Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

from the the-looming-global-IOT-shitstorm dept

If you hadn't noticed, the incredibly flimsy security in most Internet of Things devices has resulted in a security and privacy dumpster fire of epic proportions. And while recent, massive DDoS attacks like the one leveled against DNS provider DYN last year are just one symptom of this problem, most security analysts expect things to get significantly, dramatically worse before they get better. And by worse, most of them mean dramatically worse; as in these vulnerabilities are going to result in attacks on core infrastructure that will inevitably result in human deaths... at scale.

Estimates suggest that 21 billion to 50 billion IoT devices are expected to come online by 2020. That's 21 to 50 billion new attack vectors on homes, businesses and governments. And many of these are products that are too large to replace every year (cars, refrigerators, ovens) but are being manufactured by companies for whom software -- and more importantly firmware updates -- aren't a particular forte or priority.

To date, there are a number of solutions being proposed to tackle this explosion in poorly-secured devices, none of which seem to really solve the issue. Agencies like Homeland Security have issued a number of toothless standards the companies that are making these poorly-secured products are free to ignore. And efforts at regulating the space, assuming regulators could even craft sensible regulations without hindering the emerging sector in the first place, can similarly be ignored by overseas manufacturers.

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

  • A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
  • A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
  • A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk)."
  • Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job, that overseas companies would be consistently willing to comply, or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

    That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 -- is expected to balloon to 82 billion by 2025.

    Filed Under: expiration dates, iot, patches, recalls, sandy clark, security, vulnerabilities

    Reader Comments

    Subscribe: RSS

    View by: Time | Thread

    1. identicon
      Thad, 31 May 2017 @ 4:21pm

      Re: Terrible idea

      This would turn out to be NOTHING other than better planned and legalized obsolescence.

      ...I'm pretty sure planned obsolescence is already legal.

      Business would quickly turn this to their economic favor

      Well, yes, but "stop supporting a device after 2 years and push customers to buy a new one" is already standard practice. The difference here would be changing "push" to "force".

      I have mixed feelings about the idea. Stricter requirements for vendors to patch vulnerabilities are a good idea. Bricking customers' devices is not -- though if the software is open-source and the device can be rooted, that opens up the opportunity for longer-term third-party support.

      It seems to me that the best solution for Android mobile devices is probably for Google to flex more muscle in requiring OEMs to provide long-term support and security updates. Android is open-source, but OEMs can only include the Google Apps (Google Play, Google Maps, etc.) by license with Google. I think the license should require support for long-term, automatic security updates.

      But that doesn't really apply to most IoT devices. Even for the ones that are using Android (as opposed to GNU/Linux or something else), Gapps is not nearly as essential on an IoT device as it is on a phone or tablet.

      I'm really not sure what the best solution is. I do think there are cases where security practices are so bad that they qualify as negligent and companies should be fined for them (say, having an open telnet port, a hardcoded root password, or, God help you, both). But I don't really trust lawmakers to be savvy enough to draw the distinction between a company that's negligent and one that does a good job with security but gets compromised anyway.

    Add Your Comment

    Have a Techdirt Account? Sign in now. Want one? Register here

    Subscribe to the Techdirt Daily newsletter

    Comment Options:

    • Use markdown. Use plain text.
    • Remember name/email/url (set a cookie)

    Follow Techdirt
    Insider Shop - Show Your Support!

    Report this ad  |  Hide Techdirt ads
    Essential Reading
    Techdirt Deals
    Report this ad  |  Hide Techdirt ads
    Techdirt Insider Chat
    Report this ad  |  Hide Techdirt ads
    Recent Stories
    Report this ad  |  Hide Techdirt ads


    Email This

    This feature is only available to registered users. Register or sign in to use it.