Legislative proposal sent to my Congressman
In thinking over the last DDoS involving IoT devices, I think we don't have a good technical solution to the problem. Cutting off people with defective devices they don't understand, and have little control over, is an action that makes sense, but hurts the innocent. "Hey, Grandma, did you know your TV set is hurting the Internet?" It's the people who foist bad stuff on the people who need to take the responsibility. Indeed, with enough moxie, we could avoid the net saturation problem in the first place. My proposal, as I sent it to my US House Representative:
Fixing the security of the Internet of Things: Now we have had several distributed denial of service attacks — generating eye-popping amounts of network traffic to bury a web site or gamer — arguably traced to botnets-for-sale of "hacked" common devices with Internet connectivity. It's time to look at the problem bad product design can cause. Not being "computers", many of those devices — cameras, televisions, light bulbs, to name a few — don't have tough-enough security moxie baked in. And it's not enough to solve today's attacks, they have to survive new attacks down the road.
Some of these household items didn't conform to today's Best Practices, taught in Security 101, with the rules learned (painfully) over the last 30 years. And then there is the question of installing security fixes: "Hey, Joe, you have to install an update to your thermostat and washing machine." Right.
This is nothing new. What is new is the tsunami of Internet-capable devices hitting the market and the Internet...and doing it badly. By sheer numbers, the situation rises to a whole new level of risk to the nation's communications infrastructure. The magnitude of the problem? Think how many light bulbs are in the typical house or apartment, and you get the idea.
This note comes a little late to the game, but I thought that one way to stem the flood of garbage from compromised household stuff is to treat vulnerabilities that cause spew as design defects, defects as serious as the exploding batteries in the Samsung Galaxy Note 7. So, looking at the procedures already in place for dealing with merchandise that can cause harm, this suggestion.
Proposed: GIVEN
* any Internet-connected device,
* "pwned" by cybercriminals,
* that causes significant harm,
* the manufacturer received notice of the defect, and
* did not, or cannot, provide a timely, zero-cost update
THEREFORE the Consumer Product Safety Commission shall require that the manufacturer provide a security update to the device within 30 days of first notice; or failing that, to issue a complete recall of the defective devices.
I don't care if it's a television, camera, refrigerator, light bulb, thermostat, washing machine, wireless access router, smart phone, desktop computer, server, you-name-it...if it's broke, and can't (or won't) be fixed, it gets recalled.
That's the only way manufacturers will take Internet security seriously. If they have to upgrade the stuff they sell, without exception, the manufacturers will find a method that will keep their expense for upgrades down. Upgrades should not be charged to the customer — the manufacturer screwed up, they should fix the problem, at their expense. I further suggest that security testing should be specifically permitted under law, not be considered part of "reverse engineering", or other shrink-wrap or copyright restriction.
The CPSC should develop guidelines for products with embedded computers that connect to the Internet at large, either directly or indirectly.
There are a number of things to consider, when building such a regulation, that come into play and complicate things:
* orphaned devices,
* devices made by companies that have gone out of business,
* imported stuff,
* methods of notification, and
* enforcement
This is an off-the-top-of-my-head idea. I think it's worth considering over other "solutions" I've seen proposed.
There is precedent for this with radio and the FCC. According to current law, the owner/operator of the radio equipment is ultimately responsible for non-interference by any transmitter used in the United States. This includes so-called unlicensed transmitters. To help the people who are not radio gurus, the FCC also has a type acceptance program, in which radios have to meet certain requirements as built by the manufacturer. There is another possible wrinkle: if there were legal consequences with selling IoT equipment, businesses making the stuff would take out insurance against claims against them. The underwriters would then take notice, and require that policyholders meet some minimum standards. Remember, we are talking about the "underwriters" who form the first part of the name "Underwriters Laboratories". From UL's web page:
UL is a global independent safety science company with more than a century of expertise innovating safety solutions from the public adoption of electricity to new breakthroughs in sustainability, renewable energy and nanotechnology. Dedicated to promoting safe living and working environments, UL helps safeguard people, products and places in important ways, facilitating trade and providing peace of mind.
We could build on these existing frameworks to the advantage of the Internet by mandating certain minimum requirements for equipment sold to the general public. I would suspect that the IETF would need to become involved in this effort, because the standards would have to come from SOMEWHERE. Which is why they are included in the header. There are other people on the Cc: list that might be interested...or might not. Why not nip the IoT problem in the bud?
In thinking over the last DDoS involving IoT devices, I think we don't have a good technical solution to the problem. Cutting off people with defective devices they don't understand, and have little control over, is an action that makes sense, but hurts the innocent. "Hey, Grandma, did you know your TV set is hurting the Internet?"
The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion. --lyndon
* Lyndon Nerenberg:
In thinking over the last DDoS involving IoT devices, I think we don't have a good technical solution to the problem. Cutting off people with defective devices they don't understand, and have little control over, is an action that makes sense, but hurts the innocent. "Hey, Grandma, did you know your TV set is hurting the Internet?"
The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion.
But that does not remove those devices from the network.
In article <alpine.BSF.2.20.1610031257490.94184@orthanc.ca> you write:
But that does not remove those devices from the network.
That ship has sailed.
This is where device profiles could help. If enough devices register profiles with the local router, at some point the router's default could be closed, so devices with no profile can't talk to the outside. For a lot of devices like lightbulbs, that would probably make no difference at all. It would mean you couldn't remotely monitor your five year old CCTV camera unless you take in the camera for an upgrade or replace it, but I can't get too upset about that. R's, John
On Mon, Oct 3, 2016 at 1:39 PM, John Levine <johnl@iecc.com> wrote:
In article <alpine.BSF.2.20.1610031257490.94184@orthanc.ca> you write:
But that does not remove those devices from the network.
That ship has sailed.
This is where device profiles could help. If enough devices register profiles with the local router, at some point the router's default could be closed, so devices with no profile can't talk to the outside.
Hi John, Are you thinking of MUD ( https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/) here, when you say "register profiles"? regards, Ted
For a lot of devices like lightbulbs, that would probably make no difference at all. It would mean you couldn't remotely monitor your five year old CCTV camera unless you take in the camera for an upgrade or replace it, but I can't get too upset about that.
R's, John
This is where device profiles could help. If enough devices register profiles with the local router, at some point the router's default could be closed, so devices with no profile can't talk to the outside.
Are you thinking of MUD ( https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/) here, when you say "register profiles"?
Yes. Eliot Lear said they're working actively on it. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
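The "register a profile with the local router, default closed" idea from the exchange above, as an added simulation that is not part of the thread or of the MUD draft: each device declares the outbound flows it needs, the router drops anything from a device with no profile or outside its profile, and per-device drop counts give the owner-notification signal the thread asks for. The MAC addresses, hostnames and profile field names are constructed for this example and are not the draft's schema.

```python
"""Simulated default-closed home router enforcing per-device profiles.

Constructed example: a device declares, keyed by MAC address, the
outbound flows it needs (a MUD-like 'from-device' allowlist). Flows from
devices with no profile, or outside their profile, are dropped and
counted. Field names are this example's own simplification, not the
MUD draft schema.
"""
from collections import Counter

# Constructed profiles, keyed by the device's MAC address.
PROFILES = {
    "aa:bb:cc:00:00:01": {            # smart light bulb
        "name": "bulb",
        "allow": [("cloud.bulb.example", "tcp", 443),
                  ("ntp.bulb.example", "udp", 123)],
    },
    "aa:bb:cc:00:00:02": {            # thermostat
        "name": "thermostat",
        "allow": [("api.thermo.example", "tcp", 443)],
    },
}

def decide(profiles, src_mac, dst_host, proto, dport):
    """Return ('accept'|'drop', reason) for one outbound flow."""
    prof = profiles.get(src_mac)
    if prof is None:
        return "drop", "no profile (default closed)"
    if (dst_host, proto, dport) in prof["allow"]:
        return "accept", "matches profile"
    return "drop", "outside profile"

def filter_flows(profiles, flows):
    """Apply decide() to each flow; return decisions and per-device drop counts."""
    decisions, drops = [], Counter()
    for mac, host, proto, port in flows:
        verdict, reason = decide(profiles, mac, host, proto, port)
        decisions.append((mac, host, port, verdict, reason))
        if verdict == "drop":
            drops[mac] += 1
    return decisions, drops

# Constructed flow sample: (src MAC, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", "cloud.bulb.example", "tcp", 443),   # normal
    ("aa:bb:cc:00:00:01", "ntp.bulb.example", "udp", 123),     # normal
    ("aa:bb:cc:00:00:01", "203.0.113.7", "tcp", 80),           # unexpected target
    ("aa:bb:cc:00:00:01", "203.0.113.7", "tcp", 80),           # repeated
    ("aa:bb:cc:00:00:02", "api.thermo.example", "tcp", 443),   # normal
    ("aa:bb:cc:00:00:99", "198.51.100.4", "tcp", 80),          # old camera, no profile
]

if __name__ == "__main__":
    decisions, drops = filter_flows(PROFILES, SAMPLE_FLOWS)
    for d in decisions:
        print(*d)
    for mac, n in drops.items():
        print(f"{mac}: {n} dropped flows -> candidate for owner notification")
```

The unprofiled camera is cut off without any judgement about its firmware, which is exactly the trade-off John describes; the bulb's repeated drops to an address outside its profile are the signal a router could surface to the household.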
This is where device profiles could help. If enough devices register profiles with the local router, at some point the router's default could be closed, so devices with no profile can't talk to the outside.
That would be nice, but a manufacturer who can't be bothered to take even the most basic security precautions certainly isn't going to implement this, either. The only cure to this will be changing the law so that the directors of the companies that ship massively insecure devices like these are personally liable for all the financial loss attributed to their products. Bankrupt a few companies' board of directors and you'll start seeing things change in a hurry. --lyndon
This is where device profiles could help. If enough devices register profiles with the local router, at some point the router's default could be closed, so devices with no profile can't talk to the outside.
That would be nice, but a manufacturer who can't be bothered to take even the most basic security precautions certainly isn't going to implement this, either.
They will if the routers start rejecting their traffic.
The only cure to this will be changing the law so that the directors of the companies that ship massively insecure devices like these are personally liable for all the financial loss attributed to their products. Bankrupt a few companies' board of directors and you'll start seeing things change in a hurry.
Good luck with that. R's, John
On Mon, 3 Oct 2016, Lyndon Nerenberg wrote:
The only cure to this will be changing the law so that the directors of the companies that ship massively insecure devices like these are personally liable for all the financial loss attributed to their products. Bankrupt a few companies' board of directors and you'll start seeing things change in a hurry.
Manufacturers are global, and their distribution is global. Local, technical laws are difficult at best to get enacted, much less consistently and by 190+ countries. And even when technically-minded laws are implemented (see US Federal and State Do Not Call Lists) they are problematic and difficult to enforce when abuse may be coming from outside the US. And the tech usually is far ahead of the legislation.
The common device through which all of these smart devices will pass is the router. Router manufacturers often build and sell larger big iron routers to ISPs, or ISPs are buying end-user routers from manufacturers and reselling to their customers. ISPs are motivated financially to avoid unwanted and "bad" traffic on their networks. The global ISP community is in the best position here to pressure their vendors to implement a standard on end-user routers which protects their networks from rogue and unsecured devices. The IoT manufacturers will need to follow standards that the router manufacturers implement to limit the negative impact of IoT devices if they want their devices on the network/Internet. When the standards are available to help protect the ISP networks at the end of the last mile from unwanted and fraudulently created traffic, and the ISPs pressure/demand the router manufacturers to implement the protections, IoT and other device manufacturers will fall in line.
Beckman
Peter Beckman, Internet Guy, beckman@angryox.com, http://www.angryox.com/
----- Original Message -----
From: "Lyndon Nerenberg" <lyndon@orthanc.ca>
But that does not remove those devices from the network.
That ship has sailed.
You're not familiar with CPSC mandatory recalls, are you? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
On Oct 3, 2016, at 5:39 PM, Jay R. Ashworth <jra@baylink.com> wrote:
You're not familiar with CPSC mandatory recalls, are you?
I'm not sure how you could make the case that a compromised DVR, e.g., directly creates a risk of physical injury to a person. Without that, I don't see how the CPSA would apply. But even if a mandatory recall was made under some law, how many of those devices do you think would be returned/exchanged, realistically. And what percentage of those devices would fall under the jurisdiction of any one country's laws? The only way to stop this sort of thing once and for all is to make it punitively costly to the humans at the helm of the corporations selling this crap in the first place. Under corporate law, this almost always means the directors. Only when they start losing their homes/yachts/Jaguars, or start spending some quality time in jail, will this problem go away. Of course, this does require governments to grow some balls :-P --lyndon
On Mon, Oct 3, 2016 at 6:15 PM, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
[...]
The only way to stop this sort of thing once and for all is to make it punitively costly to the humans at the helm of the corporations selling this crap in the first place. Under corporate law, this almost always means the directors. Only when they start losing their homes/yachts/Jaguars, or start spending some quality time in jail, will this problem go away.
Of course, this does require governments to grow some balls :-P
--lyndon
Please, no. This will put a sword through the heart of open source. If you hold the executives of the hardware manufacturer responsible for the software running on their devices, then the next generation of hardware from every manufacturer is going to be hardware locked to ONLY run their software. No OpenWRT, no Tomato, no third party software that could be compromised and leave them holding the liability bag. If you want a world in which only a handful of companies make the hardware and software, with commensurately higher prices, and no freedom to select what software you'd like to load on it, I suspect this is a good path towards it. I think there's got to be solutions that don't drive us into a closed-software world. Before we start asking the government and the lawyers to solve this in ways we'll come to hate down the road, let's give it a few more tries ourselves, shall we? Thanks! Matt
On Oct 3, 2016, at 6:33 PM, Matthew Petach <mpetach@netflight.com> wrote:
If you hold the executives of the hardware manufacturer responsible for the software running on their devices, then the next generation of hardware from every manufacturer is going to be hardware locked to ONLY run their software. No OpenWRT, no Tomato, no third party software that could be compromised and leave them holding the liability bag.
It's the closed software that is fscking everything up right now. A little sunshine on the code base will go a long way towards those people not losing their Ferraris after all.
On Oct 3, 2016, at 6:52 PM, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
It's the closed software that is fscking everything up right now. A little sunshine on the code base will go a long way towards those people not losing their Ferraris after all.
Or coming from a more legalistic view, if they lock things down that hard, they cannot possibly blame anyone else for having "rooted" the gear, therefore no passing the buck. They would have to admit that it was their - and only their - code that was responsible for inflicting the damages. I've been in the tech biz for 30+ years, and have worked for a wide range of organizations over that time. The only common denominator across them all (small, large, and everything between - commercial and not) is that rapid response high level organizational change ONLY happen when the executives see the possibility of an imminent, significant, personal loss. That might be monetary loss, or loss of reputation. But it must be personally hurtful. When the reaper appears on the horizon, it's amazing how quickly they see the path to redemption. The sooner we all admit this is not a *technical* problem, the sooner we will eradicate it. --lyndon
On Mon, 03 Oct 2016 18:33:38 -0700, Matthew Petach said:
If you hold the executives of the hardware manufacturer responsible for the software running on their devices, then the next generation of hardware from every manufacturer is going to be hardware locked to ONLY run their software. No OpenWRT, no Tomato, no third party software that could be compromised and leave them holding the liability bag.
Turn it on its ear. Liability only attaches if the product is closed-source. Sure, that leaves us with lots of open-source light bulbs that are basically abandonware 5 years later, but at least at that point it's more possible to fix any remaining issues...
On Monday, October 3, 2016, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
In thinking over the last DDoS involving IoT devices, I think we don't have a good technical solution to the problem. Cutting off people with defective devices they don't understand, and have little control over, is an action that makes sense, but hurts the innocent. "Hey, Grandma, did you know your TV set is hurting the Internet?"
The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion.
--lyndon
FTC has a hand in this area https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-char...
On Mon, 03 Oct 2016 11:58:10 -0700, Stephen Satchell said:
THEREFORE the Consumer Product Safety Commission shall require that the manufacturer provide a security update to the device within 30 day of first notice; or failing that, to issue a complete recall of the defective devices.
What percent of recalled devices are actually replaced/repaired? It's not too hard to (in principle) track down all owners of 2014 Ford Escapes. But how do you track down all purchasers of a light bulb? That's been sold in multiple continents with differing legal environments?
participants (11)
- Ca By
- Florian Weimer
- Jay R. Ashworth
- John Levine
- John R. Levine
- Lyndon Nerenberg
- Matthew Petach
- Peter Beckman
- Stephen Satchell
- Ted Hardie
- Valdis.Kletnieks@vt.edu