Tuesday, September 1, 2015

What if connected devices were secure right out of the box?

For over 120 years, Underwriters Laboratories has given manufacturers and developers a trusted way to assure consumers that products are physically safe. Noted hacker "Mudge" is on a mission to do the same for connected products.

This post was written in September 2015. A year later, a botnet suspected to be made up of IoT devices carried out some of the largest distributed denial of service (DDoS) attacks ever recorded, knocking acclaimed cyber crime investigator Brian Krebs offline for the better part of a week. Insecure devices connected to the Internet no longer affect only the intended users of those devices. When your improperly secured webcam, or my poorly-configured TV, can be conscripted into a weapon powerful enough to cause actual harm, developers need to step up and build connected devices that are secure by default.

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

Rob Graham (aka @Errata_Rob) calls it a dumb idea in so many words. Rob goes so far as to call it a "Vogon approach," an allusion to the alien species from Dan Adams' Hitchhiker's Guide to the Galaxy. In Rob's view, the problem isn't hacking or physical quality defects - and in this Rob is exactly right. Elite hackers exist, and they do elite things - but most consumers are not their prey. Their prey by and large is higher value targets - businesses, governments, and perhaps individuals in positions of significant wealth, power, or influence.

Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

So yes, Rob is correct: elite hackers are not the greatest threat most consumers face. A CyberUL that focuses solely on "software quality" and ignores these factors solves nothing.

If that is all the CyberUL accomplishes, then Mudge is wasting his time.

But there's another option - an option I have suggested in private many times, and in public via a an interview with Security Ledger.

Underwriters Laboratories was founded over 120 years ago with the goals of promoting products that are safe, and applying that effort to reduce loss of life or property due to unsafe products. Through 120 years, UL has certified items as diverse as arc lamps and rheostats, matches and fire extinguishers; cash registers; phonographs and CD players; stick-frame and concrete block wall systems. In some cases, product quality is the key element being tested - but in other cases, product design is critical.

Folks such as myself enjoy tinkering with systems, carefully configuring things to fit our liking, and just as often breaking things so we can understand how they work. We however are not the majority. Many consumers simply want their Internet-connected widget to work straight out of the box. Many things do in fact work straight out of the box - but far fewer work securely right out of the box.

This is where a CyberUL could make a tremendous difference. The most common threats consumers face could be reduced through a handful of reasonable practices. In Secure your device (the uncomplicated way) I share a few basic recommendations for individuals. But what if those recommendations were built right in?

A CyberUL that defines "acceptable standards" such as the following, and certifies that connected products meet these standards, would make a tremendous difference, particularly in the so-called Internet of things:

  1. Installation processes should establish a non-default password unique to the owner. Default passwords are an extremely common way of breaking into connected devices; if turning a product on for the first time involves choosing a password - even a weak password - that eliminates this gaping back door.
  2. Products should have automated software and firmware updates available, enabled by default, and guaranteed for the reasonable lifetime of the product. Most major operating systems now come with software updates active by default. Mobile apps likewise frequently will update themselves automatically. How often though do home users update their wireless routers, or Internet-connected washing machines? How many smartphones languish with known vulnerabilities simply because the manufacturer chooses not to push updates after a year (or at all)? Let's make this automatic.
  3. Features that impact privacy should be clearly presented so the owner can make an informed decision whether to use the feature. Trading personal information for a service (or a mobile game) is not inherently a bad idea - but it should be a conscious decision.
  4. Features that involve significant safety or privacy risk should be properly isolated from Internet access. Chris Roberts' research on in-flight entertainment systems for aircraft, and Charlie Miller and Chris Valasek's research into cellular access to vehicle controls, brilliantly demonstrate the danger when this is overlooked.
  5. Documents and content originating from outside the system or device should be automatically untrusted. For example, Windows tags files downloaded from the Internet with a "zone" marking; Microsoft Office products treat these documents as untrusted and disable macros and interactive content by default.
  6. Manufacturer systems supporting IoT devices should be demonstrably free of SQL injection and Cross Site Scripting flaws. This comes closest to the original CyberUL concept proposed by L0pht in 1999 - and to the software quality risks panned by Robert Graham - and yet is an integral piece to the puzzle as IoT devices are by definition connected. In many cases they rely on an upstream service, whether that be maps, game scoreboards, or washing machine custom cycles. Those systems are themselves a natural target for attack because they often contain personal information about the users of that service.

In each of these cases, an informed consumer may have the choice to override the defaults. I can choose to execute a macro in an Internet document, or to connect my home security system controls to the Internet, but it requires intentional choice, rather than default behavior.

Will such standards magically eliminate cyber risk? Of course not - but the goal in security has never been to eliminate all risk. The goal has always been to provide the right level of protection considering the value of the thing being protected and the cost (in dollars and in productivity or convenience) to provide that protection. A CyberUL certifying that items follow some basic standards would make a much greater degree of security economically practical.

This article first appeared in CSOonline

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen