The Internet of Things is new, exciting, and unregulated. What could possibly go wrong? Security analyst Emma Lilliestam highlights the shortcomings of IoT security and explains why self-regulation is a necessary step towards increased IoT security.
I am terrified of flying. As a security analyst, I know it doesn’t make sense. Planes are the safest way of traveling – at least when you fly regular traffic. But why is it so safe?
Imagine that the airplane that you were about to board was constructed by an average agile software team.
- Initial sketches drafted with interior design and entertainment system in mind.
- Documentation is in part old, but mostly nonexistent.
- Tail wing is patched in at the last minute in the spirit of continuous deployment.
- The Definition of Done does not include any safety testing.
- There’s no regulatory body controlling, and no legal repercussions if the plane crashes into a kindergarten.
- The body of the plane is made of Duroplast, proven not to withstand lightning. When you ask the material engineer about this, he says that it’s okay, “A skilled pilot avoids lightning anyway. Besides, we wrote it on page 532 in the manual.”
Would you board that plane? I sure wouldn’t.
Lack of standardized crypto frameworks
“One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher.” – Charles Babbage, 1864.
When I create a new server, I can implement state-of-the-art communication security in an hour. Everything I need is documented and peer reviewed and there are tons of free tools to use to test my HTTPS configurations.
As of October 2016, more than half of the requests on the web are encrypted. But keep in mind that the SSL/TLS that we now take for granted wasn’t conceptualized until 1994, and the first two versions were more or less immediate failures. It took a long time of prototyping and failing to reach the standardized frameworks for encryption that we use today.
For me, the warnings about not rolling your own crypto seemed meaningless for a long time – why would you even think that you need to do it when implementing great and cheap standards is so easy? However, in the world of microcontrollers it’s a different story.
I really avoid talking about security as something hard – it isn’t. But implementing good security on an IoT device is nowhere near as easy as when all your end points are servers.
Software running on regular computers is seldom constrained by hardware resources. It doesn’t matter if the size of your artifact is 199 or 202 kilobytes, but in the embedded world it can make all the difference.
Hardware components
“Cryptography transforms (communications) security problems into key management problems.” – Dr. Dieter Gollman, 2011
There are components of varying quality on the market. Available communication chips may have support for good encryption but will leave the key management as a bleeding wound!
This is not necessarily a problem if you order a few million units, but the firms that manufacture chips will often not even talk to small scale companies. The Arduino hobbyists and startups are left with products where good security is harder to implement.
Culture
“As security enthusiasts it is our obligation to create a culture of sharing and non-blame.” – Johan Rydberg Möller, 2017
I wrote earlier that I avoid talking about security as something hard. There’s a myth flourishing out there that security is something mysterious that common techies can’t understand. This myth is nourished by security people and non-security people alike. Both groups have something to gain from it: security people can keep an air of importance and their consultancy fees high, while non-security people are excused for screwing up on basic IT hygiene.
Cloudpets: 40 dollar teddies on sale for 99 cents. Monetary damage from IoT insecurity can be harsh. (Source: Twitter)
When asked what they know about security, many programmers say they don’t know anything. Then they get to work and do input validation, ssh into their servers, perform code analysis and code review… As soon as a security practice is commonplace, it stops being “security”. It’s just something that one does.
Truth is, most tech people need a bit of mentoring, googling and interest in order to become decent security analysts. There are tons of easy and open resources that are already available to you such as OWASP cheat sheets.
Regulation
“The market can’t fix this because neither the buyer nor the seller cares. … the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.” – Bruce Schneier, 2017
Security researcher Bruce Schneier proposed in February that security-interested IT businesses need to lobby for regulation of the Internet of Things. He argues that the days of security as an afterthought in a benevolent computer network are over. If we don’t set the agenda now, regulation will happen to us – by legislators and lobby groups that don’t understand the fundamentals of the connected world.
Schneier’s reasoning revolves around an American context. With the year-old EU General Data Protection Regulation, GDPR, negligence to secure data will in a best case scenario be punished with substantial fines. I say best case, because the regulation will not be used for another year. There are vested interests with big money that want to set a precedence rendering the legislation an expensive but toothless paper tiger.
A few months back, non-secured IoT cameras brought down parts of the internet. Information Technology security is now a question of Physical World Security.
My proposal – a voluntary IoT security seal
Bruce Schneier sees the IoT security issues as a market failure, and thus we must resort to legislation. I am much less pessimistic! Should we regulate the Internet of Things? My answer is “No! Not yet.” I think that the huge brand damage that IoT insecurity has proven to be in recent time will continue, and the incentive for companies to do something about it increases.
I would argue that self regulation is more effective than legislation.
I would like to suggest a seal for voluntary certification of products, following the lead of the pioneers of organic food seals like Swedish KRAV. A non-profit funded by the members would handle the issuing and auditing.
The seal would cover the most important and IoT relevant parts of ISO 27000, GDPR, Hacker Ethics, and relevant OWASP best practices. Moreover, it must be communicated to the general public so that they can make an active choice for a reasonably secure product.
I would suggest the following simple baseline:
* Ensure that the product is protected from trivial or cheap attacks
* Commit to patching critical vulnerabilities
* Commit to following the intentions of GDPR
* Having and following a Security Vulnerability Disclosure Policy
* Not prosecuting security researchers and reverse engineers
Even if this seal only reaches a small percentage of the market, it will be a huge win.
If self regulation fails, sooner or later, a tedious, and in the worst case ineffective, compliance process on the EU level will be forced upon us. And if that day comes, it’s much better to showcase a proven and continuously improved framework that will provide actual security and not just another layer of costly bureaucracy.
About the author:
Emma Lilliestam is an IT security technician and DevOps manager of the IoT company Ewa Home. She will talk at Security Fest in Gothenburg the 1st of June.
Twitter: @emalstm