Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

from the the-looming-global-IOT-shitstorm dept

If you hadn't noticed, the incredibly flimsy security in most Internet of Things devices has resulted in a security and privacy dumpster fire of epic proportions. And while recent, massive DDoS attacks like the one leveled against DNS provider Dyn last year are just one symptom of this problem, most security analysts expect things to get dramatically worse before they get better. And by worse, they mean that these vulnerabilities are going to result in attacks on core infrastructure that will inevitably result in human deaths... at scale.

Estimates suggest that 21 billion to 50 billion IoT devices will come online by 2020. That's 21 to 50 billion new attack vectors on homes, businesses and governments. And many of these are products that are too large to replace every year (cars, refrigerators, ovens) but are being manufactured by companies for whom software -- and more importantly firmware updates -- aren't a particular forte or priority.

To date, a number of solutions have been proposed to tackle this explosion in poorly-secured devices, none of which seem to really solve the issue. Agencies like Homeland Security have issued a number of toothless standards that the companies making these poorly-secured products are free to ignore. And efforts at regulating the space, assuming regulators could even craft sensible regulations without hindering the emerging sector in the first place, can similarly be ignored by overseas manufacturers.

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

  • A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
  • A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
  • A minimum time limit for users to install patches or upgrades; perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job, that overseas companies would be consistently willing to comply, or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet-connected devices worldwide.

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected for 2020 is expected to balloon to 82 billion by 2025.

Filed Under: expiration dates, iot, patches, recalls, sandy clark, security, vulnerabilities

Reader Comments


    1. Anonymous Coward, 1 Jun 2017 @ 12:54pm

      Re: Re: Re: Re: Terrible idea

      People who are not technical enough to keep their devices up to date are not necessarily "stupid", Mr. Coward, they just don't have the same skillset you do.

      So, they are unable to read then? How about ask questions? Or maybe they just can't comprehend basic $INSERT_NATIVE_LANGUAGE_HERE. I understand they don't have the same skillset I do, they shouldn't need to. That still doesn't excuse them from not giving a crap at all about the stuff that they use. And if it's not optional, then they should learn at least enough about it to use it safely. That's true of anything not just computers.

      If I applied the same excuse you are to something like driving a car, or finance, I'd be on the receiving end of society's vengeance along with a long visit from society's finest. Even if I didn't cause any harm. Yet, with computers for some reason, society doesn't care until it bites them. Then it's a problem. See the double standard yet?

      This isn't about them learning how to set up a VPN or learn x86 ASM, this is about them caring enough to do the basic things that they are supposed to do. (RTFM, think before you click, just because you can doesn't mean you should, think about the circumstances (anti-phishing), read first then click OK, don't reuse passwords, keep regular backups, etc.)

      so why not try and look for ways to prevent people from getting infected?

      Because we do, but most people then come up to us and demand that whatever we come up with be automated so they don't have to do anything, even if the issue was their own carelessness. Also, it's not possible to prevent every infection. Even the best protections will fall to a well-crafted exploit. So, operator awareness really is the best option. Sadly, we have too many operators who couldn't care less and don't follow basic safety rules. It's also hard to feel sympathy for someone who refuses to do anything to protect themselves in their own self-interest and then demands everyone else do the protecting for them. Plus we've pretty much hit the bottom of the barrel for finding new ways to protect people that don't involve 1. telling them to stop using it, or 2. taking control of their toys away from them because they refuse to play by the rules like adults. (The latter being what TFA is about.)

      Unless they get hit by something with automatic execution capabilities, it is their fault. Most of these will get patched quickly assuming you have updates turned on. (Most do, as it's the default.) These types of infections are also rare due to the potential fallout being a huge motivator for a patch to be made ASAP once it's known. Everything else requires some level of user intervention to successfully infect the machine, which by definition means it is the user's fault.

      Never mind that regardless of how you got infected, you are also responsible for taking steps to safeguard your own data, and keeping a backup for later use if needed. Most people don't do this. This is not an "if" you get infected question, but a "when" you get infected question. Even the best people that take every precaution will get a virus at some point or another. (Once again, see the automatic execution type above.) So not doing this is once again the fault of the end user.

      Not to mention that most couldn't even recover the system after an infection because they have no recovery media. (Thanks, manufacturers that wanted to save $0.02 cents on each machine. That is a valid complaint against them.) Even if they did have the media, most wouldn't know how or when to use it. That's why the "default" option when a computer gets infected for most people is to plop down another load of cash for a new one. (Once again, another valid complaint against manufacturers (and retailers) who exploit this fact for financial gain.) This creates a HUGE e-waste problem in addition to their laziness and new debt. (Which should speak volumes about the level of apathy that they have for following basic safety guidelines when it comes to computers.)

      even power users don't necessarily want to spend their time dicking around with configuration.

      I didn't ask you what you wanted to do. I told you what you needed to do. Life's hard, get used to it. Yes, some things can be made easier; others are overly complicated for no reason. For those things, complaining about the process is valid. But most people will never make constructive complaints. Why? Because most will look at it for a grand total of five seconds before throwing their hands up, not bothering to read documentation, and start complaining.

      it wasn't because I'm too stupid to figure out how to install Arch

      Never said you were. Although most people wouldn't be using Arch either. Most people who I'm referring to use some version of Windows (often whatever came with the computer), and never look at the documentation. (Which is often better quality (though not necessarily better quantity) for proprietary software.) Not reading the documentation isn't stupid, but if you don't know how the software works, it's not the smartest decision either.

      it's because I have a finite amount of time on this Earth and I feel that I have already spent enough of it manually editing configuration files.

      Then use something that you do know how to use, advocate for a GUI tool to be made (or better, code your own / help someone else with theirs), or swallow your pride, sit down, and do it. If you have to use that program, then realize you'll need to invest the time required to set it up properly.

      Automatic security updates are a good thing. They should be encouraged, as a necessity for novice users and a convenience for power users.

      Hear, hear.

      But it is absolutely reasonable and right that we hold manufacturers responsible for the security of the products they sell.

      Except they have a reasonable assumption that the person using their products will use them as intended. (If you use the thing as a Frisbee, don't expect them to fix it. Similarly, if you use a consumer AP as a $300.00 router, don't expect software support from them.) They also cannot predict every single possible configuration and environment that their products will be used in, and as such must rely on the local admin (even if it's a clueless end user) to fill in the blanks. Some things you just can't secure without knowledge of the environment it will be used in. (Is there a firewall? Is a password required? Do we have a proxy server we must go through? Etc.) What may work for one environment will not necessarily work for another, so the manufacturer can't hard-code it and the end user must decide. (And yes, it's the end user's job to know enough about the environment to set it up, or know who to contact that does.)

      Granted, they should be held accountable for their own bugs, but making devices stop working because the manufacturer doesn't want to bother with it anymore isn't the solution. The manufacturer shouldn't be rewarded with more money because they decided to retire a product for whatever reason. They should be held accountable for the products they make, and continue to provide security patches for a reasonable amount of time after the product's retirement to allow consumers to migrate to newer products, or to start maintaining it themselves. (I'd say about ten years is good enough.) Along with hefty legal penalties and fines should they break that mandate. Never should the product stop working due to an arbitrary date passing, and never should the consumer be prevented from maintaining it themselves. (No code signatures that cannot be overridden. Use a hardware jumper / switch for protection, but allow the end user to change the key used to sign if they so desire. (The ability to change the key used to sign is important due to the code signatures being part of the overall security design of the product.)) This should also be enforced by mandate and have even greater legal penalties and fines if the manufacturer chooses not to abide by them. (The former because it's creating more junk for the landfill, and risks locking the (probably careless) user out of their data. The latter because not doing that creates an imbalance of power in which the consumer is completely beholden to the manufacturer's will, and it makes everyone less safe when one company (or a nation state that manipulates them) can hold the entire internet hostage to get what they want.)

      Yes, this is an end user problem. That's not to say that there are not other issues, or that there are not people who genuinely try to do what's expected of them. But there is a reason that PEBKAC and ID10T exist, and that is a problem of that particular subject's own creation. Trying to fix the problem by ignoring it and throwing extra penalties on top of it doesn't fix it.
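To make the "code signatures that can be overridden" design from the comment above concrete, here is an added example in Go (not code from Techdirt, the commenter, or any real product) of a hypothetical boot-ROM verifier: every firmware image must carry an Ed25519 signature under a single root key, and that key can only be replaced while a hypothetical hardware jumper (`JumperAsserted`) is set. The `Device`, `RotateRootKey` and `VerifyFirmware` names are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Device is a hypothetical boot-ROM state: the root public key firmware must be
// signed with, plus the physical jumper that gates replacing that key.
type Device struct {
	RootKey        ed25519.PublicKey
	JumperAsserted bool // true only while the owner has physically set the jumper
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify against root key")
	ErrJumperClear  = errors.New("key rotation refused: hardware jumper not asserted")
)

// SignFirmware: Ed25519 signature over the image's SHA-256 digest (vendor or owner side).
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFirmware accepts an image only if sig verifies under the installed root key.
func (d *Device) VerifyFirmware(image, sig []byte) error {
	if len(d.RootKey) != ed25519.PublicKeySize {
		return errors.New("no root key provisioned")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(d.RootKey, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// RotateRootKey installs an owner-supplied key. The jumper check is the point:
// remote code cannot silently rekey the device, but an owner at the device can.
func (d *Device) RotateRootKey(newKey ed25519.PublicKey) error {
	if !d.JumperAsserted {
		return ErrJumperClear
	}
	if len(newKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	d.RootKey = append(ed25519.PublicKey(nil), newKey...) // copy so the caller can't mutate it
	return nil
}
```

After a rekey, images signed with the old vendor key stop verifying, which is exactly the trade the commenter describes: the owner takes over the trust root, and the signature check keeps protecting them against unauthorized images.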
