
US Senators Unveil Their Attempt To Secure The Internet Of Very Broken Things

from the good-luck-with-that dept

Over the last few years we've documented in painstaking detail how the lack of any real security and privacy standards in "internet of things" devices is leading us down a path to some serious trouble. That shouldn't be particularly surprising if you've paid attention to how your refrigerator can now leak your Gmail credentials, your "smart" thermostat is now vulnerable to ransomware attacks, your smart car could be hacked in order to kill you, your power outlets can be hacked and used to launch DDOS attacks, or how your vibrator is now busy collecting data on your daily behavior.

There's one root cause: companies that prioritized making a quick buck over implementing anything resembling sane security or privacy standards.

And despite this dysfunction now being the butt of endless jokes, things really haven't changed all that much, since actually giving a damn about the problem would erode profit margins for WiFi-enabled widget makers. The end result is the daily introduction of millions of new attack vectors for both homes and businesses on a global scale. As such, there are more than a few security experts who, no hyperbole intended, believe it's inevitable that this problem will impact core infrastructure, leading to significant human casualties.

Given this is a global problem, and many of these companies are Chinese, legislating the problem away via U.S. law is likely going to be a steep uphill climb. That apparently doesn't seem to concern Congress, which this week introduced a new bill they hope will help secure the internet of very broken things:

"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon."

While IOT legislation may be well-intentioned, many of these devices (like the security cameras and DVRs that contributed to the historically massive DDOS attack on Dyn last year) are made in China, where manufacturers will laugh off foreign legislative band-aids. And while there are very legitimate concerns that legislation crafted by a Luddite Congress could stifle innovation and experimentation in the space, this particular proposal does at least apply some standards to the IOT devices purchased and used by the federal government, injecting at least a layer of sanity and reflection into the rapid expansion of poorly-secured IOT devices.

Security researcher Brian Krebs highlights another good part of the bill, namely the portion that expands legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws:

"Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers. Perhaps the most infamous example of prosecutorial overreach under the CFAA comes in Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals."

All of that said, the legislation isn't going to do enough to prevent major, looming problems. Between 20 billion and 30 billion "IOT" devices are expected to be connected to the internet by 2020 worldwide. And as Bruce Schneier has noted on occasion, the origins of this market failure begin with an apathetic cycle of dysfunction between both hardware vendors and consumers, something that the market alone has shown it's not capable of -- or seriously interested in -- fixing:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

So while this law may be a start, it's going to take a lot more than U.S.-specific legislation to fix this particular market failure, assuming such laws don't actually manage to make the problem worse. Smart networks, smarter engineers, better routers, better code, and better communications between companies, governments, activists, and other stakeholders are all essential to get ahead of this particular threat. Fixing the internet of broken things requires a massive, over-arching, holistic effort, one that doesn't exist yet, and unfortunately isn't likely to gain serious momentum until after the internet of broken things check comes due.



Filed Under: cfaa, congress, iot, mandates, researchers, security

Reader Comments


  1. DannyB (profile), 8 Aug 2017 @ 6:10am

    An idea

    I have suggested this idea before online numerous times. It specifically addresses this . . .

    "The market can't fix this because neither the buyer nor the seller cares. [. . .]

    Make the MANUFACTURER of the broken IoT device liable for all actual damages caused by their IoT device getting hacked. Including third party damages, like DDOS and ransomware. And by liable, I mean, make it EASY to recover those damages from the manufacturer.

    I am specifically NOT proposing any kind of government design standards. Or testing. Or certification. Or registration. Merely putting the costs where they belong, instead of upon the customers who buy broken IoT, or worse, on third parties who had no involvement with the broken IoT devices.

    Here is how this fixes the broken perverse incentives that currently exist. Presently, the manufacturer is incentivized to spend nothing on security. To ignore it. Keep the retail price as low as possible. Would my idea cause the cost of IoT devices to rise? Probably. And this is as it should be. Put the costs where they belong instead of on innocent third parties getting DDOSed or ransomwared.

    Manufacturers might reconsider whether some devices even should be connected to the clod. Do we really need a clod connected toy teddy bear for children?

    This would incentivize manufacturers to cooperate on security. They might get together and build a common secure Linux base upon which to create their various products.

    Can devices be made completely secure? Maybe, or maybe not. But we could go WAY further than we do now. If you've ever had to look at PCI compliance in order to do credit card processing, you have a good idea of the enormous additional steps that could be taken. And cooperating would help reduce these costs.

    While I am not proposing government testing or certification, nothing would prevent the industry from creating voluntary testing and certification, sort of like the UL trademark that can only be applied if you have the actual certification. Such certification would give consumers assurance that the device meets some significant safety standards.

    At times when I have proposed this idea, I get the argument that startups couldn't bear the risk involved. So what? If they can't, then don't build it. If I buy a $1,200.00 "smart" toaster connected to the clod, I have the same expectation that it won't burn my house down as I would have of a $12 toaster from Target. If a startup can't build it, and certify it with that same assurance of fire safety, then don't build it at all.
