Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

from the the-looming-global-IOT-shitstorm dept

If you hadn't noticed, the incredibly flimsy security in most Internet of Things devices has resulted in a security and privacy dumpster fire of epic proportions. And while recent, massive DDoS attacks like the one leveled against DNS provider DYN last year are just one symptom of this problem, most security analysts expect things to get significantly, dramatically worse before they get better. And by worse, most of them mean dramatically worse; as in these vulnerabilities are going to result in attacks on core infrastructure that will inevitably result in human deaths... at scale.

Estimates suggest that 21 billion to 50 billion IoT devices are expected to come online by 2020. That's 21 to 50 billion new attack vectors on homes, businesses and governments. And many of these are products that are too large to replace every year (cars, refrigerators, ovens) but are being manufactured by companies for whom software -- and more importantly firmware updates -- aren't a particular forte or priority.

To date, there are a number of solutions being proposed to tackle this explosion in poorly-secured devices, none of which seem to really solve the issue. Agencies like Homeland Security have issued a number of toothless standards the companies that are making these poorly-secured products are free to ignore. And efforts at regulating the space, assuming regulators could even craft sensible regulations without hindering the emerging sector in the first place, can similarly be ignored by overseas manufacturers.

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

  • A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
  • A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
  • A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk)."
  • Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job, that overseas companies would be consistently willing to comply, or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

    That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 -- is expected to balloon to 82 billion by 2025.

    Filed Under: expiration dates, iot, patches, recalls, sandy clark, security, vulnerabilities


    Reader Comments

    Subscribe: RSS

    View by: Time | Thread


    1. identicon
      Anonymous Coward, 31 May 2017 @ 4:45pm

      Re: Re: Terrible idea

      The solution would be to allow the users to patch their own stuff. No, I'm not saying disable the auto-updates, but allow the user to patch their own system if they choose.

      The way things are right now, the user cannot patch it even if they wanted to. You can't make an installer that you can tell someone to just download and run anymore. You have to often do the exact thing that the security system was designed to prevent to change something if the manufacturer looses interest. Most are scared shitless by the length of the online tutorials one must go through to install anything that the manufacturer didn't explicitly approve, and would rather continue to use the insecure device(s) as a result. Sure you might get the one hobbyist who will do it out of a good 100 people, but the remaining 99 people are vulnerable and that hurts EVERYONE when they get infected.

      The idea of using a firmware with a builtin death sentence is a solution to a problem that was created as a result of taking way the choice of the consumer. Now the "solution" to the broken "solution" is less choice for the consumer???? Now your device is outdated and bricked??? That's going to cause a lot of problems for people who leave data on these things when they go. I can imagine the lawsuits now...

      Quit making it harder to fix something that is broken. If the users are stupid, let them be stupid and suffer the consequences for it. That's the one problem that was never fixed. The end user's not caring about the stuff they were responsible for, and then blaming the manufacturer / their kids / God / etc. when it broke / got infected / turned into a cat / etc. If they would enforce the rules rather than bowed to demands for "simplicity" from idiots that didn't even spend the time to take the manual out of the packaging, we wouldn't have any of these issues.


    Add Your Comment

    Have a Techdirt Account? Sign in now. Want one? Register here



    Subscribe to the Techdirt Daily newsletter




    Comment Options:

    • Use markdown. Use plain text.
    • Remember name/email/url (set a cookie)

    Follow Techdirt
    Insider Shop - Show Your Support!

    Advertisement
    Report this ad  |  Hide Techdirt ads
    Essential Reading
    Techdirt Deals
    Report this ad  |  Hide Techdirt ads
    Techdirt Insider Chat
    Advertisement
    Report this ad  |  Hide Techdirt ads
    Recent Stories
    Advertisement
    Report this ad  |  Hide Techdirt ads

    Close

    Email This

    This feature is only available to registered users. Register or sign in to use it.