Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Government Security United States

Schneier: We Need a New Agency For IoT Security (onthewire.io) 165

Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."
This discussion has been archived. No new comments can be posted.

Schneier: We Need a New Agency For IoT Security

Comments Filter:
  • by unixisc ( 2429386 ) on Wednesday November 16, 2016 @05:33PM (#53299983)

    Say what you will about IoT, bottom line is that it would be impossible on the scale being discussed w/o IPv6. That's not something that works fluently w/ NAT, especially given that for a lot of these things, auto-configuration would be required.

    So far from any 'agency', what is required is expertise in IPv6 security. Especially how to keep IPv6 nodes either secure, and/or undetectable to anything but approved agents. This would have to work in tandem w/ access controls as well as IPv6 address management mechanisms

    • What we need are ISPs willing to shut down participants in botnets.

      The other thing we need is a mesh network to permit the internet to actually route around censorship.

      And then we're probably going to need yet another new protocol to handle that kind of chaos.

      • Or we could just enhance IPSEC around that
      • What we need are ISPs willing to shut down participants in botnets.

        And how do we do that? Was my smoke detector DoSing the ABS website when the Australian census was last due? Or was I at my computer trying to access the damn website?

        This is not a problem that is easily solved. It's difficult to tell this traffic apart from legitimate traffic. If you can route around the problem, so can the attack rendering the new node useless. A new protocol sounds like it may be able to incorporate something in this. I look forward to implementing it in 2045.

  • We can't have different rules if a computer makes calls or a computer is in your body? I hope there are different rules. More generally it would seem that since computers are used everywhere, this new department would usurp power from every previously established regulatory body. The way this works everywhere else is that a standards body comes up with standards and they are adopted by different government agencies.
    • Agreed, that was a stupid comment. Of course an autonomous car, which os hurling toward me at 75 MPH, should have different standards than an IoT refrigerator, and biomedical devices implanted in my body should another set of standards. Perhaps the standards for biomedical implants could include also the standards for consumer electronics by reference - "In addition to the 60 points listed below, medical devices must also meet consumer electronics standard #1235 ".

  • Department of Stuff Security? Matches the other silly name...
  • They should be manufactured in the United States!

    TRUMP TRUMP TRUMP!

  • by H3lldr0p ( 40304 ) on Wednesday November 16, 2016 @05:38PM (#53300061) Homepage

    use this technology.

    Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things are near zero.

    Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.

    It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.

    That wasn't a fun conversation in the least.

    • Re: (Score:2, Flamebait)

      by tlhIngan ( 30335 )

      use this technology.

      Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things are near zero.

      Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.

      It's a distraction. A bad one. And if the recent mega-botnet attacks

    • by AmiMoJo ( 196126 )

      You are only seeing the consumer side. On the infrastructure and business side, IoT is huge. From asset tracking, to remote metering (why send people round to read every meter in the country when they can just self report once a month?) to monitoring applications (how much stress is that bridge under, are all my street light bulbs working?) there are many very useful, practical applications for IoT devices.

      And that's where the real risk is. Fridge botnets are one thing, taking out infrastructure is another.

  • Short answer: We need manufacturers of so-called 'Internet of Things' to get their HEADS out of their ASSES and stop skimping on (or skipping altogether!) security of their gods-be-damned devices! It would also be nice if they didn't make every damned thing to use 'the cloud' or otherwise require connection to one of their damned servers in order to work AT ALL.
    • by DarkOx ( 621550 )

      Short answer is we need to hold people accountable. This is a case where there absolutely should be not quite a strict liability situation but maybe negligence level where you are responsible for shit that a computer you own does unless you can show you took appropriate and reasonable precautions.

      Once that is True people will install patches, they will learn to install and configure firewalls, or they will turn the shit off and unplug the Ethernet wire from the smart tv because its to much hassle to deal w

      • Most people have trouble just putting the SSID and password in for their equipment. Talking about VLANs and firewalls is a lost cause. Then you have mischievous devices that try to use open wifi systems to at least phone home to allow remote configuration as a fallback. The only thing that works is making things secure by default, and even that is easy to screw up. Also, who are you trying to secure it from... because it is all relative.
    • Security of things that can be connected to the internet can't be done until they actually are connected to the internet. How does an internet enabled home security system know whether it's being accessed by a legitimate controller or an intruding agent? This job needs to belong to the Firewall/Gateway
      • by suutar ( 1860506 )

        The router/gateway has a part to play too. However regardless of whether the user accessing the system is legitimate, buffers should not overflow, sql should not get injected, etc. Defense in depth.

