Spitballing IoT Security

Mark Andrews marka at isc.org
Wed Oct 26 20:58:00 UTC 2016


In message <CAF-Wqd5sO0x5muw6uPDxMXd+h1ebCCtL9Ke9uMEc7k364OfHLA at mail.gmail.com>, Ken Matlock writes:
> As a relative 'outsider' I see a lot of finger-pointing and phrasing this
> as (effectively) someone else's fault.
> 
> To me this is a failing on a number of levels all contributing to the
> problem.
> 
> 1) The manufacturer - Backdoors, hidden accounts, remote access
> capabilities, no proper security testing. No enforcing of security updates.
> 2) The end-user - No initiative on the end-user's perspective to gain even
> a basic understanding of how the device works, connects, etc. Also no tools
> or understanding of how to recognize *which* of their many devices on the
> network might be compromised and participating in the botnet. (Only
> indication they get is maybe their internet is slow)
> 3) The service providers - No effective monitoring of outgoing traffic from
> the end users to identify botnets and DDoS in a real-time fashion
> 
> I contend that all 3 levels have failed in this, and nothing has
> fundamentally changed (today it's IoT, before it was unpatched windows
> boxes, etc) in decades. We keep talking about the problem but very little
> actual action has occurred to *fix* the underlying issues.

Actually things have changed a lot in a positive direction.

* Router manufactures are using device specific passwords.
* Microsoft, Apple, Linux and *BSD issue regular fixes for their
  products and users do intall them.
* My smart TV has automatic updates available and turned on.
* Other products do the same.

Now not everyone does this sort of thing yet, but we have examples
and things don't blow up in the user's face very often.  Even in
the case the manufacture has tried to do the right thing.  The
problem had been identified and a fix issued.  Now could this have
been automated, yes.  But it does show that what is required is
getting through to manufactures and they are trying to reduce the
problem.

We need manufactures to have a working system to accept problem
reports.  We need manufactures to issue fixes to their products
once they have been reported.  This needs to happen for the entire
expected lifetime of a product.  We need the ability to have a third
parties fix problems if a manufacture won't / is too slow.

Getting this may require legislation changes.  This may require
manufactures to publish expected product lifetimes.

