New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices
from the come-together,-right-now dept
As we’ve pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack surface and vulnerabilities into home and business networks nationwide. Thanks to IoT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your Gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now expose your wireless network to attack.
Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale, especially if these flaws are allowed to reach critical infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what’s happening:
“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
There’s no quick fix for this problem. And as Schneier notes, it’s going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.
Consumer Reports has been one of the few organizations to try to tackle this problem, with plans to incorporate open source security and privacy testing standards into its product reviews and to name and shame companies that turn a blind eye to the issue. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was early and required public and expert assistance.
This week these groups shared a little more detail on the new effort, which they describe as the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:
“We are focused on ensuring the Standard’s maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved.”
The emerging standard would incorporate 35 different security and privacy testing criteria into product reviews, with a heavy emphasis on the obvious needs: strong encryption, no default usernames and passwords, transparency as to what data is collected and who it’s being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.
Traditionally, IoT companies have disregarded these issues in both their business models and product design, creating Schneier’s unaccountable “invisible pollution” (for example, when your cheap-ass Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDoS attacks without your knowledge or consent). Convincing companies (especially when they’re overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn’t been easy.
As such, the OTI tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that firms like the Ponemon Institute have estimated that the average data breach in 2017 cost “responsible” businesses $3.5 million. That’s before you count the costs of downtime from massive DDoS attacks like the one that targeted Dyn last year, or the costs of dealing with regulatory action over the lack of common security sense we’ve seen applied to everything from smart TVs to in-car infotainment systems.
Still, the temptation to disregard security and privacy and just move on to marketing the next IoT product in the pipeline is a siren song that will be hard to resist (especially for overseas Chinese vendors), and it’s going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.