Homeland Security Issues 'Strategic Principles' For Securing The Internet Of Broken Things
from the my-smart-toaster-just-destroyed-the-internet dept
For much of the last year, we’ve noted how the rush to connect everything from toasters to refrigerators to the internet — without adequate (ok, any) security safeguards — has resulted in a security, privacy and public safety crisis. At first, the fact that everything from Barbies to tea kettles were now hackable was kind of funny. But in the wake of the realization that these hacked devices are contributing to massive new DDoS botnet attacks (on top of just leaking your data or exposing you to hacks) the conversation has quickly turned serious.
Security researchers have been noting for a while that it’s only a matter of time before the internet-of-not-so-smart-things contributes to human fatalities, potentially on a significant scale if necessary infrastructure is attacked. As such, the Department of Homeland Security recently released what they called “strategic principles” for securing the Internet of Things; an apparent attempt to get the conversation started with industry on how best to avoid a dumb device cyber apocalypse.
Most of the principles are simple common sense, such as recommending that companies, oh, actually think about security a little bit during the product design phase. Other principles are a bit ironic given the government’s behavior on other fronts, including the recommendation that companies implement encryption at the processor level for devices like the iPhone:
“Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.”
Again though, most of the recommendations are painfully basic, including actually “understanding what consequences could flow from the failure of a device,” ensuring devices are more quickly and automatically updated, and engaging in “red teaming exercises” where employees probe devices for vulnerabilities before launch. Still, just getting some of this stuff in writing isn’t a bad idea, given that most of the new IoT DDoS malware relies on something as stupid as not changing default login credentials. So there is value in just establishing some kind of core best practices (apparently incompetent) companies can look to.
As such, the DHS is clear that this is just a “first step”:
“These non-binding strategic principles are designed to enhance security of the IoT across a range of design, manufacturing, and deployment activities, and include relevant suggested practices for implementation. It is a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems. “
The problem of course is that voluntary guidelines are no guarantee that the companies involved will actually adhere to them. After all, these are companies (and IoT evangelists) that were so keen on selling hardware that they couldn’t be bothered to do the bare minimum to secure their products or acknowledge this rising, obvious problem. As a result, you have hardware like the Jidetech 720p WiFi enabled security camera, which security researcher Rob Graham noted this week can be hijacked by malware and participate in a botnet in all of five minutes after being unboxed:
1/x: So I bought a surveillance camera pic.twitter.com/HbmPzrZgFK
— Rob Graham ? (@ErrataRob) November 18, 2016
As a result, there are many security researchers arguing that voluntary guidelines simply won’t be enough. Bruce Schneier, for example, earlier this month proclaimed that the internet-of-broken-things is a clear case of market failure that will require tougher regulations if we’re going to actually solve the problem:
“An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam ?? or thermostat, or refrigerator ?? with nice features at a good price. Even after they were recruited into this botnet, they still work fine ?? you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution.”
That’s certainly not going to be good news for the regulation phobic, but Schneier argues the alternative is, quite literally, chaos:
“Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner.”
One problem of course is that U.S. regulation certainly won’t help deter the rest of the world from creating internet-connected devices that can wreak havoc on vital infrastructure. There’s also the very real concern that federal regulations would be crafted poorly, restricting sector innovation or consumers’ freedom to tinker with their own device. In fact, many of these devices have such abysmal interfaces and control systems that hacking and modifying them is in some instances the only path to actually securing them and controlling what traffic is being sent over the network.
As such, IoT regulation is going to be a debate that rages for several years, when it’s not entirely clear we have several years to waste. In the interim, the only recourse left to consumers continues to be to establish smart security in your own home and business, and continue to name and shame IoT vendors that clearly prioritized profits over human lives and the health of the internet at large.
