Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

from the the-looming-global-IOT-shitstorm dept

If you hadn't noticed, the incredibly flimsy security in most Internet of Things devices has resulted in a security and privacy dumpster fire of epic proportions. And while recent, massive DDoS attacks like the one leveled against DNS provider DYN last year are just one symptom of this problem, most security analysts expect things to get significantly worse before they get better. And by worse, they mean dramatically worse: these vulnerabilities are going to result in attacks on core infrastructure that will inevitably result in human deaths... at scale.

Estimates suggest that 21 billion to 50 billion IoT devices are expected to come online by 2020. That's 21 to 50 billion new attack vectors on homes, businesses and governments. And many of these are products that are too large to replace every year (cars, refrigerators, ovens) but are being manufactured by companies for whom software -- and more importantly firmware updates -- aren't a particular forte or priority.

To date, there are a number of solutions being proposed to tackle this explosion in poorly-secured devices, none of which seem to really solve the issue. Agencies like Homeland Security have issued a number of toothless standards that the companies making these poorly-secured products are free to ignore. And efforts at regulating the space (assuming regulators could even craft sensible regulations without hindering the emerging sector in the first place) can similarly be ignored by overseas manufacturers.

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

  • A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
  • A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
  • A minimum time limit for users to install patches or upgrades; perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job, that overseas companies would be consistently willing to comply, or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet-connected devices worldwide.

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected for 2020 is expected to balloon to 82 billion by 2025.
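As an added illustration (not part of the original article, and not code from Clark or any vendor), the Python sketch below shows how a network operator could turn the three requirements above, plus the network-side "spot, de-prioritize, or quarantine" idea, into a mechanical inventory check. The device record schema, the sample inventory, the 90-day vendor patch window and the 30-day owner install window are all constructed assumptions; the "firmware expiration date" is modelled as a `support_until` field after which a device is treated as unsupported regardless of its patch state.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy windows: constructed assumptions for this example, not figures from the article.
VENDOR_PATCH_DEADLINE = timedelta(days=90)  # vendor must ship a fix within 90 days of disclosure
USER_INSTALL_DEADLINE = timedelta(days=30)  # owner must install within 30 days of release
AUDIT_DAY = date(2017, 6, 1)                # constructed "today" for the sample run


@dataclass
class Device:
    """One inventory record for an internet-connected device (constructed schema)."""
    name: str
    upgradeable: bool                # can the firmware be patched at all? (requirement 1)
    support_until: date              # firmware "expiration date": last day the vendor commits to fixes
    vuln_disclosed: Optional[date]   # when a known vulnerability affecting it was disclosed, if any
    patch_released: Optional[date]   # when the vendor shipped a fix, if any (requirement 2)
    patch_installed: Optional[date]  # when the owner applied that fix, if any (requirement 3)


def classify(dev: Device, today: date) -> str:
    """Return the network-side disposition: 'allow', 'deprioritize' or 'quarantine'."""
    if not dev.upgradeable:
        # Requirement 1 violated: nothing can ever fix a known bug on this device.
        return "quarantine"
    if today > dev.support_until:
        # Firmware has expired: the vendor is no longer obligated to patch it.
        return "quarantine"
    if dev.vuln_disclosed is None:
        # No known vulnerability on record, still inside support.
        return "allow"
    if dev.patch_released is None:
        # Requirement 2: vendor still inside its window gets reduced priority; past it, quarantine.
        vendor_deadline = dev.vuln_disclosed + VENDOR_PATCH_DEADLINE
        return "deprioritize" if today <= vendor_deadline else "quarantine"
    if dev.patch_installed is None:
        # Requirement 3: owner still inside the install window gets reduced priority; past it, quarantine.
        owner_deadline = dev.patch_released + USER_INSTALL_DEADLINE
        return "deprioritize" if today <= owner_deadline else "quarantine"
    return "allow"


def audit(inventory: list[Device], today: date) -> dict[str, str]:
    """Map every device name to its disposition for the given day."""
    return {dev.name: classify(dev, today) for dev in inventory}


# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_INVENTORY = [
    Device("thermostat", True, date(2022, 1, 1), date(2017, 5, 12), date(2017, 5, 20), date(2017, 5, 22)),
    Device("ip-camera", False, date(2022, 1, 1), date(2017, 4, 1), None, None),
    Device("doorbell", True, date(2020, 1, 1), date(2017, 5, 1), None, None),
    Device("dvr", True, date(2016, 12, 31), None, None, None),
    Device("fridge", True, date(2027, 1, 1), date(2017, 1, 10), date(2017, 2, 1), None),
]


def sample_audit() -> dict[str, str]:
    """Run the policy over the constructed inventory as of AUDIT_DAY."""
    return audit(SAMPLE_INVENTORY, AUDIT_DAY)


if __name__ == "__main__":
    for name, disposition in sample_audit().items():
        print(f"{name:12s} {disposition}")
```

The ordering of the checks is the point: an unpatchable device or one past its expiration date is quarantined no matter how recently it was touched, while devices whose vendor or owner is still inside the agreed window are only de-prioritized, which is the "spot, de-prioritize, or quarantine" ladder the article attributes to network operators.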

Filed Under: expiration dates, iot, patches, recalls, sandy clark, security, vulnerabilities

Reader Comments

Anonymous Coward, 1 Jun 2017 @ 9:13am

Re: Terrible idea

I don't have any IoT devices in my house. I won't get any with the piss-poor security almost all of them have. I plan to go with Homekit devices, just because they have far better security and are encrypted. The downside is you have to be in the Apple world. That's a con for many people. Also the Homekit device market is not that big in comparison. It is growing. Your selection of devices in a category narrows. The pro is security, and you have to be Apple approved. Not just anyone can throw any old thing out there.

There are a few IoT devices that have good security, like the Ring Doorbell, which is kept up to date, and they take security seriously. Chamberlain, the garage door company, will within a few months (if they don't keep being delayed) have new Homekit-supported devices. So I should be able to say to my Apple Watch "Siri, open garage door" and it should do it. Right now I can do it with an app on the watch, but Siri control would make it simpler and quicker. There's the EcoBee3, which supports Homekit for house climate control, which I think is better than the Nest and can have remote temp sensors.

I haven't jumped on the IoT bandwagon because of all the poor security with them. I figured I'd wait until they figured this out before I jump on that bandwagon. It really is the wild west right now with them. They need to get this stuff figured out and fixed before the end result is another failure like others in the past, such as X10 devices. I used a few of those a number of years ago.