> - Manufacturers need to be held accountable for devices that go on the
> internet (that includes *anything* that's connected. PCs, servers, routers,
> IoT devices, etc)
> - End users need to have ways to easily see what's going on over their
> local networks, to see botnet-like activity and DDoS participation (among
> other things) in a more real-time fashion
> - Service providers need to be much more proactive in watching for threats
> and identifying/blocking them at the source, not allowing the traffic to
> flow to your peers and making it someone else's problem. Right now there's
> a financial disincentive to doing this, in both real costs (standing up
> monitoring gear/etc), and imagined (my ISP is SPYING on me!).
> 
> Until we fix all 3 of these main issues we're just going to keep going in
> the same set of circles we do every time a 'new' threat/vector comes in.
> 
> Now, are these issues *easy*? Oh, heck no!  Are they *cheap*? Once again,
> heck no! But to 'fix' this issue it will take all 3 levels being fixed.
> 
> If we continue to keep pointing fingers at "the other guy" as the root of
> the problem we're inviting external forces (Legislation) to step in and
> 'fix' the problem for us (and it will just make it worse).
> 
> My 2 cents (adjust for inflation)
> Ken
> 
> On Wed, Oct 26, 2016 at 1:40 PM, jim deleskie <deleskie at gmail.com> wrote:
> 
> > So device is certified,  bug is found 2 years later.  How does this help.
> > The info to date is last week's issue was patched by the vendor in Sept
> > 2015, I believe is what I read. We know bugs will creep in, (source anyon=
> e
> > that has worked with code forever) Also certification assuming it would
> > work, in what country, would I need one, per country I sell into?  These
> > are not the solutions you are looking for ( Jedi word play on purpose)
> >
> > On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <
> > jordi.palet at consulintel.es> wrote:
> >
> > > Exactly, I was arguing exactly the same with some folks this week durin=
> g
> > > the RIPE meeting.
> > >
> > > The same way that certifications are needed to avoid radio interference=
> s,
> > > etc., and if you don=E2=80=99t pass those certifications, you can=E2=80=
> =99t sell the
> > > products in some countries (or regions in case of EU for example),
> > > authorities should make sure that those certifications have a broader
> > > scope, including security and probably some other features to ensure th=
> at
> > > in case something is discovered in the future, they can be updated.
> > >
> > > Yes, that means cost, but a few thousand dollars of certification price
> > > increase, among thousands of millions of devices of the same model bein=
> g
> > > manufactured, means a few cents for each unit.
> > >
> > > Even if we speak about 1 dollar per each product being sold, it is much
> > > cheaper than the cost of not doing it and paying for damages, human
> > > resources, etc., when there is a security breach.
> > >
> > > Regards,
> > > Jordi
> > >
> > >
> > > -----Mensaje original-----
> > > De: NANOG <nanog-bounces at nanog.org> en nombre de Leo Bicknell <
> > > bicknell at ufp.org>
> > > Organizaci=C3=B3n: United Federation of Planets
> > > Responder a: <bicknell at ufp.org>
> > > Fecha: mi=C3=A9rcoles, 26 de octubre de 2016, 19:19
> > > Para: <nanog at nanog.org>
> > > Asunto: Re: Spitballing IoT Security
> > >
> > >     In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich
> > > Kulawiec wrote:
> > >     > The makers of IoT devices are falling all over themselves to rush
> > > products
> > >     > to market as quickly as possible in order to maximize their
> > > profits.  They
> > >     > have no time for security.  They don't concern themselves with
> > > privacy
> > >     > implications.  They don't run networks so they don't care about t=
> he
> > > impact
> > >     > their devices may have on them.  They don't care about liability:
> > > many of
> > >     > them are effectively immune because suing them would mean
> > > trans-national
> > >     > litigation, which is tedious and expensive.  (And even if they
> > lost:
> > >     > they'd dissolve and reconstitute as another company the next day.=
> )
> > >     > They don't even care about each other -- I'm pretty sure we're
> > > rapidly
> > >     > approaching the point where toasters will be used to attack garag=
> e
> > > door
> > >     > openers and washing machines.
> > >
> > >     You are correct.
> > >
> > >     I believe the answer is to have some sort of test scheme (UL
> > >     Labratories?) for basic security and updateability.  Then federal
> > >     legislation is passed requiring any product being imported into the
> > >     country to be certified, or it is refused.
> > >
> > >     Now when they rush to market and don't get certified they get $0
> > >     and go out of business.  Products are stopped at the boader, every
> > >     shipment is reviewed by authorities, and there is no cross boarder
> > >     suing issue.
> > >
> > >     Really it's product safety 101.  UL, the CPSC, NHTSA, DOT and a
> > >     host of others have regulations that if you want to import a produc=
> t
> > >     for sale it must be safe.  It's not a new or novel concept, pretty
> > >     much every country has some scheme like it.
> > >
> > >     --
> > >     Leo Bicknell - bicknell at ufp.org
> > >     PGP keys at http://www.ufp.org/~bicknell/
> > >
> > >
> > >
> > >
> > > **********************************************
> > > IPv4 is over
> > > Are you ready for the new Internet ?
> > > http://www.consulintel.es
> > > The IPv6 Company
> > >
> > > This electronic message contains information which may be privileged or
> > > confidential. The information is intended to be for the use of the
> > > individual(s) named above. If you are not the intended recipient be awa=
> re
> > > that any disclosure, copying, distribution or use of the contents of th=
> is
> > > information, including attached files, is prohibited.
> > >
> > >
> > >
> > >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the NANOG mailing list