Wednesday, February 1, 2017

The security mess that is the Internet Of Things

Bruce Schneier has a long and interesting article on the crummy security that is inevitable in the Internet Of Things:
At a recent hacker conference, a security researcher analyzed 30 home routers and was able to break into half of them, including some of the most popular and common brands. The denial-of-service attacks that forced popular websites like Reddit and Twitter off the internet last October were enabled by vulnerabilities in devices like webcams and digital video recorders. In August, two security researchers demonstrated a ransomware attack on a smart thermostat.
Even worse, most of these devices don't have any way to be patched. Companies like Microsoft and Apple continuously deliver security patches to your computers. Some home routers are technically patchable, but in a complicated way that only an expert would attempt. And the only way for you to update the firmware in your hackable DVR is to throw it away and buy a new one.
The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
He sees the only solution as being regulation.  Ugh.

I say "ugh" because a lot of what he says is hard to dispute.  Bad security is an externality.  The market won't address the problem.  Manufacturers don't care, because customers don't care, and that won't change.

Where I think Schneier goes wrong is in assuming that a new government regulatory agency would be staffed by Internet security technocrats like him.  If it were, I might be able to get behind his idea.  But the Iron Law of Bureaucracy says that those technocrats won't run things, and the agency will soon look like all the other agencies: mostly incompetent, mostly ineffective in addressing the problem, captured by the industries it attempts to regulate, and imposing very high costs on everyone while stifling innovation.

And it would be US-only - the global market is huge, and there's nothing to ensure that these "better security" regulations apply to, say, China.  In a sense, Schneier's proposal is a lot like the CO2 emission controls that have been proposed - they only apply to a small portion of the world, and externalities from other countries remain a huge problem, like smog from Chinese industry that drifts to the US west coast.

My take is that the problem is intractable this way.  A different approach is to make attack traceability easier, and hold manufacturers liable for damages.  Remove the externality via liability legislation.

Schneier still hopes that the problem is solvable:
Over the past couple of decades, we've seen examples of getting internet-security policy badly wrong. I'm thinking of the FBI's "going dark" debate about its insistence that computer devices be designed to facilitate government access, the "vulnerability equities process" about when the government should disclose and fix a vulnerability versus when it should use it to attack other systems, the debacle over paperless touch-screen voting machines, and the DMCA that I discussed above. If you watched any of these policy debates unfold, you saw policy-makers and technologists talking past each other.
Our world-size robot will exacerbate these problems. The historical divide between Washington and Silicon Valley - the mistrust of governments by tech companies and the mistrust of tech companies by governments - is dangerous.
We have to fix this.
We can't.  The FBI won't stop trying to get crypto backdoors, and the NSA won't stop collecting everyone's metadata.  See the Iron Law for why.  And so adding a new Three Letter Agency to try to solve the problem will not lead to a solution.  It won't address the problem of trust; it will almost certainly make the problem worse.


Old NFO said...

Yep, major and unsolved issue... I've had people try to hack my WEP router in DC more than once.

matism said...

I suspect that if hackers were to break into enough IoT devices, collect appropriate info on the devices' owners, and post that info for the world to see, things might change rather quickly...

matism said...

Furthermore, I suspect it wouldn't take much hacking at all if the breaks were into the IoT devices of mid-level and senior managers at the corporations who design and manufacture those devices. Posting info obtained therefrom would change the priority of security for those devices VERY QUICKLY. And I expect that other corporations making IoT would swing quickly as well, since they would understand what soon would be coming at them and theirs...