If your smart home gear hasn't updated recently, throw it in the trash
Paul Vixie on how to survive the impending IoT security nightmare
When was the last time your smart thermostat, lights, hub, camera, or power socket was updated? If it was a while ago, you may want to think about chucking it in the garbage.
That's according to DNS mage and security expert Paul Vixie, who has been using his status in the internet world to increasingly warn about the dangers posed by the internet of things.
In a recent keynote and an interview posted on the Internet Society's blog, Vixie the pragmatic engineer has started the push for actual solutions to months of "something must be done" hand-wringing by policy wonks.
The recent DDoS attacks using internet-connected cameras with terrible security to take down part of the DNS has only added pressure. So far, that pressure has been in the least useful direction: a multitude of different organizations, standards bodies and government agencies all pushing themselves as the solution without producing a useful product.
In the medium term, Vixie puts his weight behind the idea of recognized safety standard organization Underwriters Laboratories (UL). You can find UL markings on pretty much every electrical product in the United States – in the UK, the equivalent is the Kitemark – from electrical sockets to kettles.
Back in April, UL announced a new Cybersecurity Assurance Program (UL CAP) and Vixie is behind the idea. "It used to be that if you were going to buy a toaster for your kitchen, you would make sure it was on the UL list to make sure it wasn’t going to start a fire in your house," he notes. "So, we need to get there with Internet-enabled devices. I am glad UL is going to do that."
As many others have noted, the problem is not going to go away, because of the expanding market, the fact it is so easy to connect something to the internet, and the rewards that exist in getting to market fast (and conversely the risk in taking too long).
Some security experts, including Bruce Schneier, have been arguing for legislation to introduce minimum security standards before the problem gets out of control. Vixie appears to agree: "Regulation isn't always the right answer, but I think that in this case, the only way we're going to get wide-spread improvement of software quality is if being a little later to market or costing a little more doesn't make your product uncompetitive – because your competitors have to meet the same quality standards as you do."
Congress is less sure, seemingly arguing that any new rules risk damaging "innovation," even if the shortcuts involved in that innovation end up knocking countless websites and online services offline.
But while the rush to market and lack of any required security standards is what is causing the leap in IoT security issues, the underlying issue remains the DNS itself and the fact that the internet was not designed with security in mind.
Vixie has been pushing technical solutions to this problem for years, but is making little headway it seems. "Let's talk about my special pet peeve," he said. "The thing that makes DDoS possible is the lack of source address validation at the edge of the Internet. That means a computer can send my computer a request pretending to be your computer, and my computer will answer yours.
"The source never used to matter, because the Internet was born in an academic world where everybody knew and trusted everybody else. We took the same technology and gave it to 3 billion people, and they are not all trustworthy and sometimes they hate each other and they abuse this. And Internet service providers have no incentive to spend money to fix this."
ISPs still largely fail to introduce technical constraints on this, such as adding network ingress filtering, which would kill a significant number of spoofed data packets. Use of the BCP 38 standard is growing, but with nearly a fifth of ISPs failing to do so, the problem remains enormous.
Vixie has argued that a future solution would be to make network operators liable for any attack traffic that goes across their system, bringing the internet in line with other systems like money transfers. Unsurprisingly, ISPs are not excited about the idea.
But to the user: what practical steps can you take to help protect yourself and make the IoT ecosystem a little safer?
Vixie has some good suggestions:
- Encrypt: Even if the people you are sending information to do not encrypt, you are at least adding one more stronger link to the overall system.
- Archive: "I don't think we should have access to all of our old email on a daily basis," notes Vixie. Instead, archive old material and stick it behind some security so that one hack doesn't grant access to vast swathes of information.
- Update: All the time. Every time. Every piece of software has bugs and good companies patch them. If you don't add that patch fast, you are simply adding to the security risk.
- Buy cautiously: If consumer behavior can be adjusted a little – so they don't just buy the new exciting thing, but instead consider whether the company is in it for the long haul or goes to some effort to explain its security approach – then the problem can be limited and the market will factor in consumer demand for safety.
- Watch for updates: If your smart home technology isn't getting regular updates, chances are that the company is not actively maintaining its product, or may even have gone out of business.
- Think cautiously: Why does this thing want to connect to my network? Why does this need to be on? Vixie is one of the "sticker on your laptop camera" advocates.
In short, until this giant IoT security mess is sorted out, people will need to look out for themselves. And that means that if the tech you have is not doing the right things, you have to consider getting rid of it.
"Upgrade everything," Vixie notes in closing. "Throw it away if the company goes out of business." ®