Bruce Schneier on the coming IoT security dumpster-fire

I’m beginning to think maybe Cory gets off on dumpster fires

I’ll give you the benefit of the doubt and answer literally.

Who determies for which applications that is “enough” security.

The person with the most leverage. Who has the most leverage can change. See next item.

How many purchasers would know about the backdoor, or what that even means to them?

I think you need an actuary here. I’ll take a stab at it and say it’s proportional to the value of what’s being protected, the cost of the attack, and the likelihood of it occurring.

In other words, it does not matter if something is insecure if a product is not securing anything. It matters a lot if a product is securing something important. It matters a little if it’s securing something of little value. For most people, bandwidth is of little value and their personal identity is of great value.

Something is Pareto secure when it’s dominated by one proportionally easier attack vector - adding additional vectors does little/nothing to make the product less secure provided it’s still dominated by the ‘easy’ vector. Adding “Internet” to a product to make it “smart” without making it less secure is frequently justified this way. Sometimes it’s true.

Historically in bank vaults for instance, this vector was dominated by the cutting torch - time locks, separate master keys requiring two authorized persons, or primitive biometric scanners made little difference to improving or worsening the vault as the dominant means of illegal entry came back to the torch - it was not a question of ‘if’ but ‘how long’ and vaults were accordingly rated by ‘torch time’.

Likewise a weak home router is definitively securing your bandwidth but arguably securing your personal identity. Stealing identities is dominated by other means - stealing bandwidth is dominated by the router. Their ‘protection’ lies in WPA2 - not in ensuring they’re not remotely accessible - the same thing that makes them weak (low memory, low processing power, distributed) makes them bad targets for logging information - easier for your adversary to go phishing or hack some central point of information like a government database. The threat in this case is mitigated by an easier attack happening elsewhere.

Now if you are a CISO at Target or Home Depot it’s your job not to put these ‘home’ grade devices on your network. Congrats, your job just got harder.

When the attack becomes easy enough and the target high value enough the consumer becomes educated. Society adapts and we move on. It is not fatal.

I would like to point out now that I am not arguing for perfect security, it’s just currently set at a very low bar. There is plenty of evidence that IoT devices are being rushed to market without a lot of thought being put into the security aspects.

I don’t disagree.

Good points on the intrusion detection and fire systems, but my question still holds regarding attack surface. How many of these devices sit safely firewalled off with no ability to connect into them, but allow outbound connections? How many of them are currently sitting on poorly protected wifi routers? Is it up to the consumer to configure them correctly?

Some but not all; some but not all; sometimes but not always. IoT is not badly configured LED lightbulbs you control with your phone. If the prophets are right, IoT is coming to everything in the same way electricity came to everything, and the answers are as varied as the applications and value they unlock.

How do we make sure electrical devices are safe? It’s not a simple answer but it boils down to consumer education (“don’t stick a knife into the small outlet socket”), regulatory pressure (things like “UL” for plugged in devices), and industry best practices (“don’t use thin gauge unshielded wire for wiring up the inside of your tea kettle - don’t let unskilled persons work with high voltage”). Does it work? Well - yes and no - clearly people still get shocked - but has society literally burnt down as many predicted would happen if we engaged in the use of unsafe AC power? Yeah, no.

If they self configure, how many of them use things like UPNP to punch holes in the firewall configuration without the owners awareness?

One’s built cheaply? You’ve probably read the same mjg59 posts I have. What I don’t like doing is calling them “cheap Chinese junk” - the Xiaomi stuff isn’t near as simple. Protocol alliances have been surprisingly helpful to ensure the products pass muster. The market corrects and all that.

The car fob example is a case where improvements can be made, but all of the suggested improvements can be made without connecting to the Internet, so it’s not necessarily germane to IoT.

Key words there was “other factors”. Again, it’s access to information - you can make things more secure by giving them access to more information - which is my only point, the one not mentioned in the article, and the point which people equate with making them less secure. I don’t think you have refuted that yet.

It’s not about seeing posts so much as the actual traffic on the wire. I do it for a living.

I think we’re a lot in agreement here, I was only trying to counter the notion that Schneir’s article was not particularly balanced in that it didn’t point out security benefits of IoT.

I also am very concerned about consumers not having a good way to compare the security of products. As you stated above, don’t use x guage wire for however many amps. The problem is, we don’t ask consumers to wire their own appliances. The notion that guaranteeing the security of ones devices is the owners issue should have died a couple of decades ago.

Some but not all; some but not all; sometimes but not always. IoT is not
badly configured LED lightbulbs you control with your phone.

No. They’ve only got microcontrollers in them at best anyway, who cares?

How do we make sure electrical devices are safe? It’s not a simple answer but it boils down to consumer education.

As you stated above, don’t use x guage wire for however many amps. The problem is, we don’t ask consumers to wire their own appliances. The notion that guaranteeing the security of ones devices is the owners issue should have died a couple of decades ago.

