RE: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT) from David Rogers on 2014-10-22 (public-webappsec@w3.org from October 2014)

From: David Rogers <david.rogers@copperhorse.co.uk>
Date: Wed, 22 Oct 2014 10:30:34 +0100
To: <noloader@gmail.com>, "'Chris Palmer'" <palmer@google.com>
Cc: <public-webappsec@w3.org>
Message-ID: <001b01cfedda$d5043570$7f0ca050$@copperhorse.co.uk>

...ok. Back in the real world - what you really need is to be able to have a mechanism to reliably identify the device and therefore be able to take a decision on whether it is insecure for whatever reason. Abandonment is going to happen anyway (I've seen plenty of open source projects abandoned too!). If it is critically insecure there are effective mechanisms that have worked in the browser world (for example blocking IE6 on websites) to stop it accessing the internet and that change user behaviour in a good way.

We're working on a number of IoT projects at the moment. Secure enrolment / commissioning is difficult and I would be careful about assuming that the user can physically enrol each device manually. I don't think this is practical beyond the home context (which is just one IoT market) and it certainly doesn't scale. You also can't definitely say that the user owns or has access to the gateway. The key storage issue is definitely a difficult issue - the devices are mostly in physically accessible 'hostile' environments and as someone else has said, I don't think we're going to have secure storage or a TEE on the lowest common denominator devices.

In our projects in the mobile world, there are some solutions available that make things a bit easier, but they come at a price compared to the hub and spoke ISM or 802.15.4 -> router model devices.

Having some sort of suicide pill for a device is dangerous from a security perspective and isn't acceptable for purchasers.

Cheers,


David.
___________________________________________________________________
David Rogers
Director
Copper Horse
Web: http://www.copperhorse.co.uk 
Blog: http://blog.mobilephonesecurity.org
___________________________________________________________________



-----Original Message-----
From: Jeffrey Walton [mailto:noloader@gmail.com] 
Sent: 22 October 2014 02:07
To: Chris Palmer
Cc: public-webappsec@w3.org
Subject: Re: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

>>> if a device is only marketable if its price point is so low that it 
>>> cannot be secure, perhaps it should disable itself after some 
>>> reasonable life-time
>>>
>> -1
>>
>> Users will perceive it as planned obsolescence for business reasons, 
>> and I wouldn't be surprised if producers treated it like that, too.
>
> Otherwise it's planned unsafety.
>
> Perhaps vendors could open source their abandonware.

Dan geer posits the code should be seized and placed into open source.
>From http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor/:

Suppliers that refuse both field upgradability and open source access to their products should be said to be in a kind of default by abandonment.  Abandonment of anything else of value in our world has a regime wrapped around it that eventually allocates the abandoned car, house, bank account, or child to someone new.  All of the technical and procedural fixes to the monoculture problem need that kind of backstop, viz., if you abandon a code base in common use, it will be seized.  That requires a kind of escrow we’ve never had in software and digital gizmos, but if we are to recover from the fragility we are building into our “digital life,” it is time...

Received on Wednesday, 22 October 2014 09:30:59 UTC