Filed Under: cybersecurity, devices, dhs, hacking, homeland security, internet of things, iot
Comments on “Homeland Security Issues 'Strategic Principles' For Securing The Internet Of Broken Things”
It’s so good to see Bruce Schneier informing our lawmakers.
https://youtu.be/BvId5-0295U?t=1h10m11s
Re: Schneier luvs Feds
————–
Bruce Schneier often has excellent technical insights & info — but he is a political leftist with great trust /faith in government solutions to security problems.
He blocks commenters on his website who politely point out his unwarranted trust in big government.
Re: Re: Schneier luvs Feds
I’m sure all the comments being blocked were polite and not offensive in the least bit, and therefore his ridiculous censoring is not warranted at all.
Lefties have no freedoms and therefore should be forced into allowing comments while righties should be allowed to express their god given freedoms by blocking comments they do not like.
Re: Re: Schneier luvs Feds
What solution do you believe is possible, to broken IoT security, without any government regulation?
The free market isn’t going to fix this one, because it doesn’t affect the companies that make these products and it doesn’t affect the customers who buy them; it affects third parties who are completely outside the supply chain. How do you propose to fix that dilemma?
Re: Re: Re: Schneier luvs Feds
@Thad
…do tell us exactly where the government recruits all these brilliant & selfless “Regulators” who can readily solve this IoT problem ?? Are they bred in some secret government nursery?
How is it that government regulators are so much smarter than private citizens/businessmen, and totally immune to self-interest, bias, error, or incompetence?
Solutions always come from the private sector, even if funneled through government bureaucrats.
As an apparent leftist, you do not understand the complex mechanisms of voluntary cooperation in mass production/exchange and its inherent problem solving capabilities. Not enough space here to educate you.
Re: Re: Re:2 Schneier luvs Feds
I noticed you did not answer the question.
Also, you appear to be arrogant and ignorant – bad combo bro.
Re: Re: Re:3 Schneier luvs Feds
…and I noticed you did not answer the question either or discuss the general issue at all.
Your entire comment here was a personal attack upon me.
I did not attack @Thad personally. He posed a highly loaded/biased question to reinforce his point of view. I chose to respond indirectly to subtly highlight the faulty assumptions in Thad’s viewpoint/loaded-question.
Re: Re: Re:4 Schneier luvs Feds
No one asked me to answer that question, you chose not to, I commented.
Your comment was not entirely nice, now was it?
I thought “personal” attacks involved something personal, oh well.
Re: Re: Re:4 Schneier luvs Feds
Well, yes, dude, you totally did. Here’s what you said:
"You’re an ignorant, uneducated leftist. Nothing personal."
(Aside: what, precisely, do you mean by "not enough space here to educate you"? Do you think the Internet is going to run out of pages?)
I did no such thing. I repeat my question now:
There is nothing biased about that question. It is certainly informed by my point of view, but it is not rhetorical; I am not begging the question. I believe that there is no free-market solution to the problem of IoT security, for reasons which I have explained. You disagree, which you’re entitled to do.
But you have given no factual basis for your disagreement; rather than answer the question I posed, you have — repeatedly, now — chosen to criticize my viewpoint, my motives, and my education, and suggested that the question itself is somehow biased. (How, exactly, you believe the question is biased is one more thing you have chosen not to explain.)
I asked a simple question. You did not have an answer. You had the option of saying "I don’t know, but I have deep misgivings about increased regulations, because legislators and enforcers are often ignorant of technology, and subject to their own biases and self-interest." That’s what an adult would have done.
You did not do that. You thought that, if you blustered and insulted me and, inexplicably, claimed that there was "not enough space" on the Internet to "educate" me, maybe nobody would notice that you didn’t have an answer.
You were mistaken.
There’s nothing wrong with being suspicious of regulators. But I asked you a question. And if you don’t know the answer, have the guts to say so.
Re: Re: Re:2 Schneier luvs Feds
I asked you first, jackass.
