Bruce Schneier: We Need To Save the Internet From the Internet of Things

Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
  • by Anonymous Coward
    Bruce just confirmed we are in the Matrix.
  • by Registered Coward v2 ( 447531 ) on Friday October 07, 2016 @03:43PM (#53033877)
    is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they have no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet: there is no way to block access from insecure devices when they become part of a botnet. If there were, and manufacturers suddenly got lots of warranty calls when it stopped working, they might actually care about security.
    • by mlts ( 1038732 ) on Friday October 07, 2016 @03:49PM (#53033923)

      "Security has no ROI" is a mantra I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact that they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they'd just tell users to buy version 2 of the device that might move the open port from 23 to another number, and call it done.

      What would be ideal would be something like UL listings, except for security instead of electrical safety. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.

        by Grishnakh ( 216268 )

        What would be ideal would be something like UL listings, except for security instead of electrical safety.

        Won't work. People used to value UL ratings because they were worried about electrical appliances catching on fire. People don't even care about UL ratings any more because this just doesn't happen, except with things that have lithium batteries.

        The fact is, consumers just don't care about security. They don't know anything about it, they don't want to know, they just know the nebulous "hack

    • by gnick ( 1211984 ) on Friday October 07, 2016 @03:49PM (#53033925) Homepage

      is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.

      What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.

    • by MitchDev ( 2526834 ) on Friday October 07, 2016 @03:55PM (#53033961)

      When they get SUED and pay out the nose is the only time they'll take it seriously

      • by Anonymous Coward

        As long as they're allowed to disclaim liability for obvious problems with their products, there will be no movement on the issue.

        It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

        • by arth1 ( 260657 ) on Friday October 07, 2016 @06:10PM (#53034797) Homepage Journal

          It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

          In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.

          So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.

          • by Bert64 ( 520050 )

            If the manufacturers are not based in Europe, nor selling directly in Europe, then there's not much recourse under European law.
            Most of these devices come from China.

    • by DickBreath ( 207180 ) on Friday October 07, 2016 @04:01PM (#53033999) Homepage
      Maybe the cost needs to be a government fine. That way it has a guarantee of financial impact. No uncertainty about whether a lawsuit will be filed, or whether it will be won. And a private party does not have to bear the cost of initiating the lawsuit.

      Simply have statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.

      Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.

      It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built in incentive to build them as cheaply and unsafely as possible.
    • by rtkluttz ( 244325 ) on Friday October 07, 2016 @04:09PM (#53034063) Homepage

      Wrong. The only way this gets fixed is if cloud command and control goes away. Internet of things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suit them. Configuration differences from one place to another make mass control almost impossible. Yes, it's much more likely individual sites get compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall. The CORPORATION is the biggest damn security threat we have.

      • by Bert64 ( 520050 )

        I agree, I want devices that work in exactly the way you describe... I would put them on their own VLAN, access them via VPN, and there would be relatively little risk even if the devices themselves are horrendously insecure.

        Unfortunately the vast majority of potential customers are not up to that, most have no idea how to punch holes in their firewall or aren't even able to (carrier NAT for instance) so you have devices that connect out to a server somewhere that the end user has no control over. You end up

    • by Snotnose ( 212196 ) on Friday October 07, 2016 @04:39PM (#53034331)
      Maybe the white hats can help. Get the malware used in subverting the devices, then modify the payload so it changes the network settings to knock the device off the internet. If the owner is knowledgeable they can fix it, probably do so 3-4 times, then return the unit. Everybody else will just return the unit.

      This costs the manufacturers big $$$ and removes the threat.
      • Modifying software/firmware on computers and devices that you don't own or have not been explicitly granted access to is criminal hacking, and a federal felony. Your suggestion might work, but I suspect that the definition of 'white hat' doesn't include incurring hundreds of thousands of counts of felony activity.

        Perhaps the word you were looking for is 'Vigilante'?
        • by Bert64 ( 520050 )

          Not everywhere, simply get someone in a jurisdiction where it's not illegal to deploy such tools and do the whole world a favor.

    • The only way this will get fixed is when internet providers get serious about IPv6 security and migration, since that's what the internet of things hinges on. Essentially, how to set things so that things like camcorders connected to the internet can't be remotely maneuvered except by network nodes authorized to do that. And before anyone says 'NAT', this is not an issue about NAT: it's an issue about not knowing how to set up IPv6 based VPNs, and have everything operate within that

      • "The only way this will get fixed is when internet providers get serious about IPv6 security and migration"

        So, the problem is stated as being no motivation for the IoT producer to spend on securing their devices and then your proposed solution is for a third party to do something it is even less motivated to do?


    • Actually I think it's time they were made legally responsible for their product's security. Practically speaking they could never know about every single attack vector that could be dreamed up. But making them (on pain of large, ongoing fines) use decent security protocols and decent, random default passwords would be a start.
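The comment above asks for random default passwords rather than a fixed factory default. The following is an added example, not code from the thread or from any vendor, showing the two halves of that: minting a per-unit password from the OS CSPRNG at provisioning time, and auditing a fleet's credential records to catch any password that turns up on more than one device (a shared default is what botnet scanners try first). The alphabet, length, and the SAMPLE_FLEET records are constructed for illustration; a default derived from the serial number or MAC address would not count as random and is deliberately not what this does.

```python
"""Per-device random default credentials and a shared-default audit.

Added illustration only; not from the Slashdot thread or any manufacturer.
"""
import secrets
import string
from collections import defaultdict

# Drop look-alike characters so the password can be printed on a sticker
# and typed without confusion. 57 symbols ^ 12 chars is roughly 70 bits.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
PASSWORD_LENGTH = 12


def generate_default_password(length=PASSWORD_LENGTH):
    """Return a fresh password from the CSPRNG; call once per unit built."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(serials):
    """Assign every serial number its own independently generated password.

    Nothing about the serial feeds into the password, so knowing one
    device's default tells an attacker nothing about its neighbours.
    """
    return {serial: generate_default_password() for serial in serials}


def find_shared_defaults(credentials, threshold=2):
    """Audit {serial: password} records for passwords used on `threshold`
    or more devices. Returns {password: [serials]}; a non-empty result means
    a fixed factory default shipped, which credential-stuffing bots rely on.
    """
    by_password = defaultdict(list)
    for serial, password in credentials.items():
        by_password[password].append(serial)
    return {pw: sorted(serials) for pw, serials in by_password.items()
            if len(serials) >= threshold}


# Constructed sample records: two cameras left the line with "admin".
SAMPLE_FLEET = {
    "CAM-0001": "admin",
    "CAM-0002": "admin",
    "CAM-0003": "xc2K9vPq7Rtn",
}

if __name__ == "__main__":
    print("shared defaults in sample fleet:", find_shared_defaults(SAMPLE_FLEET))
    fresh = provision(["CAM-0004", "CAM-0005", "CAM-0006"])
    print("shared defaults after provisioning:", find_shared_defaults(fresh))
```

Run it as a script to see the audit flag the constructed "admin" pair and come back empty for the freshly provisioned units. The audit is the part worth keeping in a manufacturing pipeline: it catches the regression where a firmware build silently reintroduces a hardcoded account, which per-unit generation alone does not protect against.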
    • by Pieroxy ( 222434 )

      What you say is that some "good conscience" grey hats need to write robots that hack through those devices and brick them ? That could work. But then you need to protect yourself pretty well, cause the day one of those manufacturers get a hold of you you're going to get sued down to oblivion.

  • by JcMorin ( 930466 ) on Friday October 07, 2016 @03:44PM (#53033893)
    So the government will pass a law and all IoT will be secure... that would be the US gov I assume? All companies in the world will be complying with the new law? I would not count on that for sure.
    • by Anonymous Coward

      The government is complicit, not responsible. Chaos is good for them; it creates a demand for control that we refused them over and over again. They're either gonna let it rot to replace it or fix it in their own mischievous way.

    • by Anonymous Coward

      Well, the US, or the EU, or another country or bunch of countries with a sufficiently large population. It just takes a big enough segment of the market to demand better security, either through consumer or legislative action, that the loss of sales would outweigh the cost of better development.

    • It gets even better. He's declaring the free market as incapable to solve a situation that is well and truly in its infancy.

      You know parents don't take kindly to people calling their toddlers retarded.

    • So the government will pass a law and all IoT will be secure... that would be the US gov I assume? All companies in the world will be complying with the new law?

      I would not count on that for sure.

      99% of all those IOT devices are made in China. If the U.S. created tougher regulations regarding security, it seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else. So the rest of the world would end up getting more secure devices also.

      • by lgw ( 121541 )

        seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else.

        They do this with almost everything manufactured in China - including the version with the branding, and the (sometimes local-only) cheap version without logos. Chinese manufacturing companies are really good at manufacturing these days, and can do custom runs easily.

        In the case of IoT, there'd certainly be a version with a backdoor for the Chinese government, so we can only hope there would be 2 versions.

  • Really? The same one who let 30m clearance files on people get stolen by the Chinese because they didn't even leverage basic encryption? The congress which thinks the internet is just tubes? The FBI that thinks math is stupid and you can limit encryption?

    Yes, brilliant, you fucking idiot.
    • Not directly, as you point out, but if they passed a law stating that the IoT makers were liable for misuse and made it easy to pin them on these things they'd be sure to secure them.
      • by hsmith ( 818216 )
        What makes anyone think the government would want to do that? They'd much rather it be wide open so they can get into systems. The last thing they want is to push down hardened security.
  • All IOT products need to be labeled as such. Then I can avoid them...

    • Great. You avoid them. So do I. That's already half the problem done, now let's go and educate the millions of others who will buy those things.

      The problem is not you or me. The problem is that "internet connectivity" is another checkbox on the little card that gives people information about the appliance they're looking at at Wal-Mart, Costco and whatever other chains there are that can't give you any idea about the things they sell 'cause they themselves have no idea about them.

      And this TV has 6 checkboxes

    • by SeaFox ( 739806 )

      All IOT products need to be labeled as such. Then I can avoid them...

      This isn't hard.

      The device I'm about to purchase (check all that apply)
      __ has existed for decades, but has a computer built into it now, and did not normally have one prior to the year 2000.
      __ can control other simpler items in my house (i.e. lamps, garage doors, entry doors, climate control systems, security systems).
      __ connects to my household LAN.
      __ can be used from outside my own local area network through a smartphone app or a publicly accessible website that was not written by me.
      __ was made by a comp

  • Can we have a botnet that scans the internet for insecure devices and changes their password?
    • by b0bby ( 201198 )

      It would actually be pretty great if there were a site which would let you scan the ip address you were coming from (so you couldn't use it against others) with a full Metasploit style array of checks. It could be helpful to a lot of home users who have a basic NAT router going on, maybe with some port forwarding so they can get to various devices like DVRs.

      Hopefully someone is going to chime in "You mean like..."
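The comment above wants a way for a home user to see what their own address exposes. As an added example, and not code from the thread or from any such site, here is a small probe of the TCP ports that embedded devices most often leave reachable (telnet on 23 and 2323, TR-069 on 7547, camera RTSP, ADB, the usual admin web ports), which also records any greeting the service volunteers so that, for instance, a telnet `login:` prompt is visible in the report. The port list and service labels are this example's own choices. It only tells you what is reachable from wherever it runs: run it against your public IP from outside your LAN (a phone hotspot will do), and only against hosts you own.

```python
"""Probe commonly abused IoT ports on one host and report banners.

Added illustration only; not from the Slashdot thread. Scan only hosts
you are responsible for.
"""
import socket

# TCP services embedded devices frequently expose. Labels are for reporting.
RISKY_PORTS = {
    21: "ftp",
    22: "ssh",
    23: "telnet",
    80: "http (device admin UI)",
    443: "https (device admin UI)",
    554: "rtsp (camera stream)",
    2323: "telnet (alternate)",
    5555: "adb",
    7547: "tr-069 (CWMP)",
    8080: "http-alt",
    8443: "https-alt",
}


def probe_port(host, port, timeout=1.0):
    """Return (reachable, banner).

    A completed TCP connect means the port is reachable from here. The
    banner is whatever the service sends first within `timeout` seconds
    (telnet, ftp and ssh greet before reading); HTTP services stay silent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(128)
            except (socket.timeout, OSError):
                data = b""
            return True, data.decode("ascii", "replace").strip()
    except OSError:
        return False, ""


def scan(host, ports=RISKY_PORTS, timeout=1.0):
    """Return [(port, service_label, banner)] for every reachable port."""
    findings = []
    for port in sorted(ports):
        reachable, banner = probe_port(host, port, timeout)
        if reachable:
            findings.append((port, ports[port], banner))
    return findings


def report(findings):
    """Render scan() output as text a home user can act on."""
    if not findings:
        return "no probed ports reachable"
    lines = ["reachable from the probing host:"]
    for port, service, banner in findings:
        detail = f" -- {banner!r}" if banner else ""
        lines.append(f"  {port:>5}/tcp {service}{detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(scan(target)))
```

Anything listed under telnet, TR-069 or ADB is the kind of exposure the Krebs botnet devices had; a reachable admin UI is a prompt to check whether a port forward or UPnP mapping put it there. A full Metasploit-style check would go on to try default credentials, which this deliberately does not do.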

  • or just turn off UPnP on your firewall?

    IoT to the cloud is a problem security wise. The bigger issue is that IoT devices should not be throwaway stuff. That means designing them to function as part of a home for 20+ years; the smarts need to be in an IoT controller, not some cloud service that might still be around.

    • Duuuuuh, upnp... is that the new detergent?

      Please realize what dimwits buy those crappy pieces of junk hardware. You honestly expect them to even know what they're doing?

    • or just turn off UPnP on your firewall?

      Break my internet connection because of a misbehaving insecure device that should instead simply be blacklisted? No thanks.

      I have better things to do than manually manage port forwarding, and the collective world's shrug of shoulders when it comes to IP address space exhaustion has already broken end-to-end connectivity of the internet enough without disabling about the only part of home infrastructure that still prevents me from getting daily "son the internet isn't working again, can you drop by" calls.

      • Break what exactly? UPnP is not assumed to work; it's not some ancient protocol, it was a hack to get home users to let devices do whatever they want.

  • But markets solve ALL problems!
  • If these devices are so trivially insecure and easy to get into, maybe the best way to deal with them currently is to use the same exploits used by blackhats to knock them offline.

    • And exactly that is illegal. Sure, a blackhat doesn't care, but a company that could (and, in this lawsuit-happy country, certainly WOULD) be sued does.

      In that fucked up system someone who is not only stupid enough to buy such a crappy piece of junk but also stupid enough to not even WANT to know a thing about its function and dangers could actually sue someone trying to fix the problem AND get rewarded. Yes, this system rewards stupidity and punishes anyone trying to save it from the stupid. Wrap your mind

      • by phorm ( 591458 )

        Yup. I wasn't suggesting that just anyone should do it, but - assuming that laws might be passed regarding the securing of IOT devices - there could probably also be dispensations made for removing bad devices from the internet.

        • Whoa, careful there! Who gets to define what a "bad device" is?

          • by phorm ( 591458 )

            Infected devices shown to be participating in a botnet/attack?

            • No matter how you word it, you can bet your CPU that the ??AAs will try to make computers running torrent software "bad devices".

          • by phorm ( 591458 )

            I should clarify that I've had something similar to this happen to me in the past.
            (a long time ago) I had a server which was running a squid proxy. The proxy was fairly open but the firewall rules prevented it from being accessible outside of my LAN unless one SSH'ed in. During an upgrade I broke the firewall rules and accidentally had it open to the world, after which some jerk/jerks hijacked it for nefarious purposes.

            Somebody traced it back to my IP, and my ISP verified it was an issue then killed my inte

  • Tech-clueless buyers will naturally gravitate to Internet-enabled toasters and refrigerators that cost twice as much money but can't be pwned with minimal effort by fourth-graders; and the problem will solve itself -- right after donkeys fly.
  • Seriously, we built cameras that watched coffee pots, and coke machines, and watched the crystallography doors to see if people went to lunch so we could get console zero and run stuff.

    It's just you n00bZ that think it's all you unwashed masses that we built it for.

    That said, just because you can do something, doesn't mean you should.

    My fridge should stop pinging the toaster, it's just rude.

  • The market is the only thing that could save us. Government is bad! BAD, I tell you! Trust the invisible hand to squash those problems! The market will sort it out!

  • by h8sg8s ( 559966 )

    No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

    • No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

      I see comments flipping out already about "how can government fix things?". Well, through stuff like fines. I've heard the FCC is investigating IoT type vendors. If the FCC can fine companies, or even ban them from selling products in the US until they meet a minimum standard, that will have a huge effect on these companies' behavior.

      So far, they make cheap crappy things with crappy firmware, and users/customers aren't tech savvy enough to know how to pick a device with better security features. In fact, there

  • There would be a government mandated certification that wouldn't actually ensure things are more secure.
    It would be an expensive and slow process so start-ups and small scale companies can't compete with the big corporations.
  • by DriveDog ( 822962 ) on Friday October 07, 2016 @04:31PM (#53034265)
    ...a national government can fix this, and I believe in appropriate laws and regulations. Unless we wall off the internet into national subnets, and I sure don't want that. I can imagine an international organization in which states become members by agreeing to track and prosecute DDOSers and manufacturers of insecure devices and disallow nonmember states from connecting. Works for a year or two until scope creep turns the organization into a surveillance and enforcement nightmare.
    • by Wyzard ( 110714 )

      Can't see how a national government can fix this

      By making manufacturers liable for damage done by their insecure devices.

      Insecure software is an externality: the manufacturer creates the vulnerability, but the customer (or the whole public) bears the cost when it's exploited. Free-market competition is good at optimizing for minimum cost, but by default, externalities aren't included in the cost being optimized. That's why you get cheap, insecure devices.

      If manufacturers are held liable for damage done by

  • by Anonymous Coward

    Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.

    Script kiddies can then have fun bricking insecure devices found on the internet, and users will be forced to care about the security of the IoT devices that they run. And if users care more, then device manufacturers will respond.

  • Many of these 'IoT' devices are literally solutions in search of a problem, being pushed by overeager marketers looking for a new way to get your hard-earned dollars. Honestly, ask yourself how many of these things you really need. Some of them are useful, granted, but most of them are just toys that you can get along just fine without, and remove a layer of complication from your life in the process.
  • That's not a "market failure", it's a government failure: the way liability is handled for software and security, companies get away with selling insecure crap without anybody being able to sue them for damages.

  • " will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."

    Are you kidding me? I work for a company that is betting its future on IoT in the manufacturing and heavy equipment area. I promise you, it's the evil 'ole "market" that is causing us to focus a HUGE portion of our resources on security. How do you figure it isn't in every IoT maker's best interest to deliver secure products? They may be failing right now but those that do i
  • the free market can fix all things, regulation is bad and hampers the self correcting free market.

  • Surely most IoT devices need very little bandwidth to call home. Let's limit that to the minimum and call it standards based. For example, if an IoT device truly only needs say 5k of bandwidth here and there, then limit it to that. Better yet, work to limit the bandwidth all IoT devices need. Real security is even better, but we all know that takes a back seat.
    • by I4ko ( 695382 )
      Hard with cameras. They really need to be able to upload to the offsite FTP server as fast as possible
  • I feel like in a way we need more open source firmware options. Sure most of these run Linux, but it's the configuration and front end custom software that's the problem. If there were a good standard open source distribution for different devices that was secure by default maybe this would be better.

  • On its surface, the IoT sounds like a neat idea.

    Unfortunately, in implementation, it's a raging clusterfuck.

    Basically, just because you can connect ANYTHING to a network doesn't mean you SHOULD.

  • The government proposes to add a backdoor to all encryption systems, and Schneier, an encryption expert, immediately goes to bat, contributing to and promoting large amounts of nuanced study on the matter to explain why such a proposal will fail. Then, on this networking issue, Schneier provides a completely unbacked claim that the Government is somehow going to magically fix something. I guess because Schneier is a "good guy" I should just assume that his completely unsubstantiated, critical-thinking-free

  • As with other instances where the ROI for implementing good computer security is not there, with potentially disastrous societal consequences...

    Make manufacturers liable for damages if their devices are compromised for malicious purposes (DDOS, PII extraction, etc.). Make anyone collecting PII or selling a network-connected device have insurance to cover liability for losses due to security. Bam, problem solved: the insurance market will create the implied ROI (vis-a-vis reduced insurance costs), and busine

  • If he is so smart, why is he writing letters to the editor instead of working toward a solution?
    • Bruce Schneier is a journalist/popular-writer. He wrote a precedent-breaking book on Cryptography. He didn't write it because he was a cryptographer, he wrote it because he dared to do so when a lot of other people were afraid to do so. Out of this, he established a punditry that allows him to pretend to be a 'smart cryptography expert.' Sometimes he's even billed as a 'security expert.' But really he's a popular writer who writes for nerds. Not an expert who could contribute a solution.

  • The internet will never be secure while it is based on insecure hardware and protocols.
