then causes automated
trading platforms to sell, killing off everyone's 401K's, destroying the
retirement plans of all survivors, such that the living envy the dead.

Can we make that happen?

IoT is retarded.

~~~
virmundi
Hyperbole, or just wanting to watch the world burn, aside, why is IoT, as an
idea, retarded? It seems to me that having the underlying platform for secured
communication to semi-smart technology is good. If my house could
intelligently govern itself within a set of parameters I define that fit my
life, I bet I could save a few bucks a month on power, not have as much food,
and help the environment in my own little way.

I do see the idea of IoT with no security and no long term commitment to the
products as actually, technically retarding (we'd be worse than we are now for
the reasons you enumerated). Could you make an argument for your last statement
as to why a good implementation of IoT is bad?

~~~
pdkl95
> why is IoT, as an idea, retarded?

The usual complaints about IoT as an excuse for surveillance capitalism aside,
the key problem with IoT in _most_ products is the (currently obscured) costs
do not outweigh the (often novelty) benefits. By benefits I mean actual,
significant time or effort savings that need to outweigh the large risks
inherent to anything IoT.

> underlying platform for secured communication

That illustrates a big part of the problem. There is no such thing as a
"secure platform", because "Security is a process, not a product."[1]

The internet is and will always be an incredibly hostile place. If you plan on
internetworking on the shared global network _or_ anything that connects to it
in any way, you need to plan on a way to maintain vigilance over the devices
you created or are responsible for. This means continuous work into the
future[2].

> I bet I could [...beneficial outcomes...]

You're only listing the positive side. To judge IoT properly you also need to
enumerate the _known problems_ and _possible risks_. A few examples of the
risks that most IoT devices bring are:

* The other end of the supposed "secure communication" being compromised by governments, criminals, disgruntled workers, etc.

* Bugs (everything has bugs) allowing assholes of the "swatting" persuasion messing with your power, food, _etc_ "for the LULZ".

* All that data being logged - even when stored locally - becoming the target for discovery in a trial (maybe involving you, maybe not).

* The manufacturer of your IoT device selling data to your insurance company, or your insurance company requiring that data from you directly (e.g. fitbit data for "cheaper" insurance that now has more ways to deny you coverage).

Those are just some obvious examples. The real problem is that after data is
collected it tends to be permanent. Nobody has thought of the _big_ risks of
plugging your devices into a hostile network. You see the _potential_ benefits
of IoT devices, but you also need to consider what some black hat (or script
kiddie) will do with all of those devices, and the data they collect, in 10+
years with a clever new exploit.

[1] https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html

[2] It might be possible to limit this with products that have a limited
lifespan and are guaranteed to leave the network.

~~~
virmundi
All the things you listed are things to be planned for. None of them are
extremely terrible in and of themselves with the proper vigilance. Even the
data logging should be solvable with reasonable laws.

Apply the general argument to personal computers. Anyone can attack your PC.
Once pwned, they can get valuable information. Your IP could be wrongfully
associated with a crime, which brings Johnny Law to your door. Given all of this,
I still assume you see the idea of being connected via a PC as a good thing
since you wrote a response via a browser.

My question was essentially, why dismiss something whole cloth? You raise
valid things to consider, but I don't think that any one of them is a death
stroke to IoT. They are, at least in my opinion, design considerations for
products that make sense.

~~~
pdkl95
> proper vigilance

You seriously expect the average person to have anything close to "proper
vigilance" with a collection of IoT devices?

> reasonable laws

I'd absolutely _love_ to see strong data protection laws passed, but that
isn't likely in the near-ish future. Also, laws don't protect against bugs.

> All the things you listed are things to be planned for.

The worst problems in a new, _unexplored_ area are the unknown/unexpected
problems. You believe these data risks are minor (I strongly disagree), but
how can you even begin to make that kind of judgment? Data persists and CVEs
increase with time; how can you be certain that your data (which includes
access credentials, e.g. SSL keys/certs, passwords) won't be stolen off some
server (or your home devices) 20 years from now?

These are huge, unknown, open-ended risks that could suddenly become a problem
at any point in the future.

> personal computers

The PC isn't tied to sensors around the house, with the ability to control
various important hardware. The thermostat (Nest) is an obvious example: it
_should_ be a trivial device, because simplicity is one of the better ways to
guarantee reliability. Adding massive complexity and network access left a lot
of people with a freezing house[1]. My PC isn't tied to important things like
the thermostat, because adding risk for effectively a nerd toy, social status
symbol, and (allegedly) minor heating-bill benefits isn't a good trade-off,
and it's terrible security.

The PC _is_ a risk, but it can also serve as a place to _contain_ the risk of
being connected to a hostile network.

> why dismiss something whole cloth

I'm not: "...the key problem with IoT in _most_ products is the ... costs do
not outweigh the ... benefits."

Internet connectivity can work if the benefits sufficiently outweigh the cost
of having to actually secure the device _and_ remain vigilant and responsive
to new security issues for the lifetime of the device. This is expensive, and
approximately nobody is doing that right now. I also find it hard to believe
that anything remotely similar to the current IoT _toys_ on the market can
ever be profitable enough to pay for their own security. There may be
exceptions, of course, but they will be expensive (in some way) and rare.

[1] https://www.nytimes.com/2016/01/14/fashion/nest-thermostat-glitch-battery-dies-software-freeze.html

------
Kenji
A lot of people are calling for government action against IoT. Think twice,
people. You are undermining your own profession (and I don't just mean IoT, I
mean software engineering in general). The laws the state will come up with
will not be great, they never are, and they will stifle innovation. The
internet is pretty darn stable, I don't think we need good old state to tell
us how to write software, we will fix our problems ourselves as we have in the
past.

~~~
lolc
What do you think about IoT devices with powerful motors that are able to kill
people?

Or conversely, what do you think about current regulations regarding cars and
aircraft?

