[personal profile] mjg59
The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise don't worry - criminals aren't likely to target you.

This is terrible, irresponsible advice. It's true that most users aren't likely to be individually targeted by random criminals, but that's a poor threat model. As I've mentioned before, you need to worry about people with an interest in you. Making purchasing decisions based on the assumption that you'll never end up dating someone with enough knowledge to compromise a cheap IoT device (or even meeting an especially creepy one in a bar) is not safe, and giving advice that doesn't take that into account is a huge disservice to many potentially vulnerable users.

Of course, there's also the larger question raised by the last week's problems. Insecure IoT devices still pose a threat to the wider internet, even if the owner's data isn't at risk. I may not be optimistic about the ease of fixing this problem, but that doesn't mean we should just give up. It is important that we improve the security of devices, and many vendors are just bad at that.

So, here's a few things that should be a minimum when considering an IoT device:
  • Does the vendor publish a security contact? (If not, they don't care about security)
  • Does the vendor provide frequent software updates, even for devices that are several years old? (If not, they don't care about security)
  • Has the vendor ever denied a security issue that turned out to be real? (If so, they care more about PR than security)
  • Is the vendor able to provide the source code to any open source components they use? (If not, they don't know which software is in their own product and so don't care about security, and also they're probably infringing my copyright)
  • Do they mark updates as fixing security bugs? (If not, they care more about hiding security issues than fixing them)
  • Has the vendor ever threatened to prosecute a security researcher? (If so, again, they care more about PR than security)
  • Does the vendor provide a public minimum support period for the device? (If not, they don't care about security or their users)

    I've worked with big name vendors who did a brilliant job here. I've also worked with big name vendors who responded with hostility when I pointed out that they were selling a device with arbitrary remote code execution. Going with brand names is probably a good proxy for many of these requirements, but it's insufficient.

    So here's my recommendations to The Wirecutter - talk to a wide range of security experts about the issues that users should be concerned about, and figure out how to test these things yourself. Don't just ask vendors whether they care about security, ask them what their processes and procedures look like. Look at their history. And don't assume that just because nobody's interested in you, everybody else's level of risk is equal.
  • Date: 2016-11-04 03:18 pm (UTC)
    From: [personal profile] mikeberk
    Matthew,

    I'm the executive editor over at The Wirecutter; I responded to your comment over on our site but came over here after another commenter mentioned that you'd had more to say via your own social accounts (and then I figured I'd come read your full argument here).

    I think one issue we have at WC when dealing with these kinds of issues is framing them in a way that speaks to readers who aren't always very tech-savvy, so often we are looking, as you mention here, recommending things like "Going with brand names is probably a good proxy for many of these requirements." We tend to take a most people perspective. Grant's argument in that piece is coming from a statistical perspective, rather than one that attempts to encompass all possible situations — and those situations do include real threats to real people.

    We don't want to give up on the idea of IoT security in any way, and we do understand that there are cases where this is going to be insufficient, and I do think we caution our readers in that post that there is always a risk, and that any device out there is exploitable.

    The case you mention (a threat from someone known to the user) is one we didn't address in particular, and it's a good point. I'd love to see more data about the frequency of this sort of attack if you can link me to some resources.

    As I'd mentioned over on our site I'd love to be in touch further as we work on developing a protocol for testing the variety of random IoT objects we're coming across in increasing numbers.

    Thanks much, and keep up the good work,

    Mike
    Edited Date: 2016-11-04 03:19 pm (UTC)

    Profile

    Matthew Garrett

    About Matthew

    Power management, mobile and firmware developer on Linux. Security developer at Google. Member of the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

    Page Summary

    Expand Cut Tags

    No cut tags