Re: Re: Re:2 Schneier luvs Feds
You are assuming that reasonable people run and finance industry, and you are wrong. The majority of the captains of industry are intensely competitive, and will do in any of their peers, with whom they socialize, given a chance to increase the size of their empire.
Essentially governments is a means by which society tries to use the more reasonably sociopaths to reign in the rapacious nature of the extreme sociopaths.
Boycott
Except that won’t stop Joe Sixpack, or technophiles that are enamored by shiny.
DHS really needs to stop fapping to Orwell's 1984.
To me, this article reads as: “DHS tests the waters, with the intention of asserting itself as the defacto regulatory body for all in-home electronic devices.”
I’m relaxed to know they are on the case. I mean god forbid anyone with industry specific knowledge actually regulate the thousands of categories of commodities that will eventually be IOT enabled.
Re: “There is no market solution because the insecurity primarily affects other people”
That is why god invented litigation and criminal prosecution. What DHS is actually saying, is that there is no solution that _they_ like.
Or more to the point, DHS is looking to jump on the bandwagon and leverage the same failures in architecture the ISP’s are leveraging to violate peoples 4th amendment rights. And while they (and ISP’s) could contribute to increasing consumer security, they will not litigate or prosecute if it reduces their own unconsensual voyuerism into citizen homes. Third amendment be damned.
Solutions DO exist. The biggest threat to their adoption, is the revenue stream being generated by the consumer surveillance market. The Fed being the biggest customer therein.
So these guys are wailing about systemic failures, for which there are solutions. They just don’t like the fact that the solutions protect consumers against state intrusion, as much as criminal intrusion. So it is essentially the same issue as the cryptographic back door argument.
They want their access, and they will let everything burn until somebody offers something that endows them with additional power, and fucks everybody else. At which point they will glorify this new raping of the Constitution as the greatest security technology since underwear. And in the mean time they will use their propaganda infrastructure to delay any public shift in view related to digital civil rights.
SSDD.
Re: DHS really needs to stop fapping to Orwell's 1984.
The scariest part of your comment is that DHS might be regulatory agency, as well as an enforcement agency. That should scare even the most adamant government apologist. If such a thing were to become true, what is to stop them?
Re: Re: DHS really needs to stop fapping to Orwell's 1984.
same thing stopping them now. Absolutely nothing
Re: DHS really needs to stop fapping to Orwell's 1984.
Wait a sec .. I thought the prez elect of orange was against regulations.
Hahahhahaha – they will say anything, I’m amazed at how many believe it.
Their strategy should start with a having greater degree of transparency and building trust with the IT community. But that would make too much sense.
Re: Re:
A fair point, but the sort of people you’d reach out and build bridges to are already the sort of people who wouldn’t manufacture these kind of highly exploitable devices in the first place. They’re also not likely to enter the sector until after the government steps in to regulate it because they know they’ll never be able to make (more expensive) adequately secured devices for the same cost/price as the people who are already willing to make insecure devices.
There’s a definite element of Catch-22 to all this, unfortunately.
encrypted processors conspiracy
Or, as the conspiracy-theorists believe, they already have a hardcoded backdoor into encrypted processors and want everybody on them (for ease of access).
Re: encrypted processors conspiracy
This sort of thing is openly happening commercially at this point, though it isn’t at the core CPU. Monitors are getting built in decryptionware (whether hardware or software I don’t know), so that streams can be encrypted all the way to the display.
Video streams are serial and digital. Which means all they technically need for hardware, is two pins to transmit and maybe two pins for hardware signaling. HDMI has 29 pins. As soon as I saw the cable, (maybe 10 years ago) I knew the jig was up.
Initially you look at that and you say: “hey, fine, no biggy, people have a right to contract as they please”.
Where the problem comes in, is that in digital systems you can encapsulate anything inside of anything without too much work. So yes, you CAN put a full TCP/IP tunnel inside an MP4 stream.
