Industry standardization: the answer for IoT security

It’s been a busy week for IoT and security. Between the DDoS on Krebs’ website and the subsequent release of the alleged source code, Yahoo’s unprecedented custom-built search tool giving the NSA full access, and the arrest of a purported “Second Snowden” (spoiler alert: not so much), there’s been plenty of news on the wire. But Bruce Schneier’s thoughts on IoT security may be the most impactful for IoT security policy in the near future.

For the uninitiated, Mr. Schneier is a world-renowned expert in computer security: he has authored numerous books on the subject and has designed several cryptographic algorithms. I was thrilled when he joined the board of directors at the EFF, I enjoy reading his blog, and I consider his most recent publication one of the most important books on digital privacy. That said, Mr. Schneier’s solution for IoT security could not be more incorrect. To the point:

     The IoT will remain insecure unless government steps in and fixes the problem.

This solution is not only the least desirable path, it could cripple innovation within the IoT industry. There is a lot wrong with this approach. Industry standardization, not government regulation, is the better solution:

  • First, government actors are subject matter experts in neither IoT nor security, and they will never be held accountable for the failures of government regulation. When the market fails, the industry is directly incentivized to repair the damage; otherwise, it loses our business.
  • Government and the market operate under different sets of incentives and measure success differently. We should expect the market to initiate some form of industry standardization; similar standardization produced the USB and Wi-Fi protocols. Further, the benefits of that standardization accrue to both market and consumer; the same is not true of government regulation.
  • While the attack on Krebs was described as “simple and amateurish” (rightly so), there’s a reason an attack like this succeeds so well at this point in time: IoT is in the middle of a maturity curve! No one expected gigabit throughput from a dial-up modem.
  • Most important, this is not a market failure; it is a demonstrated need for stronger security, revealed by the test bed that is the current state of IoT. Attacks like this are exactly what the field needs to harden IoT systems.

I’ve written before on the dynamics of IoT security: it is more complex than for other products, specifically because bad security doesn’t immediately affect the end user. The owner of a compromised device pays nothing when it joins a DDoS like the one against Krebs; the cost lands on the target. It is similar to carbon emissions from cars, where legislation hasn’t filled the roadways with a fleet of Priuses and bikes.

I will grant that at the moment the typical IoT customer probably doesn’t care about the security of their system. But consider two different scenarios:

  1. An IoT attack targets a popular site. The average person’s reaction would be a lot different if Netflix were targeted instead of Krebs.
  2. Security is a two-way street. If IoT devices are marketed as more secure (and are indeed more secure), it’s possible the average consumer would be willing to pay for that perceived utility.

The economics of IoT don’t necessarily mean that exploitable devices will persist because no one cares. IoT companies are certainly paying attention to this event; hopefully it will precipitate industry standardization of IoT security. I have said before that standardization would be necessary for IoT security but that the time wasn’t right. Now is the time to reconsider that.

True neutral?

In news that will sound familiar to those of us on this side of the pond, the BBC brings an update on the Swiss referendum that challenged an expansion of surveillance powers passed by the Swiss parliament in 2015; the expansion won the approval of roughly 65% of voters. This should raise a few eyebrows, considering Switzerland’s reputation for neutrality and its stance on privacy. Given the attacks on its neighbors in France and Belgium in the past year, the bill is an understandable reaction, until you realize it was initially proposed in June of last year, prior to those attacks. Those attacks may, however, explain the outcome of the recent vote.

Parallels can certainly be drawn between the recent vote in Switzerland and what has happened in the US over the past two or so decades. Currently, the Swiss intelligence community may rely only on publicly available data. From the above-linked Swissinfo article:

The new legislation being proposed would allow the FIS [Federal Intelligence Service] to carry out investigations in public and private spheres without the authorisation of a judge.

The BBC further details:

It will allow the Federal Intelligence Service and other agencies to put suspects under electronic surveillance if authorised by a court, the defence ministry and the cabinet.

This sounds similar to the US FISA court, which is more or less a rubber stamp for the NSA: according to EPIC, only 12 of more than 38,000 warrant requests were rejected from 1979 to 2015.

Supporters of the expansion claim it will help Switzerland “catch up with other countries.” This seems like vague language, but consider that Switzerland is a member of the 41 Eyes. Further consider that its neighbors and near neighbors sit closer to the original members of the 5 Eyes (France and the Netherlands are both 9 Eyes members; Belgium is in the 14 Eyes), and the sentiment becomes clearer: supporters don't want to be left out of signals intelligence sharing. If history is an indicator, the supporters of this expansion will not be satisfied with anything short of generalized surveillance.

