Australia's IoT security rating might work, if done right
Cyber kangaroo isn't loose in minister Teehan's top paddock
INTERVIEW As Vulture South reported Monday, Australia's government hopes to have consumer Internet of Things products given security “star ratings” of some kind, so consumers know what they're buying.
The notion seems problematic: for example, what does a five-star security rating on a security camera mean, if it's attached to a router with admin:password as its login credentials?
So we took our concerns to two experts: Matt Tett, boss of Enex Test Labs and chair of the Internet of Things Alliance Australia's (IoTAA's) Cybersecurity and Network Resilience working group; and Justin Clacherty, managing director of hardware and software designer Redfish Group.
False sense of security
Clacherty's most serious concern is simple: there's nothing so dangerous as the false sense of security a rating system might give consumers.
“The worst place to be is to think you're safe,” he said, because “you'll do even stupider things on the Internet. If someone buys 'certified' products, will that give them a false sense of security?”
He's also concerned at how a product might achieve a two-star or three-star rating, when “nobody gets any stars today, in my opinion”.
Tett isn't so pessimistic, instead hoping that the IoTAA's work can help provide the government the model for its strategy.
“There is an opportunity for security to take a front foot, and try to be more proactive not just in terms of raising the consumer/demand side, but to raise the awareness that security's important from the beginning.”
IoTAA, he said, “wants to put manufacturers on notice” that they need security in their products.
Tett and Clacherty agree that any certification has to be independent of the manufacturer – as Tett said, the kind of self-certification that's used in product energy ratings won't do for IoT security.
The Achilles' heel of updates
This week's double-whammy of security issues – the WPA2 “Krack attack”, and Infineon's RSA woes – sent vendors and sysadmins into a flurry of patching, but what do you do with a vulnerable refrigerator?
“You need updates continuously,” Clacherty said, “and you need systems capable of doing that, and you need to be able to test that they're doing it.”
The tech industry, Tett said, hasn't quite caught up with the different product life-cycles they're working with – which is why, for example, US lawmakers are wondering whether they have to write it into legislation that all devices should be patchable.
Refrigerators or washing machines that could cost thousands of dollars might have an eight to 12 year life cycle, he added. Vendors cannot therefore assume that product replacement cycles will take care of insecurity.
In markets as diverse as security camera and industrial automation (where, Tett notes, there's an incentive for vendors to sell maintenance plans), devices need automatic patching schemes handled by vendors.
It's not only about the owner's interests, he noted. From a security perspective, “the devices we're connecting aren't so different, but more and more things are connected into that ecosystem.”
If they can't be controlled, he said, the least we can expect is devices being recruited into botnets.
Tett added that connected thing-makers also need to design products that fail safely: if the IoT controller on an oven fails, it should shut the oven down; a homeowner needs to both access and secure their home even if the controller loses Internet access; and so on.
Whether it's stars or a “cyber-kangaroo”, the non-technical challenge is getting people to care about the product labelling more than they care about grabbing the cool product.
“People shrug their shoulders, they don't care,” Clacherty said.
Sorry tech libertarians: public indifference will put an onus on regulatory action, such as the Australian Competition and Consumer Commission (ACCC) getting more active about applying product safety laws to IoT gadgets.
Both Clacherty and Tett agreed that regulators need teeth in this space.
“Giving the ACCC some teeth, and the ability to stop things from being sold would be useful,” Clacherty said.
Tett said a certification regime that tested product security against what manufacturers claim for it would play into that discussion.
An organisation like IoTAA is evaluating products against vendors' claims, he said, would play into a regulator's need for evidence. ®