US Senators Unveil Their Attempt To Secure The Internet Of Very Broken Things

from the good-luck-with-that dept

Over the last few years we've documented in painstaking detail how the lack of any real security and privacy standards in "internet of things" devices is leading us down a path to some serious trouble. That shouldn't be particularly surprising if you've paid attention to how your refrigerator can now leak your Gmail credentials, your "smart" thermostat is now vulnerable to ransomware attacks, your smart car could be hacked in order to kill you, your power outlets can be hacked and used to launch DDoS attacks, or how your vibrator is now busy collecting data on your daily behavior.

There's one root cause: companies that prioritized making a quick buck over implementing anything resembling sane security or privacy standards.

And despite this dysfunction now being the butt of endless jokes, things really haven't changed all that much, since actually giving a damn about the problem would erode profit margins for WiFi-enabled widget makers. The end result is the daily introduction of millions of new attack vectors for both homes and businesses on a global scale. As such, there are more than a few security experts who, no hyperbole intended, believe it's inevitable that this problem will impact core infrastructure, leading to significant human casualties.

Given this is a global problem, and many of these companies are Chinese, legislating the problem away via U.S. law is likely going to be a steep uphill climb. That apparently doesn't concern Congress, which this week introduced a new bill its sponsors hope will help secure the internet of very broken things:

"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon."

While IoT legislation may be well-intentioned, many of these devices (like the security cameras and DVRs that contributed to the historically massive DDoS attack on Dyn last year) are made in China, where manufacturers will laugh off foreign legislative band-aids. And while there are very legitimate concerns that legislation crafted by a Luddite Congress could stifle innovation and experimentation in the space, this particular proposal does at least apply some standards to the IoT devices purchased and used by the federal government, injecting at least a layer of sanity and reflection into the rapid expansion of poorly-secured IoT devices.

Security researcher Brian Krebs highlights another good part of the bill, namely the portion that expands legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws:

"Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers. Perhaps the most infamous example of prosecutorial overreach under the CFAA comes in Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals."

All of that said, the legislation isn't going to do enough to prevent major, looming problems. Between 20 billion and 30 billion "IoT" devices are expected to be connected to the internet by 2020 worldwide. And as Bruce Schneier has noted on occasion, the origins of this market failure begin with an apathetic cycle of dysfunction between both hardware vendors and consumers, something that the market alone has shown it's not capable of -- or seriously interested in -- fixing:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

So while this law may be a start, it's going to take a lot more than U.S.-specific legislation to fix this particular market failure, assuming such laws don't actually manage to make the problem worse. Smart networks, smarter engineers, better routers, better code, and better communications between companies, governments, activists, and other stakeholders are all essential to get ahead of this particular threat. Fixing the internet of broken things requires a massive, overarching, holistic effort, one that doesn't exist yet, and unfortunately isn't likely to gain serious momentum until after the internet of broken things check comes due.

Filed Under: cfaa, congress, iot, mandates, researchers, security

Reader Comments

Sok Puppette, 7 Aug 2017 @ 4:54pm

Fuck "smart networks"

Or at least fuck them as most often conceived.

If the network wants to protect its own resources by not allowing huge traffic floods, especially without some indication that the recipient actually wants the data, that's good. If the network wants to start guaranteeing that the source address on a packet bears some relation to where that packet came from, that's also good.

But oddly enough the people pushing "smart networks" don't want to make networks smart when it comes to dealing with their own internal functions, because that's actually hard. Nobody wants to actually redo the routing infrastructure.

Instead, what they want to do is to spy on traffic, filter it, "collect intelligence" from it, and sometimes react to it... including with things that you could reasonably call security attacks. In the process they'll introduce a bunch of complexity and create gridlock by making everything depend on everything else. And they'll further blur the lines about what you're allowed to do to somebody else's traffic. Those are actively bad for security.

Not to mention the number of things they'll simply break, because it's crazy hard to look at the traffic between two other parties and intuit what they're actually doing.

They'll also create the machinery for an Internet police state. I'm not saying there's any kind of conspiracy to do that. I'm saying that that's what the technology is actually good for, regardless of anybody's current intentions.

Anybody who suggests "smart networks" as a solution for any kind of privacy problem needs their head examined.

If some piece of shit endpoint misbehaves, then other endpoints need to protect themselves, and the network needs to stay out of it.