If the security of Internet of Things (IoT) devices is one of tech’s big worries, how might this be turned around?
In the UK, the Government just published new details of its surprising and unfashionable answer – a sticky label.
Called ‘Secure by Design’ since first being mooted in 2018, this won’t simply be a nice to have sticker. In time it could become a legal requirement to display it on anything sold with IoT features, such as internet TVs, home security cameras, IoT toys, and home appliances.
Right now, the legal bit remains an aspiration subject to further consultation, but legislation appears to be on the cards at some point, perhaps by next year.
Rather than get mired in complicated security concepts, Secure by Design cleverly zeros in on three fundamental problems that bedevil IoT devices and device security in general.
“IoT device passwords must be unique and not resettable to any universal factory setting.”
The industry has been getting better at avoiding this pitfall in recent years (witness the way broadband routers now ship with unique admin and Wi-Fi passwords) but a lot of mass-market IoT gadgets still ignore this simple principle.
“Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.”
A simple and radical suggestion – if you make something there should be a way for researchers to tell you that something’s broken in it that needs fixing. There’s plenty of anecdotal evidence that some mass-market manufacturers at least, are completely oblivious to this concept.
“Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.”
This is where things become uncomfortable for device makers. The first two above require a change of culture but wouldn’t cost much to implement. This one, however, could be a sticking point.
Big brands such as Google, Apple and Microsoft already offer a clear indication on the life expectancy of their products, but they are the exception rather than the rule. For most product makers, the idea of a defined life expectancy with a legally binding update schedule to maintain is anathema, because it adds ongoing costs that play havoc with their investment model.
Notice that Secure by Design doesn’t, as it stands, tell makers how long this should be, simply that they should be upfront about their intentions.
Good luck to anyone who can figure out a sure-fire way of putting that into practice. The danger is that device makers come up with clever ways to downplay its importance or hide the information in small print.
A waste of time then?
The idea of government imposing national security standards on equipment is still alien to an industry built on easy investment, time-to-market, and barely any regulation beyond that required for electrical safety.
And yet security standards that get their timing right have a habit of becoming de facto, a good example being the way stringent cybersecurity regulations in tiny Singapore have influenced compliance standards far beyond its borders.
Once a higher standard has been set, larger manufacturers with economies of scale often buckle down and treat it is a useful guide. The fact that the UK Government says it has taken input on Secure by Design from Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand is encouraging.
Let’s see whether Secure by Design’s code of practice gets watered down or ends up being optional. But cynics shouldn’t assume it will.
Some will argue that had governments laid out stringent security regulations in advance of IoT being invented, investors would have shied away from investing.
Then again, had that happened there would also be no IoT security problem to worry about. To borrow an old adage: if you think security is expensive try living in a world that doesn’t have any.
Tony Gore
Public point of disclosure should not be underestimated. However, it must include an obligation to respond. Twice in the past I came across flaws with a bank’s online systems and it took me a year to get them to do anything – I had to report them to the banking ombudsman to get them to talk to me. The three principles make sense, but there also has to be some form of oversight to ensure compliance. And how do we stop non-compliant devices bought by people online? It would be much better if this was an EU wide initiative, then it would have a lot more force behind it.
James
Requirements like this would be insane. Why not just provide a quick path to something like a certification of compliance allowing manufacturers to put some restricted usage badging on their products? Or, and I don’t agree with my own next suggestion here but it’s at least simpler and less damaging to commerce than arbitrary requirements which won’t necessarily make sense to enshrine forever, require manufactures that do NOT adhere this law to conspicuously disclose in some not less than X% of each packaging face sized badge that saying ‘does NOT meet xyz big government requirement’?
David Pottage
There needs to be some sort of stick on the minimum commitment to supply security updates, as otherwise vendors will either promise only 30 days, or will conveniently go bust after 6 months only to be replaced with another company at the same address with the same directors & employees.
To prevent stupidly short support time frames, I would allow ISPs to refuse service to end users running IoT devices that our out of support, and encourage them to do that with some legal liabity if case of botnets and the like. It should be easy to create an automatic reporting system with a magic IP address that all devices are required to connect to every week or so reporting their make, model, firmware version and the date when support expires. At the ISP end that IP address would be routed to an ISP owned server that records everything in a database, so in case of a botnet it is easy to get a list of users with vulnerable hardware.
To prevent manufacturers conveniently disappearing to avoid their responsibilities, how about requiring them to put their source code into escrow. If they go bust, or otherwise fail to provide the support they should, their code enters the public domain. That sort of thing would not be a problem in the case of real bankruptcies, but would discourage fake ones.
Paul Ducklin
It’s not the source code (though it would surely help) you need, it’s the private keys to unlock bootloaders, sign your own firmware, and so forth.
As for regulations requiring ISPs to collect yet more data about me and my network and stuff it into yet more cupboards where it will be kept in case Her Majesty’s Government figures out it might be useful in the future…
…I’d rather be more cautious in my hardware purchasing decisions up front and take the risk of buying a device that turns out to have been a waste of money.
I’d like to opt out right now from any process that permits, let alone encourages or mandates, ISPs to cut me off on the basis of telemetry such as ‘what version string is in that camera’ or ‘what firmware version seems to be in that router’. Considering that the router provided for me by my ISP hasn’t had any firmware upgrades in more than five years, and ships with a telnet server turned on by default, I’m not convinced they’re *quite* the right people to be appointed as anyone’s cybersecurity investigator, let alone to be allowed to cut me off for ‘perceived firmware offences’.
Wilderness
I appreciate both David’s and Paul’s comments here. It seems that security needs to be more built-into the Internet in order to stop DDoS attacks, sinkhole C&C servers, block fraudulent login attacks at the source, etc. If we don’t make security a part of the Internet itself, I don’t see how order can win.
John McLeod VII
They missed a few, the most glaring of which many IoT manufacturers haven’t gotten right.
Device login credentials should never be stored in clear text anywhere at any time.
anonymous coward
When “Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand” conspire with politicians and civil servants to enact regulations that raise the barrier to entry for upstart manufacturers and innovative developers, we should be alarmed. Nothing good comes from that process.