  • Wrong (Score:5, Insightful)

    by Hognoxious ( 631665 ) on Wednesday November 16, 2016 @05:39PM (#53300079) Homepage Journal

    We totally don't. Just fuck off already.

  • I really like Schneier's work in general, but if there's one answer that has to be nearly always wrong it's "We need a new government agency."

    It's also patently false that because a thing isn't manufactured here, we can't regulate it. We can (and do) regulate the import of things that aren't manufactured here. If he's talking about regulating things that are manufactured, sold, and used elsewhere but also happen to be on the internet, then we just shouldn't be doing that at all anyway.

  • Another way (Score:5, Insightful)

    by MobyDisk ( 75490 ) on Wednesday November 16, 2016 @05:40PM (#53300099) Homepage

    Most electronics in the United States are (Underwriters Laboratory) UL approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.

    We need something like UL for security.

    It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.

    • Something like UL, but focused on security, would be great.
      Insurance companies established Underwriters Laboratories and the National Fire Protection Association in order to reduce their costs stemming from fires, injuries, and death. I don't see an obviously similar group for information security. Google, Amazon, and Comcast would all benefit from reducing attacks, so perhaps they could found an organition similar to Underwriters Laboratories.

      • So every device that connects to the Internet would need to pre-approved by a group founded by Google, Amazon and Comcast? And you think this is a good idea?
        • If there were an organization similar to UL, but testing for safety and security of IT products, it's value would depend on what the group DID, not who provided the initial funding.

          Note again I didn't say these companies would test and approve products. Rather, they have an interest in having the internet secure for everyone, so they might put up some cash to seed an independent testing organization. (Example: IoT ddos attacks flow through Comcast's network, costing them money.

          History shows that they can

          • Requirements aren't only the domain of governments. So the next step is that every device that connects to Comcasts network must be approved by this "organization similar to the UL", or they won't allow it on. And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all. Are you guys really that dense? What do you think is happening here? At some point you will be only allowed to use a locked down computer running pre-approved software run
            • by MobyDisk ( 75490 )

              So the next step is that every device that connects to Comcasts network must be approved by this "organization similar to the UL", or they won't allow it on

              Almost. We are proposing something similar to how it works with electrical devices and telecommunications devices. In those cases, it isn't the power company or the phone company that gets a say, it is the insurance companies and retailers. So no: Comcast would not be able to approve things. They simply have no way to enforce this even if they wanted to.

              And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all.

              No, that is not logical, and it is not how the industry we are comparing it to works.

              At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.

              If that is the logical conclusion, then why has it not happened alr

    • by Anonymous Coward

      And these days UL requirements (generally needed in the U.S.A.) and CE requirements (definitely needed in Europe) mostly line up!
      This highlights another potential pitfall, but also goes to show that both the government and private-industry routes have been pretty successful.

      I'd lean towards a government approach in this case though (and we have examples of this like Energy Star certification) because there's not the same private incentive. You don't want an insurance claim denied because a non-UL device ca

      • by MobyDisk ( 75490 )

        So getting some kind of incentive to have devices certified seems like it will be difficult.

        Agreed! So to make this work, we need liability.

        So how about this: if your device is part of a botnet, or infects another computer - you are liable unless the device was certified by the testing agency. Hmmmm...no, that won't work. The problem there is finding out the source. If there is a DDOS from 5 million devices, nobody is going to sue 5 million people.

        So how about this: Hold manufacturer liable. We've been asking for companies (banks, etc.) to be liable for security breaches, and for software com

    • "this free-market solution may not work"

      If not, then it's not that important, really.

      I admit, I'd pay extra for devices I KNEW had been tested; the problem is what is a "successful test"? I mean, obviously the mfg are going to game around it. Besides that, what about devices that legitimately need to phone home? For example that stupid IoT thermostat that was connected to some Google server. Stupid design, yes. "Failure" (assuming it's not sending personal data) ?

      Clippy: "Oh, I see you're on a test ben

      • by MobyDisk ( 75490 )

        the problem is what is a "successful test"?

        That is what the 3rd-party testing lab determines. It's not up to the manufacturer to test it.

        what about devices that legitimately need to phone home

        The testing agency should not have a problem with a device that needed to phone home. That's a legitimate feature. The testing agency would make sure that the data was encrypted, that failed pasword attempts are limited, that there isn't a single shared password on each device, etc.

