RE: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

See [DAVID]:

-----Original Message-----
From: Chris Palmer [mailto:palmer@google.com] 
Sent: 22 October 2014 19:02
To: David Rogers
Cc: noloader@gmail.com; public-webappsec@w3.org
Subject: Re: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

On Wed, Oct 22, 2014 at 2:30 AM, David Rogers <david.rogers@copperhorse.co.uk> wrote:

> ...ok. Back in the real world - what you really need is to be able to have a mechanism to reliably identify the device and therefore be able to take a decision on whether it is insecure for whatever reason. Abandonment is going to happen anyway (I've seen plenty of open source projects abandoned too!). If it is critically insecure there are effective mechanisms that have worked in the browser world (for example blocking IE6 on websites) to stop it accessing the internet and that change user behaviour in a good way.

Yeah, about IE 6 (and Windows XP < SP3)... those are great examples of things that should have gone away a long time ago, and support the argument in favor of device self-euthanasia. Precisely because we are saddled with them, we can't move forward: no SNI, no SHA-256 for certificate signatures... Not that it matters, since Microsoft has not been patching (or even able to patch) many, many vulnerabilities in a product that old. (Many patches make it into >= 7, or even >=8, only. And I don't blame MS one bit for that.)

Even just dropping all support for SSL v3 (now fully, entirely dead) and RC4 is not a decision that a sane person takes lightly. And those things are older than IE6!

> Having some sort of suicide pill for a device is dangerous from a security perspective and isn't acceptable for purchasers.

Enjoy your RC4 in 2025, then. :)

Look, we all agree that self-euthanasia (or, less drastically, self-capability-reduction) is not ideal. But the alternative is a commitment to fully support devices for 10+ years. I'd love it if everyone did that.

[DAVID] What I could possibly see is end-of-lifing done in a more organised way as we'll always have a legacy problem of some sort. The problem you are likely to also encounter is that some of these devices are going to be life-supporting or safety-impacting. Just switching them off is not going to be acceptable, but they need to be aged off gracefully. So a reliable, secure identity is critical. That means a) the user / owner / administrator knowing that there is a critical security issue or that it is insecure and b) being able to replace it in a reasonable timeframe. These are physical world issues that we have to deal with. We have to accept that there will always be equipment out there that doesn't get upgraded for 10 years because it is in a big chemical plant or on a farm. That is different from saying it is technically wrong or right, but then we come down to issues of liability and/or negligence. I think this is what could drive forward mandated, long-term update and support by manufacturers in the IoT space.

I know the software update discussion is ongoing in the mobile space by regulators because of some mobile manufacturers not upgrading Android on devices or leaving them without support after only a short period, so it will be good to see where that ultimately goes. As a backstop though, knowing what the actual profile of a device is through its identity would enable defensive measures to be deployed against the abuse of it (whether it be to prevent it accessing a network or other methods that would not be safety impacting). I guess an analogy would be that an app store knows all the devices a particular app is downloaded to, so can react when something goes really bad, which the consumer is bought into too. It dramatically reduces the exposure in a very short space of time.

Finally, I totally agree with you that I would like to see a much improved design / security mentality from IoT device manufacturers. As I understand it some white goods vendors are a bit scared about what to do, because they're hearing all this noise about cyber threats but still want to jump into this market, so giving them some meaningful solutions and pointers on where to go would be a good thing.

Received on Wednesday, 22 October 2014 20:15:36 UTC