So what is being billed as an encrypted video stream, could really be any kind of data stream. And it is being pumped through a box in your living room that has a mic that is listening 24 hours a day (how else does the box know it’s own name, if it isn’t digitally processing 100% of its audio input?). So these services aren’t limited to just streaming movies, and they aren’t constrained to simplex transmission. Anyone suggesting otherwise is lying.
Which is why I’ve kept all my old monitors, and will not be buying a new one, until somebody starts doing some auditing of this shit.
The economic impetus for these problems, are primarily driven by constraint of trade in the telecom sector. The monopolies have created market dynamics that are preventing product evolution at the lower layers. And so the newer more liberty preserving technologies aren’t flowing into the market as fast as the douchebag ones.
The only way to fix that is to break up the telecoms Content||Carrier. There is NO technical regulation that the fed can write, that can’t be engineered around in less time than it took to write the initial regulation. There are more of them, than there are of the Fed.
So these issues, are technological and sociological symptoms of bad economic management. Period. Full Stop. CRLF, pagefeed. Fix problem A, and problem B will eventually go away on its own.
In the mean time DHS babbles: “The economics DON’T WORK, we need a committee on committees!”. When in fact the economics CAN work. The fed is just regulating the economy wrong.
I’ve said before that some chaos is wonderful to fix broken things. Give them enough chaos and the whole world will worry about it. And if countries couldn’t care less they’ll end up blocked at the backbone level.
Re: Re:
Just to be clear and make sure I’m understanding you correctly: did you just suggest that attempting to intentionally block entire countries from accessing the Internet would be a good idea?
Re: Re: Re:
not from accessing the internet but from reaching your infra-structure. A while back a site I used to visit in the .br domain was hit by large and sustained DDoS attacks. I don’t precisely remember which country was sending most of the data but in the follow up news they said they were in the talks with their provider and that it requested a temporary block of an entire country at the backbone level so the site could come back online. Russia if memory serves. Obviously it was an emergency measure and it lasted while they could work out better solutions but at the time they evaluated the options and this was the best course of action.
So, to answer your question: no, it’s not a good idea but it will happen.
Other steps to secure the stupid internet of things: open-source hardware and free software.
I’ve said it before: Connecting everything under the sun to the internet and then wondering about how to keep it from being hacked is like removing your front door for convenience and then wondering how to stop burglars from walking into your home.
ISPs left out of Recommendations
Regulation of IoT devices is coming…We may not know the origins (industry or government or some kind of partnership or university thingy?) or the cost, but I assure you it is on its way. I hope the entire internet doesn’t have to be DDOS’ed first.
There are recent whitepapers out on it. The one I read managed to leave out ISPs and WiFi routers.
However, my ISP (Centurylink in VA) recently sent me a broadband router which allowed inbound connections on my home network by default. That’s a HUGE problem.
Yes, a certain amount of stuff is going to break when that is turned off…but it’s not stuff used by “normal”, non-technical consumers. It does mean my insecurity camera won’t talk to my smartphone from afar before the router allows it, but, like WPS, that’s an addressable usability issue.
Likewise, my home network is largely invisible to me — and I’m a programmer and design electronic hardware, so how can an average consumer have a chance?
Re: ISPs left out of Recommendations
“which allowed inbound connections on my home network by default. That’s a HUGE problem.”
Oh, that is nothing. Has anyone checked whether the transcievers in the WiFi nodes that are remote managed by ISP’s can reach down to the 900Mhz spectrum? If so they can snoop most ANALOG home phones with it from remote. Even those carried by other carriers POTS networks.
And don’t get me started on teredo.
If there are regs coming down, what you can guarantee is that they protect the monopolies, and fuck new developers. Typically it is the high volume players that are responsible for the problem, since they are the ones who are more concerned about cutting support costs. That is why they implement consumer-stupid level security. They engineer to reduce call load, and RMA count. Not to actually make good products. And that isn’t going to change because of regulation.
The nitch market players make their bones on having better support. So they tend to have better security, because their customers EXPECT it.
