[personal profile] mjg59
The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise don't worry - criminals aren't likely to target you.

This is terrible, irresponsible advice. It's true that most users aren't likely to be individually targeted by random criminals, but that's a poor threat model. As I've mentioned before, you need to worry about people with an interest in you. Making purchasing decisions based on the assumption that you'll never end up dating someone with enough knowledge to compromise a cheap IoT device (or even meeting an especially creepy one in a bar) is not safe, and giving advice that doesn't take that into account is a huge disservice to many potentially vulnerable users.

Of course, there's also the larger question raised by the last week's problems. Insecure IoT devices still pose a threat to the wider internet, even if the owner's data isn't at risk. I may not be optimistic about the ease of fixing this problem, but that doesn't mean we should just give up. It is important that we improve the security of devices, and many vendors are just bad at that.

So, here's a few things that should be a minimum when considering an IoT device:
  • Does the vendor publish a security contact? (If not, they don't care about security)
  • Does the vendor provide frequent software updates, even for devices that are several years old? (If not, they don't care about security)
  • Has the vendor ever denied a security issue that turned out to be real? (If so, they care more about PR than security)
  • Is the vendor able to provide the source code to any open source components they use? (If not, they don't know which software is in their own product and so don't care about security, and also they're probably infringing my copyright)
  • Do they mark updates as fixing security bugs? (If not, they care more about hiding security issues than fixing them)
  • Has the vendor ever threatened to prosecute a security researcher? (If so, again, they care more about PR than security)
  • Does the vendor provide a public minimum support period for the device? (If not, they don't care about security or their users)

    I've worked with big name vendors who did a brilliant job here. I've also worked with big name vendors who responded with hostility when I pointed out that they were selling a device with arbitrary remote code execution. Going with brand names is probably a good proxy for many of these requirements, but it's insufficient.

    So here's my recommendations to The Wirecutter - talk to a wide range of security experts about the issues that users should be concerned about, and figure out how to test these things yourself. Don't just ask vendors whether they care about security, ask them what their processes and procedures look like. Look at their history. And don't assume that just because nobody's interested in you, everybody else's level of risk is equal.
  • Date: 2016-10-29 08:01 pm (UTC)
    From: (Anonymous)
    We're at the point where it's time for action: we see the problem, we have people committed to solving the problem, and the problem is reaching peak visibility. What we lack are goals, leadership and manpower.

    From a point of abstraction this is all helpful advice, however users often aren't able to or committed enough to get this information themselves, and this is one of those things we need the participation of the majority to fix. What we really need is for network security experts to publish a single professional, authoritative* document full of general rules of thumb that the average user can understand to protect themselves a bit better. For instance:

    "As of 2016/10/29 we recommend these brands and these models, and here is how to secure them."
    "You should be wary of buying devices that require you to modify your firewall in order to use them. Ask whether you will have to open ports to use this device remotely."
    "The problem with webcams and security"
    "Here are some routers that support the ability to connect to your home network securely, and here's how you can set that up"
    "Here is a list of things you should think about reviewing after a messy breakup"
    "Here are some tips on how to manage social engineers and stalkers"
    "Did you know that iPhones can be set up to forward text messages to phones other than your own? Here's how to fix that."
    "How to practice good password management that won't slow you down (that much)"
    "Further reading"

    Though obviously inexact and not a 100% guarantee of security, adherence to even basic security protocols would significantly improve the security ills we face today. Sometimes it's a mistake to get pissed at backward-thinking vendors instead of encouraging consumers to get something else that will actually protect them.

    * These are both critically important, yet often overlooked. Maybe a committee should be formed.


    Matthew Garrett

    About Matthew

    Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

    Page Summary

    Expand Cut Tags

    No cut tags