[personal profile] mjg59
The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise don't worry - criminals aren't likely to target you.

This is terrible, irresponsible advice. It's true that most users aren't likely to be individually targeted by random criminals, but that's a poor threat model. As I've mentioned before, you need to worry about people with an interest in you. Making purchasing decisions based on the assumption that you'll never end up dating someone with enough knowledge to compromise a cheap IoT device (or even meeting an especially creepy one in a bar) is not safe, and giving advice that doesn't take that into account is a huge disservice to many potentially vulnerable users.

Of course, there's also the larger question raised by the last week's problems. Insecure IoT devices still pose a threat to the wider internet, even if the owner's data isn't at risk. I may not be optimistic about the ease of fixing this problem, but that doesn't mean we should just give up. It is important that we improve the security of devices, and many vendors are just bad at that.

So, here's a few things that should be a minimum when considering an IoT device:
  • Does the vendor publish a security contact? (If not, they don't care about security)
  • Does the vendor provide frequent software updates, even for devices that are several years old? (If not, they don't care about security)
  • Has the vendor ever denied a security issue that turned out to be real? (If so, they care more about PR than security)
  • Is the vendor able to provide the source code to any open source components they use? (If not, they don't know which software is in their own product and so don't care about security, and also they're probably infringing my copyright)
  • Do they mark updates as fixing security bugs? (If not, they care more about hiding security issues than fixing them)
  • Has the vendor ever threatened to prosecute a security researcher? (If so, again, they care more about PR than security)
  • Does the vendor provide a public minimum support period for the device? (If not, they don't care about security or their users)

    I've worked with big name vendors who did a brilliant job here. I've also worked with big name vendors who responded with hostility when I pointed out that they were selling a device with arbitrary remote code execution. Going with brand names is probably a good proxy for many of these requirements, but it's insufficient.

    So here's my recommendations to The Wirecutter - talk to a wide range of security experts about the issues that users should be concerned about, and figure out how to test these things yourself. Don't just ask vendors whether they care about security, ask them what their processes and procedures look like. Look at their history. And don't assume that just because nobody's interested in you, everybody else's level of risk is equal.
  • From: (Anonymous)
    Seriously. I have opted out of IoT because I have better things to do than deal with a hacked IoT device. My smart TV -- not connected to the internet. No smart lights, etc. Sure it would be nice to have some of this tech. But the downside of dealing with a compromised IoT device is not worth it. It is enough work worrying about my regular computers getting hacked!

    Generally agreeing except for one point

    Date: 2016-10-29 01:37 am (UTC)
    From: (Anonymous)
    >Do they mark updates as fixing security bugs? (If not, they care more about hiding security issues than fixing them)

    Sometimes device updates are marked with "fix" to protect users. Even if iot devices automatically patch themselves, an entire managed fleet does not get patched instantaneously. In my expirence there can be a significant long tail to 99.99% (you never actually get 100% updated). There will always be some percentage that are offline and thus vulnerable to a bug. Not drawing attention to something significant is not alwaysa choice of a fully self-serving nature.

    Re: Generally agreeing except for one point

    Date: 2016-10-29 04:49 am (UTC)
    From: (Anonymous)
    > There will always be some percentage that are offline and thus vulnerable to a bug.

    Though from a security perspective if it's offline it's a lot harder for it to be a threat, or at least as much of one, especially as far as devices for the home market go.

    The sorts of devices that depend on a "cloud" service for meaningful network functionality kinda have an advantage here in a weird way, since there are likely to be incredibly few which are connected to a network where they are vulnerable to attack but unable to reach the vendor's servers where an update could be forced.

    Re: Generally agreeing except for one point

    Date: 2016-10-29 06:51 am (UTC)
    From: (Anonymous)
    Let me disagree. This happens in China all the time if the device is from a non-Chinese manufacturer. Great China Firewall blocks access to lots of update sites by mistake, and nobody is even allowed to complain.

    Re: Generally agreeing except for one point

    Date: 2016-10-29 03:42 pm (UTC)
    From: (Anonymous)
    A completely valid point, I am of course coming from a US perspective where internet brokeness is an intermittent and temporary matter rather than a way of life.

    Date: 2016-10-29 08:01 pm (UTC)
    From: (Anonymous)
    We're at the point where it's time for action: we see the problem, we have people committed to solving the problem, and the problem is reaching peak visibility. What we lack are goals, leadership and manpower.

    From a point of abstraction this is all helpful advice, however users often aren't able to or committed enough to get this information themselves, and this is one of those things we need the participation of the majority to fix. What we really need is for network security experts to publish a single professional, authoritative* document full of general rules of thumb that the average user can understand to protect themselves a bit better. For instance:

    "As of 2016/10/29 we recommend these brands and these models, and here is how to secure them."
    "You should be wary of buying devices that require you to modify your firewall in order to use them. Ask whether you will have to open ports to use this device remotely."
    "The problem with webcams and security"
    "Here are some routers that support the ability to connect to your home network securely, and here's how you can set that up"
    "Here is a list of things you should think about reviewing after a messy breakup"
    "Here are some tips on how to manage social engineers and stalkers"
    "Did you know that iPhones can be set up to forward text messages to phones other than your own? Here's how to fix that."
    "How to practice good password management that won't slow you down (that much)"
    "Further reading"

    Though obviously inexact and not a 100% guarantee of security, adherence to even basic security protocols would significantly improve the security ills we face today. Sometimes it's a mistake to get pissed at backward-thinking vendors instead of encouraging consumers to get something else that will actually protect them.

    * These are both critically important, yet often overlooked. Maybe a committee should be formed.

    Price point

    Date: 2016-10-31 03:42 am (UTC)
    From: (Anonymous)
    Any products where at least 5/7 of the li's in your post are true, you're looking at a price point that is far out of the realms of your average consumer.

    Look at the IP Camera market. We have a bunch of Hikvision cameras, and whilst they're okay to a degree, they're still horribly maintained compared to other more expensive vendors (Axis, Samsung, Bosch, etc). Luckily, being the good sysadmin/nerd that I am, we can mitigate these downfalls, but I'm sure as shit others don't/can't/are too lazy to do the same.

    Date: 2016-11-04 03:18 pm (UTC)
    From: [personal profile] mikeberk
    Matthew,

    I'm the executive editor over at The Wirecutter; I responded to your comment over on our site but came over here after another commenter mentioned that you'd had more to say via your own social accounts (and then I figured I'd come read your full argument here).

    I think one issue we have at WC when dealing with these kinds of issues is framing them in a way that speaks to readers who aren't always very tech-savvy, so often we are looking, as you mention here, recommending things like "Going with brand names is probably a good proxy for many of these requirements." We tend to take a most people perspective. Grant's argument in that piece is coming from a statistical perspective, rather than one that attempts to encompass all possible situations — and those situations do include real threats to real people.

    We don't want to give up on the idea of IoT security in any way, and we do understand that there are cases where this is going to be insufficient, and I do think we caution our readers in that post that there is always a risk, and that any device out there is exploitable.

    The case you mention (a threat from someone known to the user) is one we didn't address in particular, and it's a good point. I'd love to see more data about the frequency of this sort of attack if you can link me to some resources.

    As I'd mentioned over on our site I'd love to be in touch further as we work on developing a protocol for testing the variety of random IoT objects we're coming across in increasing numbers.

    Thanks much, and keep up the good work,

    Mike
    Edited Date: 2016-11-04 03:19 pm (UTC)

    Profile

    Matthew Garrett

    About Matthew

    Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

    Expand Cut Tags

    No cut tags