So you’ve got the Internet using more crypto because ISP’s and the fed are douchebags. In response the fed will mandate insecure architectures, and refer to a bunch of experts, who are anything but experts. And then they will take a victory lap, with one hand behind their back to collect cash as they circle the room. The worst companies will get more market leverage, and responsible network architecture will become a crime.
How about this. Take the number of nodes botted, find the respective vendors with the largest count, and SUE them. That WILL fix the problem. There is no need for regulation. Criminal negligence and bench law is what is required here. And it doesn’t even matter if the fed wins. The point will be made.
There is no reg the fed can pass that won’t make the situation worse. This is not an area where compromise and cronyism wins the day. You can’t build a dyke with half sandbags and half a baloney sandwiches. There are certain things that just require integrity to function AT ALL.
Which is why this is an issue the state will fuck up, and continue to fuck up worse, and worse until there is a crisis. The engineers KNOW HOW TO FIX THIS. It is the frathouse circle jerk at the executive level that is preventing them from doing it. The fed needs to look left, look right, take off the rubber gloves, and LEAVE THE ROOM.
There is no “yes but!”. Just take responsibility. This is the result of failing to take punitive action, against acts of digital pollution. Botnets are the superfund sites of the Internet. The taxpayers shouldn’t be paying for the cleanup. The guys doing to polluting should be.
Re: Re: ISPs left out of Recommendations
My! You are allergic to government regulation! I repeat: Regulation is coming, from somewhere, it doesn’t have to be from the government. If things continue the way they are, with market forces only, then, well, nice internet you have there, it would be too bad if something happened to it, Mr Krebs!
****
Your mission, Mr Phelps, should you choose to accept it, will be to use my broadband modem to capture my repsonse to a phone spam on my v-tech wireless phone handset and to repeat the exchange for the amusement of the Techdirt readership. This paragraph will self-destruct in 10 seconds.
***
Personally, I don’t think the liability approach is going to work. The courts simply take too long, the big ISP boys are all really good at avoiding liability (arbitration, anyone? Section 230?), consumers can plead ignorance, and the companies that contracted the factories and the programmers will be gone before you can sue them. Had any luck sueing anyone in China lately?
The best hope I can see is Elon Musk and SpaceX bringing true competition to the broadband market with their proposed low-orbit internet satellites.
D(ad) H(as) S(poken)
Isn’t that adorable? With zero expertise or remit in the area of network security, DHS wants to tell big companies how to keep us all safe on the Internet. My dad’s like that.
Re: D(ad) H(as) S(poken)
“Hi, we’re from the government, we’re here to help.”
What a scary thought, though those indoctrinated actually think it might be true. What drugs do they do?
Unfortunately firewalls are complicated. They tend to come with unsafe settings. When one without IT know-how, that gobbledygook looks like…well gobbledygook. What to leave open, what to close, how to do either, on which system. Either a bunch of open source programs designed to impact the firewall you have that will safe your system, and tell you how to open only what your game/program that is really needed and leave everything else closed, or some ruling that firewalls come with everything closed and instructions easy enough for Joe Sixpack to open only what he needs, and no AI that will allow for back doors that poor Joe won’t recognize (looking at you Windows).
In other words, this cannot be left in the hands of the end users. The effort must be system wide, connection to program to device, and in such a way that the end user is safe first, and manufacturers a far, far distant second.
Therein lies the issue. The question remains, how to get it implemented market wide, with or without government regulation.
Facebook, Google, Amazon, Apple collect it all
so the NSA, DHS, FBI won’t have to; thus saving the taxpayer billions of dollars.
Actually, you know, there's a lot of regulations that work
I’m basically a Libertarian, but I have to admit that there are a lot of regulations that have had the desired affect. Pollution controls and emission reductions have undeniably reduced pollution in the US. No one thinks a thing about fining companies for importing toys from China with lead paint. I think this should be exactly the same kind of thing. You sell a product that “pollutes” the internet, you should be fined. We just need the folks like Bruce to lay out clear definitions of what kinds of vulnerabilities we should punish companies for.