(things like “UL” for plugged in devices)

Are you familiar with Mudge’s proposal in this area? I think he’s actually looking at something more like Consumer Reports, but it sounds promising.

you can make things more secure by giving them access to more
information - which is my only point, the one not mentioned in the
article, and the point which people equate with making them less secure.
I don’t think you have refuted that yet.

I’m not sure I need to. My primary point was that the article did not seem unbalanced to me. It still doesn’t.

While I haven’t got much to add, I’ve generally had a ton of respect for Schneier’s work (though I haven’t read every book of his, I plan to eventually), and this article is no exception. I think the points he made were quite measured, important, and well explained, while his recommendations were reasonable and helpful for the issues described.

There not all on the same level, but I always get asked my opinion about them from people I know. A lot of them are at the interface of security and those that don’t usually keep up on the topic, so I feel a bit obligated.

@tropo I was only trying to counter the notion that Schneir’s article was not particularly balanced in that it didn’t point out security benefits of IoT.

I think it is important not because we need to show both sides, I think it’s important because it’s the way out of this mess. (Yes, also more Mudge.)

You’re right, for residential applications, consumer’s shouldn’t have to manage this. Enterprises should. OnHub sets a good precedent. It’s more secure for the typical consumer because it’s more connected not despite it. That’s my thesis. It’s a counter-point to a well written article by a smart guy that is largely saying the opposite.

Lastly on a lighter note:

The problem is, we don’t ask consumers to wire their own appliances.

Well maybe not in your country.

Right now, the only way to patch most home routers is to throw them away and buy new ones.

Am I only the only one calling bullshit on this? Every router I’ve owned has had updateable firmware.

How long did the manufacturer continue providing updates for, and how quick were they to patch vulnerabilities? The industry as a whole doesn’t have a good track record, and I commonly see people with routers that haven’t had a vendor provided update in years.

I should have looked up the name earlier. I see why you have an investment in IoT now. I’m still not in agreement that the market is the best way to sort a lot of these issues out.

I only buy routers I can install something like DD-WRT on because manufacturers are so bad with writing firmware.

I primarily use openWRT or home builds with FreeBSD for similar reasons. Doesn’t mean the average consumer shouldn’t get better.

Yup, those are pretty great, too. Bottom line, while some are better than others, manufacturer supplied firmware usually stinks.

Yes. I’d really like to see more people pushing to get industry to raise the bar.

If that’s what the author means when they say “the only way to patch most home routers is to throw them away and buy new ones” then they are being too laconic for even my hardened sensibilities.

Perhaps he should have been more verbose there. Speaking from personal experience / research as well as having followed the work of people who have put far more time and money into it, consumer router firmware updates from the manufacturers are seldom kept up to date for anywhere near the serviceable life of router hardware.

I’ve also never seen a router that didn’t have upgradeable firmware. However, there’s one other thing: has the router manufacturer ever provided actual firmware updates?

One more reason to go with a router that will accept third-party firmware. But even then, how much can you trust the radio chipset firmware? This is now even more of a problem with recent FCC rules. Of course, if the router manufacturer is smart, the radio won’t have access to main memory. Too bad cellphone manufacturers can’t be that smart; in most smartphones, the radio subsystem DOES have full access.

I’m still not in agreement that the market is the best way to sort a lot of these issues out.

I didn’t say that. I am saying it is a corrective force. The best way to sort a lot these issues for people to invest their time and energy into fixing them. That’s what I am doing.

No doubt. Nobody’s saying vendors shouldn’t work on keeping their things up to date. The question is how to get that to happen. It hasn’t been happening effectively at all, market forces fail dismally in the security domain which consumers are barely aware of and shouldn’t be expected to understand, and so we’re left with the current bot armies of pwn3ed routers/iOT devices out there blasting DDOS attacks and being exploited for other purposes (which will become worse as devices become more useful). The reality is there are a lot of 5+ year old SOHO routers/cameras/etc. out there with vendors that don’t fix vulnerabilities. The industry is a pathetic mess of actors who are focused on pumping out the latest and greatest and abandoning support for “legacy” devices consumers still use after a few years. You might not like Schneier’s solution, but you haven’t offered any solution other than a status quo that will only get worse as more types of devices come online and more devices fall into the cracks of not being supported by vendors/terribly supported by vendors and turning into more fodder for the bots.

Me either, but I have seen routers that don’t allow 3rd party firmware.

The last time I was in the market for a wireless AP, I bought one that looked great without doing any real research, took it home, and found that the manufacturer had locked it to only take manufacturer-signed updates. That didn’t work for me since a feature I needed (that’s typically on 3rd party FW) was missing. I immediately returned it and bought a more expensive one that I could put DD-WRT on.

I abandoned my argument in this thread. My main router is an ASUS N-56U, a popular model, so I decided to check on the latest firmware for it and see where I stood.

The link from the admin interface for the router took me to the Taiwanese website. When I found the firmware page in English for my router, in a section called “drivers”, the last update was early 2015 and it was still classed as beta…