I am not Swiss, but I hope Switzerland and others can learn from other countries’ past mistakes. The law is due to take effect on 1 Sept 2017.

My open letter to reps regarding Rule 41

Today, the EFF spearheaded a great campaign to protest the recent changes to Rule 41, which I've covered previously. Below is my open letter to my representatives on why they should reject the changes. It's important to support the advocacy groups that work to protect everyone's digital rights and civil liberties.

Hello,

I am writing to show my support of the Stopping Mass Hacking Act in order to reject recent changes to Rule 41 of the Federal Rules of Criminal Procedure.

My support of rejecting the changes to Rule 41 is two-fold:

1) Concerning the language that allows a warrant to be issued against those using privacy tools, such as a VPN: this language assumes any user of privacy tools is automatically guilty of some future crime and effectively removes the burden of proof from law enforcement and intelligence agencies. Burden of proof is a foundation of a justice system that prevents conviction and sentencing of those innocent of a crime.

We have existing policies in place that allow for due process in issuing warrants and gathering evidence within a judge's jurisdiction. I agree that policy must change with technology in order to be relevant -- hopefully to secure civil liberties -- but this is a clear case of overreach.

2) Concerning the language of the changes to Rule 41 that allows for unwarranted searches of systems that have been infected by a botnet: a person without a search warrant against them has a reasonable expectation of privacy for their computer/device and its contents. Certainly the language in discussions of the Fourth Amendment concerns personal effects such as opaque containers. Many people use opaque containers as some guarantee of privacy; similarly, most people apply these same privacy principles to their electronic property by utilizing passwords and storing their devices in secure places.

Allowing an unwarranted search of an innocent person's computer system that has been infected by a botnet is illegal and no different from seizing and searching that person's property simply because a criminal lives near them.

Based on these facts, I urge you to reject the changes to Rule 41 and pass the Stopping Mass Hacking Act.

IoT lessons from mobile: digital property

This has been a tough week for privacy advocates. On Monday, the Intercept brought news that the 4th Circuit Court of Appeals ruled that obtaining location data from a cell phone company doesn't require a warrant; today, the Verge reports that agencies are filing warrant applications seeking phone location data so precise it can track you down to a specific building. Some agencies even have a manual to assist with their filing practices.

Since this isn't a mobile technology blog or a law blog, you might ask why I would bother covering that news. With an emerging field like IoT, it's critical to understand the domain from both a technical and a legal standpoint. Mobile is a connected technology just like IoT, so there are lessons to be learned, whether from the similar technology or from the legal precedents it has set.

The 4th Circuit case is an example of the third-party doctrine at work: records you hand to a third party, such as the cell-site location history your carrier keeps in order to route your calls, carry no reasonable expectation of privacy, so the government can obtain them without a warrant. I've warned previously about being judicious concerning your data and who can access it. Maintaining the presumption of innocence, most people caught in a dragnet like that would probably want evidence in the form of location data supporting their innocence; as an aside, this is why dash cams are popular in some countries.

But the point is not how this data may benefit you; the point is whether access to it should be granted without your consent. We have protections in place for other instances of your property, like needing a warrant to enter your home or open a locked car trunk. So why is it different for your data held by a phone company? Nicholas Weaver sums it up: it all depends on the company's willingness to fight subpoenas; there are no legal protections for your digital property.

IoT to overtake mobile

When talking about IoT, people refer to the billions of devices projected to be connected within the next decade. That can be hard to wrap your head around, so keep two things in mind: your current data plan, and the ubiquity of cell phones in terms of sheer numbers (Wikipedia puts the count at around seven billion in 2014).

Today, Mashable is reporting that in five years the average mobile user in the US is estimated to use 22GB of data per month; better lock in that data plan now! Assuming IoT services scale similarly, it's interesting to anticipate how that would affect bandwidth for connected devices. As the mobile infrastructure scales, I would assume IoT will scale as well, especially if it is built on top of cellular technology.

And while IoT is a growing market projected to add several billion more devices in the coming years, that's nothing new. But the linked Ericsson report not only agrees with those projections (anywhere from 16 to 28 billion devices by the early 2020s) but also forecasts that by 2018 IoT devices may overtake mobile devices as the largest category of connected things.

While IoT traffic probably won't overtake mobile traffic for a while (the majority of mobile traffic is video), with the projected increase in both the number of devices and the bandwidth per device, it will be interesting to see what sort of services become available and how current services scale.