Re: Actually, you know, there's a lot of regulations that work
OK, here’s my starting point for a minimum:
Rule #1: Outbound connections only by default on routers and broadband modems, especially the consumer variety. There’s only one IP address for my modem, so it doesn’t “route” any IP addresses except its own, and its primary purpose is simple web browsing and possibly streaming video. If I want it to do more, I have to enable it. My broadband modem is an important firewall.
Rule #2: Nothing inside my default consumer router is visible to anything else.
Rule #3: My router will need to enable IOT connections outside my house, so it will provide a simple way with perfect forward secrecy to enable my phone to authenticate and communicate from away from home.
Rule #4: My router is an IOT, so all rules below also apply.
Rule #5: My IOT is an endpoint, not a router, and does not respond to anything that attempts to make it into a router.
Rule #6: My IOT firmware is fixed unless someone presses a button and is using the local, hardwired LAN port on an authenticated connection.
Rule #7: My IOT settings are fixed and my IOT does not accept inbound connections without an authenticated connection. A true random password on the label is sufficient.
Rule #8: All password attempts are rate limited and take 2.9 to 3.2 seconds each, randomly. [Tries to minimize data leakage; knows his solution isn’t perfect]
And a few more I have missed…in my flameproof, silver llame tinfoil hat!
If we want to make this happen, we’ll nerd a little bit and see some really good graphical UIs demo’d on common hardware that everyone can get behind and copy. My mother needs to understand the UI, as does my congresscritter if he’s so inclined.
Building user interfaces for the computer OWNER is the new research frontier. It’s 80% of the computer security problem.
Re: Re: Actually, you know, there's a lot of regulations that work
It is inappropriate to consider the Internet a product that exists above OSI layer 3. It is equally inappropriate to rely on anything predicated on the carrier accessing the traffic above OSI layer 3.
There is a point where the carriers responsibility ends, and where citizens civil rights begin. The most conservative demarcation point to split the two is between OSI layer 3, and OSI layer 4.
What needs to happen is TCP and UDP need to be replaced universally with an open protocol stack that conceals service type, and transmits using public key crypto by default. Then the whole DNS system needs to be replaced with a peer to peer block chained resource registry system, that runs at layer 4, instead of at layer 7 where DNS currently is today.
Most of the problem stems from the assumption that the OSI model was correct. It wasn’t. Layers 4 and 5 are transposed. The reason we can say that, is that the first piece of meta data that isn’t required for delivery, exists at layer 4.
This meta data (port numbers, sequence numbers, window size etc.) requires no evaluation by the carrier in order to complete delivery. And therefore evaluation of it by carriers constitutes an unnecessary intrusion into the citizens communications. Yet carriers evaluate, log, and modify in transit, this part of consumer communications regularly.
If we consider crypto as a session layer function (layer 5) then we can say that transposing layer 4 and 5, solves that problem. All meta data other than that required for delivery would be encrypted and concealed from the carrier. Which it should be. But more importantly it makes the need for defining legal regulations obsolete, since the technical demarcation point (between carrier delivery requirement and citizen civil rights), would preclude regulatory demarcation points. The digital implementation, would be in direct conformance with Constitutional principles.
The problem isn’t with the software. And really it isn’t even with the fundamental protocols that make up the Internet. (though that is what must be re-engineered) The problem is that the technology conceals the actual disposition of interpersonal communications, from reasoned debate. People feel enamored or threatened by the technology, and it blurs their focus.
This isn’t a technical problem that needs to be solved legally. It is a legal problem that needs to be solved technically. We can not expect to always act honorably. We can only engineer a network that compels us to do nothing else. In that way our challenge as network engineers, is very similar to the legal challenge debated by a bunch of terrorists in Philadelphia, in 1776.