what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re up-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

4 thoughts on “what is “plan b” for iot security?”

  1. It wouldn’t hurt to design these devices to be easily-installable and easily-replaceable. Given that there is an inevitable end-of-life, the “thing” is going to need to be replaced to maintain security. This also requires creating a culture of regularly upgrading these devices, but designing these products to be replaced from the beginning would be the first step in that process. Then the device could warn you that it’s approaching end-of-life, and needs to be replaced or else it’s at risk of being hacked.

    1. That’d be a clever “buy a new one of me” thing – but it’d need to be disableable/ignorable (after all, even if Ecobee goes out of business, the thermostat will still work)

      It could also backfire into a “I’m about to die, get a new one” turning into “buy a competitor’s device”

      1. The thermostat may work, but it’s not getting security updates (as you mentioned in your post). I’m assuming if the company is still in business they’ll have made new products by the end-of-life period that would be tempting upgrades. They could also offer to port settings/configurations/preferences over to the new device if you stay “on-brand”. For example, if I replace my 2017 Ecobee thermostat with a 2020 Ecobee thermostat, it’ll migrate over my temperature preferences and save me having to set up and train the new thermostat, vs. me having to train a new Nest thermostat from scratch.

        I’m focusing purely on security here, and not on general business practices, although Schneier is correct in pointing out how those 2 conflict (and why security loses). However, having a regular replacement culture for these devices might create the business incentive needed to have *some* security support (since it’s not a lifetime commitment at this point).

        1. Part also of why security loses is that it’s not thought about early / first.
          And the rational business decision, though not necessarily the best from the customer point of view, is to have the lowest cost widget to sell – even when corners are cut (like security).