        For example that stupid IoT thermostat

        Yes!!! That's what we are trying to prevent! It had no encryption, send the user's personal information (email account, password,

  • I warned everyone years ago that we were coming to a time when only GOVERNMENT APPROVED devices would be allowed to connect to the Internet. Everyone scoffed, but this is the first step. Truly the end of personal computing is coming, fast.
  • by Tokolosh ( 1256448 ) on Wednesday November 16, 2016 @05:48PM (#53300187)

    Government involvement is not needed and will be counterproductive. Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate. There are a number of analogous examples that work well, like the ANSI, API, ICANN, IMO.

    • Actually, rather than ICANN, this sort of thing should be done by the IETF - that would fall under their 'jurisdiction', or area of both expertise and responsibility
    • Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate.

      I've heard this a few times. I'm not convinced.

      UL is "Underwriters' Laboratories." One of the things they do is look at electric devices and make sure that they won't catch fire in most conditions. This is a good thing and they have the backing of insurance companies. So if you plug in that extension cord that your brother made and it causes an electrical fire which burns down your house, when you go to your insurance company, they'll say, "Nope! We're not paying out because the extension cord wasn't U

      • In a liability situation, why would UL help? Suppose you used UL-certified light bulbs, and they were used in a major DDoS attack. You get named in the suit, and when you try to pass the liability on back the company has disappeared or gone bankrupt or is out of the country or something. The UL isn't going to indemnify me. Lots of people will have some IoT-type devices without insurance, since (at least in the US) renter's insurance wasn't all that common when I still rented. Unless people have some s

        • You miss the point. I suppose I got a bit wordy.

          Why do you buy UL-certified electric devices? Because if you use them and one of them causes your house to burn down, your fire insurance will cover you. If you use a non-UL-certified electric device and it causes your house to burn down, your fire insurance won't pay.

          Thus, I have an incentive to buy UL-certified devices. Uncle Sam does not need to get involved. This is, arguably, a good thing.

          Many people are saying that IoT devices need something akin to

  • by Anonymous Coward

    Just like electronic devices must be certified to operate within FCC or CRTC guidelines, these kinds of products should pass through a similar system to ensure compliance. All IoT devices should also conform to some network management scheme for enumeration and auditing. This just a new twist on an old system that has worked well for some forty plus years.

  • And the existing government is sooo exceptional at following it's current policy and security (re: OPM ) that we need yet ANOTHER layer of confusing, cross responsibility, finger pointing bureaucracy... ya that will solve it.
    • The problem is this though. The people that are attaching these devices are largely unaffected by this. They got some cheap device of some sort that at least somewhat does what the purchaser wants, and their own device isn't attacking their own machines.

      And the manufacturers don't care either. And even if they did, what are the chances that they would have any amount of success getting people to upgrade firmware?

  • We do NOT need a 'new agency'. Indeed, perhaps, maybe, we can use legislation to establish FTC or other regulations that require Internet-connected devices be minimally secure, as in requiring a nontrivial admin password be set, that they not be susceptible to 'trivial' attacks, and that they be manageable by owners to reestablish control.

    All of this is, sadly, patchwork, and will not solve the real problems, and establishing financial penalties will just drive manufacturers offshore where we can't reach t

    • "as in requiring a nontrivial admin password be set, that they not be susceptible to 'trivial' attacks, and that they be manageable by owners to reestablish control"

      So everyone who creates software would now need to be able to prove that to a governmental agency? Or you wouldn't allow software to be installed on Internet-connected devices unless it was pre-approved? So you couldn't attach your Linux computer (or Windows or Mac) or phone or whatever to the Internet unless it was running this pre-approved s
  • 1. Get anti virus software, free and subscription to scan a users networks by default. Find every device and test them with common pw/usernames and see what fails.
    Report that to the user and tell them to replace or update the device until it is safe on any network facing the internet.
    2. Ban the branded control software from cell phone and all app stores. If your device can be used as part of a swarm, its app gets banned and the world told why a brand cant be trusted.
    3. Work with isp. A IoT device b
    • > 1. Get anti virus software, free and subscription to scan a users networks by default.
      > Find every device and test them with common pw/usernames and see what fails.

      Go one step further. Have a government body scan the net and try to pwn and *BRICK* internet-connected everything (IOT/smartphones/tablets/desktop-PCs/servers). If it withstands the break-in attempts, it's secure. If it doesn't withstand the break-in attempts, it had no business being on the net in the first place.

      Before anybody starts ye

Have you reconsidered a computer career?

Working...