Spitballing IoT Security

Wed Oct 26 21:25:00 UTC 2016

In message <20161026120634.GA20735 at gsp.org>, 
Rich Kulawiec <rsk at gsp.org> wrote:

>On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
>>    2) Second, once elected I will decree that in future all new IoT devices,
>>       and also all updates to firmware for existing IoT devices will have,
>>       BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound TCP
>>       session initiation and which also (b) strictly rate-limits all other
>>       protocols to some modest value.
>
>I like this idea.  But unfortunately, I think it has no chance of succeeding.
>
>The makers of IoT devices are falling all over themselves to rush products
>to market as quickly as possible in order to maximize their profits.  They
>have no time for security.  They don't concern themselves with privacy...

Well, see, this is why I was clear at the outset that in order for this
scheme to work, I'll first need to be elected King of the World.

>From that high perch I will be able to decree, by fiat, that no Internet
connectable device shall be sold or marketed *unless* it has been certified
(i.e. by some reliable entity that knows how to test these things) to be
incapable of being converted into a weapon, i.e. incapable of spewing
unnecessarily large amounts of garbage at completely arbitrary targets,
*even if* an attacker somehow manages to get a shell prompt.

OK, so setting aside all frivolity now, how could this kind of restriction
actually be achieved?

Here's the thing:  Any solution to these problems is going to come in two
parts, technical and political.

We here, by and large, are not politicians, but we can influence them and
urge them towards solutions that are, workable, economically practical,
and above all, technically effective.  Or alternatively, we can leave
them to flouder around on their own, in the dark.  (We've all seen
*that* movie before, and it isn't pretty.  Think Clipper Chip and the
recent push for crypto backdoors.)  Left to their own devices, politicians
routinely screw up technology regulation virtually every time.

So the first order of business is for the industry itself to come up with
a rational approach... and virtually immediately, because the window of
opportunity is rapidly closing...  for solving these IoT problems, and
then get widspread agreement... or at least a lack of violent disagreement...
within the industry itself.  The industry can then speak with one voice
to the politicians and regulators, who will then be effectively bound to
doing the Right Thing.

Sensible regulations, once enacted in one jurisdiction, tend to be
contagious.  In my own state of California, state regulation of various
things, most notably air pollution, and the production thereof by cars,
has eventually affected the entire North American auto market and beyond,
in part because it is less economically palatable for manufacturers to
design and ship multiple configurations of any one product, i.e. one
which conforms to the regulations in jurisdiction X, and another that
doesn't.

In short, if sensible regulations requiring "safe" designs for IoT products
were to come into force in one locale, it is not only possible, but
actually quite likely that they would affect the whole market.  If a given
Far East manufacturer was required to have safety built into the kernel
of its toasters in order to be able to sell said toasters, say, in the
United States... or even just in California...  would they really go to
the trouble to strip out the additional "safety" part of their firmware
when manufacturing what is essentially the same product, but destined
for other markets?  I think not.  (A question for the audience:  How has
FCC regulation of the maximum power output of WiFi routers affected the
worldwide market for such devices, over time?  I honestly don't know, but
I suspect that there has been a good effect, over time, on the whole
worldwide market.)

It may be difficult, even among technologists, to find common ground and
agreement about what "IoT" things should and should not be able to do,
or even, for that matter, to agree on the definition of "IoT".  But after
last Friday, and even before, I think that most of us know what we *do not*
want them to be able to do, i.e. to send an unlimited percentage of their
available bandwidth towards any arbitrary IP address.  General purpose
computers, and also routers, need to be able to do that, but your bird
feeder, your lightbulb, your HDTV, your refrigerator and your home alarm
system don't.  So maybe that's a starting point.

I proposed something which is at base, really rather simple, even if, in
practice, the implementation details could get a bit complex.  Basically,
the proposal is that the kernels of all IoT devices should impose sensible
limits on outbound bandwidth usage, consistant with each specific device's
expected operational needs.  It seems to me that this is not particularly
different from other belt-and-suspenders approaches used in other safety
critical systems, ranging from medical radiation treatment devices to
nuclear power plants.  Actual engineering of the firmware-imposed safety
constraints needed in IoT devices will not, in my opinion, be very hard.

In the absence of a King of the World to impose such a requirement on all
manufacturers of IoT devices, I believe that it would be equally effective,
in the long run, to get (U.S.) state-level regulations on the books,
perhaps starting in California, just because we here in my home state
have some experience going first with a lot of these kinds of things.
A plausible alternatively would be to get the FCC on the case.  (Obviously,
the FCC already has a ton of experience in promulgating regulations whose
goal is to prevent individual devices from behaving in ways that muck up
the communications of other devices, so from that perspective at least,
it seems like a good fit.  Not that the FCC could be easily persuaded to
take on this tar-baby, but they might.)

So anyway, bottom line, I think this is do-able, both technically
and politically, and also absolutely necessary.  After the Krebs, OVH,
and Dyn attacks, is anybody in their right mind willing to stand up, at
this late date, and say that we can go on, as we have been, ignoring
these problems and just constantly racing to build bigger pipes... a
strategy which, by now, should be universally accepted as a self-defeating
non-solution?

Lincoln said "As our case is new, so we must think anew and act anew."

If you hook up a device to your local telephone or cable company which
sends fifty thousand volts down the line, you may fry your local
distribution substation, but you're not going to fry the entire
Eastern Seaboard or take down the world's largest e-commerce site
for two hours.  Even the popular news media, typically devoid of
technical sophistication, now knows that the single organism that is
the Internet is becoming more vlunerable *to itself* day by day.
The time is ripe for clear-headed action and I do hope that we will
see some.

Regards,
rfg