California Eyes Questionable Legislation In Bid To Fix The Internet Of Broken Things

from the broken-stuff dept

If you hadn’t noticed, the much-hyped internet of things is comically broken. WiFi-connected Barbies that spy on your kids, refrigerators that cough up your Gmail credentials, and “smart” televisions that watch you as often as you watch them are all now the norm. And while this has all been the focus of a lot of humor (like the Internet of Shit Twitter feed), security experts have been warning for a while that introducing millions of security flaws into millions of homes and businesses is, sooner or later, going to come back and bite us all on the ass.

As security analysts like Bruce Schneier have pointed out, few people in this dance of dysfunction really care, so things tend not to improve. Customers often aren’t even aware (or don’t care) that their device has been compromised and conscripted into a DDoS botnet, and hardware vendors tend to prioritize sales of new devices over securing new (and especially older) gear.

Efforts to regulate the problem away are the preferred option for many. That’s what California lawmakers are considering with the recent passage of SB-327, which was introduced in February of last year, passed the California Senate on August 29, and now awaits the signature of California Governor Jerry Brown. If signed into law, it would take effect on January 1, 2020. It mandates that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features,” and it takes aim at default login credentials: a device that can be authenticated to from outside the local network must either ship with a password unique to each unit or require the user to set up a new means of authentication before it grants access for the first time.
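To make the two compliance paths in that default-credential provision concrete, here is an added example (not code from the bill, the article, or any real product) contrasting the hardcoded admin/admin pattern the bill targets with a device that either ships with a per-unit random password or refuses every action until the user replaces the shared factory password on first login. The `ConnectedDevice` class, its PBKDF2 parameters and the eight-character minimum are assumptions chosen for the illustration.

```python
"""Two ways a connected device can avoid a shared default password, contrasted
with the pattern such rules target. Added illustration only: not code from the
article, the bill, or any real product. ConnectedDevice, its PBKDF2 settings
and the 8-character minimum are assumptions chosen for the example."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; tune to the device's CPU budget


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# The pattern being legislated against: one credential baked into every unit,
# never forced to change, so one leaked manual unlocks the whole product line.
HARDCODED_USER, HARDCODED_PASS = "admin", "admin"


def legacy_login(user: str, password: str) -> bool:
    return user == HARDCODED_USER and password == HARDCODED_PASS


class ConnectedDevice:
    """Authentication state for one unit.

    unique_factory_password=True  -> option (1): each unit gets its own random
                                     password at manufacture (printed on the label).
    unique_factory_password=False -> option (2): a shared factory password exists,
                                     but nothing works until the user replaces it.
    """

    def __init__(self, unique_factory_password: bool):
        if unique_factory_password:
            self.factory_password = secrets.token_urlsafe(12)  # per-unit, random
            self.password_change_required = False
        else:
            self.factory_password = "admin"                    # shared across units
            self.password_change_required = True
        self.salt = os.urandom(16)
        # Only the salted hash lives on the device; the plaintext goes on the label.
        self._hash = _hash_password(self.factory_password, self.salt)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self._hash)

    def login(self, password: str) -> str:
        """'denied', 'password_change_required' (authenticated, but the only
        permitted action is set_password), or 'ok'."""
        if not self._check(password):
            return "denied"
        if self.password_change_required:
            return "password_change_required"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        # Reject a wrong current password, a too-short replacement, and a
        # "change" back to the factory value.
        if not self._check(current) or len(new) < 8 or new == self.factory_password:
            return False
        self.salt = os.urandom(16)
        self._hash = _hash_password(new, self.salt)
        self.password_change_required = False
        return True


if __name__ == "__main__":
    unit = ConnectedDevice(unique_factory_password=False)
    print(unit.login("admin"))                                 # password_change_required
    print(unit.set_password("admin", "long enough pw"))        # True
    print(unit.login("admin"), unit.login("long enough pw"))   # denied ok
```

On a real device the per-unit password is generated at the factory, printed on the label and stored only as a salted hash, never as a string in the firmware image where a single firmware dump recovers it for every unit. A device that supports a factory reset must also re-enter the must-change state on reset, otherwise the protection lasts only until the first reset.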

But as you might expect, critics of the bill say it’s not likely to actually fix the problem, in part because Chinese gearmakers (a major source of the problem) can simply ignore the law. Others argue California’s solution is superficial at best, since “adding security features” doesn’t help if the device is fundamentally insecure at the architectural level:

“It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add ‘security features’ but to remove ‘insecure features’. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical ‘magic pill’ or ‘silver bullet’ thinking that we spend much of our time in infosec fighting against.”
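Removing listening ports is something you can verify rather than take on faith. The following added example (not from the article or the quoted author) parses the Linux kernel’s socket table, `/proc/net/tcp`, which is what `ss -ltn` and `netstat -ltn` read on a Linux-based device, and reports which ports are listening and which of those are bound to a network-facing address rather than loopback. The sample table and the allowlist of expected ports passed to `audit()` are constructed for the example.

```python
"""List the listening TCP sockets of a Linux-based device from /proc/net/tcp and
report which are reachable from the network. Added illustration only (not from
the article or the quoted author); SAMPLE_PROC_NET_TCP is a constructed table,
not a capture, and the allowlist passed to audit() is an assumption."""
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN

# Constructed /proc/net/tcp: web UI on 80, DNS on loopback 53, telnet on 23,
# a second HTTP listener on 8080, and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0F02000A:0050 6501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 12349 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field: str, byte_order: str = "<"):
    """'0100007F:0035' -> ('127.0.0.1', 53).

    The kernel prints the IPv4 address as one 32-bit hex number in the device's
    native byte order; "<" (little-endian) covers x86 and most ARM, while a
    big-endian MIPS router prints 127.0.0.1 as 7F000001 and needs ">"."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack(byte_order + "I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str, byte_order: str = "<"):
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = decode_addr(fields[1], byte_order)
        remote_ip, remote_port = decode_addr(fields[2], byte_order)
        rows.append({"local_ip": local_ip, "local_port": local_port,
                     "remote_ip": remote_ip, "remote_port": remote_port,
                     "state": fields[3]})
    return rows


def listening_sockets(text: str):
    return [r for r in parse_proc_net_tcp(text) if r["state"] == TCP_LISTEN]


def exposed_ports(text: str):
    """Listening ports bound to something other than loopback, i.e. the part of
    the TCP attack surface a remote attacker can actually reach."""
    return sorted({r["local_port"] for r in listening_sockets(text)
                   if not r["local_ip"].startswith("127.")})


def audit(text: str, allowed_ports):
    """Network-reachable listeners that are not on the expected list."""
    return sorted(set(exposed_ports(text)) - set(allowed_ports))


if __name__ == "__main__":
    for r in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {r['local_ip']}:{r['local_port']}")
    # Assumption: this hypothetical device is only supposed to serve its web UI on 80.
    print("unexpected exposed ports:", audit(SAMPLE_PROC_NET_TCP, allowed_ports={80}))
```

On a device, feed it `open("/proc/net/tcp").read()` instead of the sample; IPv6 listeners are in `/proc/net/tcp6` with 32-hex-digit addresses, and UDP sockets in `/proc/net/udp`. Binding a debug daemon to 127.0.0.1 takes it off the network attack surface but not out of the firmware: it is still code reachable by anyone who gets a foothold on the box, which is why the quoted advice is to remove the service, not hide it.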

So if legislation isn’t the solution, what is? Some believe transparency is a better bet, as exemplified by the Princeton computer science department’s IoT Inspector, which aims to show users what their devices are actually doing on the internet. Others, like Consumer Reports, have been pushing to include privacy and security testing as standard operating procedure in hardware reviews. Both could go a long way toward making it much clearer what kind of product you’re actually buying and what it’s doing, since many vendors (and their user interfaces) refuse to.
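Transparency tools of that kind work by observing each device’s traffic from the network side. The added example below (not IoT Inspector’s code, nor anything from the article) shows the sort of per-device summary such a tool produces from per-connection flow records, such as a home router’s connection log, and applies two simple checks: a device pushing a large volume of data over a plaintext port, and a single-purpose gadget talking to an unusually large number of external hosts. The flow-record format, the sample lines, the device names and both thresholds are constructed for the example.

```python
"""Summarise what each device on a home network talks to, from flow records.
Added illustration only: not IoT Inspector's code, and SAMPLE_FLOWS is
constructed, not captured. Input format (assumption), one flow per line:
    <device_name>,<dst_ip>,<dst_port>,<proto>,<bytes_out>
"""
from collections import defaultdict
import ipaddress

PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}  # payload readable on the wire
PLAINTEXT_UPLOAD_THRESHOLD = 100_000  # bytes; assumption for the example
MANY_HOSTS = 5                        # assumption: a single-purpose gadget rarely needs more

SAMPLE_FLOWS = """\
# device,dst_ip,dst_port,proto,bytes_out   (constructed sample, not real traffic)
smart-bulb,34.120.10.5,443,tcp,1200
smart-bulb,34.120.10.5,443,tcp,900
smart-bulb,192.168.1.1,53,udp,80
baby-monitor,35.190.20.1,80,tcp,5000000
baby-monitor,35.190.20.2,23,tcp,400
baby-monitor,192.168.1.1,53,udp,60
smart-plug,104.16.1.1,443,tcp,300
smart-plug,104.16.1.2,443,tcp,300
smart-plug,104.16.1.3,443,tcp,300
smart-plug,104.16.1.4,443,tcp,300
smart-plug,104.16.1.5,443,tcp,300
smart-plug,104.16.1.6,443,tcp,300
"""


def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, dst_ip, dst_port, proto, nbytes = line.split(",")
        flows.append({"device": device, "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "proto": proto, "bytes_out": int(nbytes)})
    return flows


def summarize(flows):
    """Per device: distinct external hosts, total bytes out, bytes sent over
    plaintext ports, and the checks that fired."""
    per_device = defaultdict(lambda: {"external_hosts": set(), "bytes_out": 0,
                                      "plaintext_bytes": 0, "flags": []})
    for f in flows:
        d = per_device[f["device"]]
        d["bytes_out"] += f["bytes_out"]
        # LAN traffic (DNS to the router, etc.) is not "talking to the internet".
        if ipaddress.ip_address(f["dst_ip"]).is_private:
            continue
        d["external_hosts"].add(f["dst_ip"])
        if f["dst_port"] in PLAINTEXT_PORTS:
            d["plaintext_bytes"] += f["bytes_out"]
    for d in per_device.values():
        if d["plaintext_bytes"] > PLAINTEXT_UPLOAD_THRESHOLD:
            d["flags"].append("plaintext_upload")
        if len(d["external_hosts"]) > MANY_HOSTS:
            d["flags"].append("many_destinations")
    return dict(per_device)


def report(text: str):
    return summarize(parse_flows(text))


if __name__ == "__main__":
    for name, d in report(SAMPLE_FLOWS).items():
        print(f"{name}: {len(d['external_hosts'])} external hosts, "
              f"{d['bytes_out']} bytes out, flags={d['flags']}")
```

Both thresholds are illustrative, and in practice the device column would be derived from the MAC address or DHCP hostname rather than supplied by hand. The point is that destination counts and protocol choices are visible at the router even when the device’s own interface tells you nothing, which is exactly the gap the transparency tools are trying to fill.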

Whatever the solution, it’s likely going to require a coordinated response by consumers, hardware vendors, governments, and security professionals alike. While there have been some scattered efforts around the world on this front, as a whole that’s generally not yet happening. As folks like Schneier continue to argue, it will likely take IoT devices causing massive damage and a potential loss of life (say, via attacks on core infrastructure) before the will for such a coalition truly materializes.



Comments on “California Eyes Questionable Legislation In Bid To Fix The Internet Of Broken Things”

30 Comments
Anonymous Coward says:

This is going to be stupid hard to legislate.

I design embedded stuff for large corporations used in medical devices. I can assure you we take the security of our solutions extremely seriously as they are sometimes class 2 and class 3 medical devices. I have seen threads where a camera manufacturer talks about being able to get into a camera even if the user has changed all usernames and passwords.

Then some companies are farming their development out to places like the Ukraine and India. If you don’t control your source then you have no idea what it really does. I have seen companies that have four engineers that act as managers of a project and then they farm out the rest of their development to Indonesia. Then when there is a problem they start looking locally for a fix.

Like that isn’t some deep ass soup to wade through.

sumgai (profile) says:

Re: This is going to be stupid hard to legislate.

I respectfully disagree.

Instead of saying (legislating) that IoT devices must be more secure, California could simply implement the “All Things Cause Cancer” concept into a rating system for these units.

For instance, a board/commission/bureau could apply a meaningful set of tests to a device, and develop a rating that would be required to be displayed prominently on boxes at the retail level. Likewise for advertising, both online and off. Failure to display said ratings as required would simply mean “no sales allowed here”.

California, like it or not, has more than 10% of the total American population, thus setting it up as a leader in potential sales. If something fails in Cal., likely it won’t go over too well in the rest of the country. Again, like it or not, that’s the way of things in these times.

I’d suggest that Cal “draft” some of the industry big-wigs like Bruce Schneier and others of like knowledge, to get a first-pass methodology for this kind of testing. Obviously it will need to be monitored and modified as real-world devices come in for testing, but in essence, a Rating System of any kind will be a good measure for retail-level buyers to think about, as they make their decisions.

Enforcement efforts might include Mystery Shoppers who can be on the lookout for unrated devices, plus sales people that espouse that buyers “just ignore that rating, it’s worthless”.

sumgai

Sharur says:

Re: Re: This is going to be stupid hard to legislate.

As someone who lives in California, the “All Things Cause Cancer” solution (aka Prop 65) is worthless, because it’s everywhere.

My car causes cancer (it has a Prop 65 sticker). Food causes cancer (every restaurant and supermarket that I’ve gone to has a sticker). Coffee causes cancer, apparently (Starbucks has a warning).

It would be worse, in my opinion, because with the IoT, everything actually IS a security risk. With security, the question is not “if” but “when” (so the solution is to make security modular so that it can be upgradable).

Anonymous Coward says:

It’s one reason I don’t buy IoT devices. I am a HomeKit house. Where there are standards and it’s all encrypted. Security is high on the list. The only problem is, if you’re an Android household, you’re out of luck. HomeKit is Apple’s format.

I do have to say it’s really nice being able to turn on/off lights and open and close the garage door and adjust the temp. I have one side of my garage lights linked to my garage door using Apple’s Home App so that when the door starts to open, the garage lights turn on, and when the door is closing, the lights turn off. It makes such a HUGE difference at night. So much more light than what little I get from the garage door opener. Best of all, it doesn’t matter if you use Siri, or you push the button on the garage wall, or use the normal remote in your car. The garage is the main way we come and go. Not the front door. So having the garage light come on in the area we’re walking through has been great.

Being able to open my garage hands free on my Harley using Siri, with my Bluetooth in my Helmet, Nice!!! I don’t have to deal with any remotes. I do have to shut off my Motorcycle first, tell Siri to open the garage, and then start back up again. I can do it pretty fast. Siri can’t hear me otherwise.

There are a lot of benefits to having a Smart house. But you only really need to make things smart where it makes sense. So you need a Smart Light switch for a closet? Not really. Baby Monitors have had some of the worst security around. IoT devices can be good. The Ring Doorbell uses IoT, but they keep the software updated and care about security. The login and password are not hardcoded where you can’t change it like a number of IoT devices.

A lot of IoT devices are just thrown out of China with little care in the world. California can’t legislate it away. In general, politicians have too much time on their hands and just keep growing everything. They all should really only work for maybe 2-3 months at most, and the rest of the time, working a real job.

Anonymous Coward says:

Re: Re: Working Politicians

The Texas legislature holds its regular session for 180 days every 2 years. It seems to work well enough (that is, not appreciably worse than states that have longer and/or more frequent sessions); though there is a common joke that the authors of the state constitution got it backward and should have made it meet 2 days every 180 years.

Anonymous Coward says:

Chinese manufacturers

That part’s easy. Just convince the current administration that we need crushing tariffs on imported Chinese IoT devices, and then it won’t matter how good or bad those devices are from a security or compliance perspective. Development will necessarily move on-shore, where it can be properly ignored by local regulators.

OldMugwump (profile) says:

Linux and lazy developers are the problem

The fundamental source of the problem is that developers are lazy.

It’s far easier to start with something that already does 98% of what you need (like Linux), and add the last 2%.

Harder is to build up 100% of your application from scratch, using simple, relatively bulletproof things like state machines and (at worst) simple RTOSes.

But most of the current generation of programmers wouldn’t know where to start if not handed a full-blown OS with TCP/IP, CLI, a filesystem, USB, WiFi, graphics, multitasking, etc. already running.

There’s simply NO WAY to build a secure device that way – every unused and unneeded “feature” hosts a swarm of security holes.

If you want a secure device, you’ve got to design it bottom-up from the hardware, adding only what you need, not top-down by stripping away functionality from a general-purpose OS.

(Kindly remove yourself from my lawn.)

OldMugwump (profile) says:

Re: Re: Linux and lazy developers are the problem

By “developers” I mean all involved in the design and implementation of IoT gadgets.

But I know a number of very smart and (otherwise) competent developers who simply have no bare-metal experience at all. The very idea of building up a system from scratch doesn’t occur to them, and they wouldn’t know where to start.

And they don’t understand that the more moving parts anything has, the more likely it is for something to go wrong.

Anonymous Coward says:

Re: Linux and lazy developers are the problem

It is not the platform but the user to blame in this case. Ask people to reinvent the wheel badly and you’ll get the quality of a sophomore computer networking class weak against known vulnerabilities because they are too complicated. If you think their misconfigured SSH servers are bad try having them write it from scratch.
A better designed toolkit could reduce misconfiguration issues but they are often determined to be complete idiots who would insist upon doing things like recording passwords in the clear for the sake of “ease of use”.

People can and have secured systems via accounting for every possibility. Indeed just deleting every single unneeded function or setting them all accessible via permissions would create a pretty secure system.

John Smith says:

Wow Mikey has a TINFOIL HAT!! I bet the hat is wired to the IOT as well.

These CRAZY CONSPIRACY THEORIES are great entertainment….

/sarcasm

Maybe they’re right, maybe not. Wouldn’t shock me if they are. One kid was suspended from school after they spied on him in his bedroom through his webcam. It’s easy to just assume we’re being watched 24/7, though many of us do that out of narcissism and we are “big brother.”

It’s amazing how there is always someone willing to poison something by doing something intrusive or stupid.

Anonymous Coward says:

Re: Re:

What’s your point?

Yeah, that child was eating Mike ‘n Ike candy and the stupid ass school administrator thought he could claim it was drugs and not be called out for the spyware they put on laptops prior to giving them to students. They should be brought up on pedo charges. But that story had nothing to do with IOT did it?

Anonymous Coward says:

problem might be that no one is responsible

Schneier has done some stuff on the economics and lack of responsibility. I think the ‘if legislation isn’t the solution’ bit in this story is somewhat premature. Bad bills and bad reactive and specific targeted bills don’t mean that no legislation will work. A few of the key problems here are a total lack of interest, accountability and the ever present race to the bottom economic incentive.

Legislation should address these issues. A way to do that is to make sure those that benefit from a situation will feel it when things go bad.

So, the consumer and the people that sell IoT devices should feel the pain when things go bad. i.e. they should be held accountable for when devices end up doing harm.

Consumers should be aware of the risks, and do what they can to minimize risk; manufacturers and sellers should be made accountable if they provide IoT devices that cannot be repaired/updated/made safe, or if they do not provide the means (patches, instructions, support) to consumers.

Bob Hinden (profile) says:

Product Safety

I have mixed feelings about legislation solutions too. Hard to write laws that are enforceable and keep up with the technology.

I have been thinking that we currently have lots of existing product safety rules. I think these can be applied to IoT devices. If they prove to be vulnerable, then they can be declared unsafe and banned from sale. Then retailers like Amazon and the like would stop selling the bad ones.

Going after the people who sell them, vs. the user or the vendor, should have a bigger effect.

Anonymous Coward says:

Re: Product Safety

One way to do that is setting up liability of hacked devices on the maintainer including loss of functionality. They can have the control they want /if/ they can keep everything perfectly secured.

Admittedly I have a bit of an agenda in wanting hardware to be free as in freedom, private maintainable, and workable without an external connection instead of shutting down once they get bought out (cough Nest).

Anonymous Coward says:

Security is not port-based

“For IoT devices, that means removing listening ports and cross-site/injection issues in web management.”

By "listening ports" they might mean "servers", but we need to be clear with suggestions like this. Shunting every service onto port 80 won’t improve security (we’re already here: port-based firewalls mean most new protocols use 80 or 443). Merging all the code into one giant server won’t improve security. It’s the size of the attack surface, and the quality of the code behind it, that determine security.
