Unfortunately, forced firmware updating is an area our governments should not be mandating. That puts unnecessary strain on small companies and creates a larger gap that companies must cross to become commercially viable.
> Unfortunately, forced firmware updating is an area our governments should not be mandating.
It absolutely is an area that governments should be mandating, because the problem is an externality. These attacks are a cost imposed on neither the producer nor the consumer of the device itself, and (apart from some highly speculative libertarian conjectures) the only things that can fix externalities are taxes, regulations, and lawsuits.
Lawsuits are infeasible in this case since we probably can't prove whose devices were involved in any given attack, so that leaves taxes and regulations - and the latter would be better so we don't have to go through the business of collecting taxes from manufacturers and then distributing them to the victims of attacks.
> That puts unnecessary strain on small companies
Clearly it isn't unnecessary, because I can't get to any friggin websites today. If small companies don't have the resources to update the devices, they shouldn't be building them in the first place.
Yeah, this seems, to me, the most apt existing analog. We have regulation for environmental pollution, this would be digital pollution (of a sort). Insecure devices create a harm to the digital environment.
But this is incredibly hard, due to ease of manufacture and distribution, to regulate in the case of IoT devices and software.
- planned obsolescence cranked to 11, you must replace everything in your house every month
- monthly subscription fees for each lightbulb, refrigerator, and everything else
- all products must refuse to operate unless they can connect to a central update server (which is being DDOSed by competing products made in a country without that government mandate, that are still working, while no products made in your country work)
- company shuts down, goes out of business, and a new company with a different name (but all the same employees and products except for the logo) opens every month
- all software created must be maintained indefinitely into the infinite future for free by...magic elves?
This one: Companies offer products that meet a consumer need without creating an effective, easily accessed platform for criminal third parties to tax the rest of us. If they can't do that, then they don't fucking offer the product. "The only way we can sell this is to enable DDOSes by Russian hackers!" is a reason to say "then don't offer the product!"
Fun fact, we have working systems for peer-to-peer publish/subscribe systems that only need a known peer to bootstrap off of, and then are reasonably resilient to nodes disappearing etc. No need to have central update servers - just push a signed message into some random selection of machines and go!
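The point above is that with signed updates the delivery channel need not be trusted, so a central update server is not required: a device accepts an update only if the vendor's pinned key signed it, whichever peer handed it over. The following Go program is an added illustration, not code from the commenter or from any real update framework; the message format, the `Device` and `Update` types, the `Demo` function and the firmware payloads are all constructed for the example. It also shows the anti-rollback check a practitioner would want alongside the signature check, since a validly signed but old firmware is otherwise a way to reintroduce a patched vulnerability.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the hypothetical gossip message: the vendor signs
// (version || payload) so that neither field can be altered in transit.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

// Device models an IoT node with a pinned vendor public key (burned in at
// manufacture in a real device) and the version it currently runs.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint64
	Firmware  []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against pinned vendor key")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// signedBytes is the exact byte string the vendor signs and the device verifies.
func signedBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, payload...)
}

// Sign builds the message the vendor would push into the peer-to-peer network.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// Apply installs an update only if (1) the pinned key signed it and
// (2) it is strictly newer than what is installed. The delivering peer is
// never consulted or trusted; only the signature carries authority.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorKey, signedBytes(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Version {
		return ErrRollback
	}
	d.Version = u.Version
	d.Firmware = append([]byte(nil), u.Payload...)
	return nil
}

// Gossip hands the update to every peer; each one decides for itself.
func Gossip(peers []*Device, u Update) (applied int) {
	for _, p := range peers {
		if p.Apply(u) == nil {
			applied++
		}
	}
	return applied
}

// Demo generates a vendor key, creates three devices at version 1, and pushes
// a good update, a tampered copy, and a rollback. Results are returned so they
// can be checked rather than only printed.
func Demo() (goodApplied int, tamperedErr error, rollbackErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	peers := []*Device{
		{VendorKey: pub, Version: 1},
		{VendorKey: pub, Version: 1},
		{VendorKey: pub, Version: 1},
	}

	// Constructed payloads standing in for firmware images.
	v2 := Sign(priv, 2, []byte("firmware v2 (constructed)"))
	goodApplied = Gossip(peers, v2)

	// A relaying peer alters the payload but cannot re-sign it.
	tampered := v2
	tampered.Payload = append([]byte("altered "), v2.Payload...)
	tamperedErr = peers[0].Apply(tampered)

	// A genuinely signed but older image must not replace the newer one.
	v1 := Sign(priv, 1, []byte("firmware v1 (constructed)"))
	rollbackErr = peers[0].Apply(v1)
	return goodApplied, tamperedErr, rollbackErr
}

func main() {
	good, tamperedErr, rollbackErr := Demo()
	fmt.Printf("peers that applied v2: %d\n", good)
	fmt.Printf("tampered update: %v\n", tamperedErr)
	fmt.Printf("rollback to v1: %v\n", rollbackErr)
}
```

The design choice worth noting is that the version is inside the signed bytes, not alongside them: if it were unsigned, a relaying peer could attach a high version number to an old image and defeat the rollback check.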
The consumer takes on some of the cost. But the only reason you are so for this legislation is because you don't understand the full-scale logistics involved in mandating such a feat as well as implementing them as a tech company. If you want to mandate security to include well-established, cost-appropriate solutions, that's cool, but requiring future updates to these IoT devices is not the correct solution. It brings into question free speech issues for one, requiring companies to support the life of products they no longer wish to support. And the only companies who will not feel the full brunt of this would be the elite.
I don't think that's necessarily a bad thing. If a company doesn't have the resources to create secure products, then maybe it shouldn't be in that business in the first place.
The problem is not whether they can create a secure product, but whether they can afford to certify their products as secure.
From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it. This forces a huge amount of overhead on our projects. This isn't a bad thing, mind you, but it is a thing to consider.
It is hard for a couple engineers to start a new company making these sorts of systems. The only practical way is to have a truly good and demonstrably better solution, or be inside a large corporation with already deep pockets.
> From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it.
The same is true in organic produce. I hear of a lot of farms that follow all the rules to raise organic goods but can't label them "certified USDA organic" because the certification process is too expensive.
This is what I was responding to in the original comment:
> forced firmware updating is an area our governments should not be mandating
I think that if a company can't maintain a team to deliver regular security updates to their internet-connected products, then they shouldn't be producing internet-connected products in the first place.
I agree with you that government-mandated aviation-software levels of product certification would be destructive overkill.
Firmware updating isn't exactly a "hard tech" problem, even if it is hard to do right. I suspect we'll see some generic firmware update frameworks/solutions emerge in the coming decade, and at that point adoption will pick up rapidly because being able to push updates is good for business.
In an age where security vulnerabilities can cause your thermostat to overheat your house and your smart lock to lock you out, maybe it'll be a good thing that companies that don't have good security practices and update mechanisms will be locked out of the IoT market.
Yea, it's a hard problem. While there's clearly a lot of vulnerabilities out there that emerge because it's cheaper to ignore security until you're large enough for a breach to be a big issue, forcing mandatory updates is a great way to discourage anyone from attempting to try something new. There might be a tipping point at which the costs of a breach outweigh the benefit, and maybe we've hit it already, but government mandates should be something we discuss cautiously and should prefer to avoid.
I think that the negative externalities of poorly secured IoT devices scale linearly with the number attached to the internet whereas the cost of writing more secure software and keeping it updated scales much much more slowly with the number of installs. I think this means that the best solution is to have tiered levels of certification and regulatory burden based on the number of times a piece of software is installed. Ideally tiering would be done on the total bandwidth of all devices with a piece of software installed but this would be much more difficult to measure and enforce than counting installs.
If no product with less than X thousand installs has to deal with the regulatory overhead of certification then experiments and early stage companies are less likely to be squashed. I would also exempt open source software from having forced audits or minimum standards for security. This would have the side effect of encouraging more companies to publish their firmware open source which would also not be a bad outcome.
To prevent companies manufacturing lots of almost identical product lines each individually under the limit for audits I think it would also be necessary to count all products that share more than half their code as one product.
Liability should be on the people who connect these things to the public internet. The owners of the devices. Like with cars, you have certain responsibilities and liabilities when you operate a potential dangerous machine on the public roads.
In the case of ISPs providing cable modems and routers and DVRs and other boxes to their customers, they should be responsible for keeping those secure.
If people start getting fines or sued over what their internet-connected devices are doing, they might stop connecting them to the internet, or shop more carefully for devices or providers that are secure.
So grandpa goes to Home Depot, buys a fancy new thermostat and installs it at his home, the device gets hijacked by the archetypal 400 lb hacker, and is used to take down a major commercial site, and then grandpa is liable for the whole thing?
I don't think so.
You make a little gizmo with shitty security, you are liable. Full stop.
So grandpa doesn't take care of his car, the brakes fail and he kills a family with four kids. Is he liable? Yes. He may not know the first thing about brakes or car repair but owns the car, and he took it out on the road without being sure it was in safe operating condition.
But to steal an idea from another comment, make the ISPs liable also for routing the malicious traffic onto the internet. They will then have incentive to monitor their networks and they can take homes offline until their customers fix or disconnect their hacked devices.
I'm the "head fred" networking/infrastructure guy at an ISP. I want to avoid, as much as possible, peeking at my customer's traffic.
In my personal opinion, an ISP should be a dumb pipe. I'm providing you with the ability to send/receive "n" bits per second; I don't care whether you use it to participate in e-mail discussions with your church group or stream pornography and play online poker.
Are you certain you want ISPs to be responsible for monitoring all of your traffic and what you're doing online? Do you really want somebody else deciding -- at their own discretion -- what is "acceptable" for you to do online?
I'm very pro-privacy, pro-encryption, "pro-Internet freedom", etc., but the next guy may not be.
And so grandpa needs to become a network security expert to avoid getting sued. Right, "makes sense". ;)
This is not like not doing maintenance on your car. This is like buying a car with faulty airbags. The manufacturer needs to issue a recall and fix the darn thing - or else face legal action.
That's not the same thing at all. For a car to hurt somebody, the owner has to be actively using it, and doing so in a reckless or negligent manner; and furthermore, note that reckless operation of a car can hurt somebody even if the manufacturer built it perfectly. (if your car somehow did hurt somebody when nobody was using it, then the liability probably would belong to the manufacturer).
IoT devices are the exact opposite: they can cause harm when the owner has done nothing wrong, and they can only cause harm if the manufacturer screwed up and did not secure it properly.
This makes a case for data caps or charging internet by usage which frankly nobody really likes. Maybe outbound caps for home users (if that's where a lot of the DDOS are coming from).
The risk of getting shut off or a higher bill if you're transmitting too much data might make people start noticing and securing their devices.
Ok, then they should be liable for any damage their lack of maintenance causes. The cost of properly maintaining your product is nothing compared to the lost business and repair costs caused by these DDOS attacks.
Being a small company doesn't mean you should be able to ship a defective product that is guaranteed to eventually become part of a botnet.