Posts by dnlongen

3 posts • joined 24 Feb 2016

No wonder we're being hit by Internet of Things botnets. Ever tried patching a Thing?


Re: Make secure the default state

That is a key issue. Automated updates require a degree of trust ... a degree of trust that is not always (perhaps even not often) justified. I've done a few bug disclosures specifically for abusable autoupdate routines :-/

Still, I don't see that consumer IoT devices can be secured at all without building that trustworthy model, and then automating things.


Make secure the default state

IoT security has been a bit of an inside joke for years, but up to now the joke has for the most part been on the owner or user of a device. My pacemaker could be hacked - but hey, it's my pacemaker and my heart, right? That changes when webcams and fridges are conscripted into a giant DDoS weapon.

In the US, Peiter Zatko (better known as "Mudge") is building a "CyberUL" that could define standards for reasonably securable things. At the risk of appearing to pimp my blog, I suggested some basic standards a year ago (https://www.securityforrealpeople.com/2015/09/what-if-connected-devices-were-secure.html) that are every bit as appropriate today. As c1ue suggested, patching is only one part of the puzzle:

1. Installation processes should establish a non-default password unique to the owner. Default passwords are an extremely common way of breaking into connected devices; if turning a product on for the first time involves choosing a password - even a weak password - that eliminates this gaping back door.

2. Products should have automated software and firmware updates available, enabled by default, and *guaranteed for the reasonable lifetime of the product.* How often do home users update their wireless routers, or Internet-connected washing machines? How many smartphones languish with known vulnerabilities simply because the manufacturer chooses not to push updates after a year (or at all)?

3. Features that impact privacy should be clearly presented so the owner can make an informed decision whether to use the feature. Trading personal information for a service (or a mobile game) is not inherently a bad idea - but it should be a conscious decision.

4. Features that involve significant safety or privacy risk should be properly isolated from Internet access. Chris Roberts' "flying sideways," and Charlie Miller and Chris Valasek's research into cellular access to vehicle controls, brilliantly demonstrate the danger when this is overlooked.

5. Documents and content originating from outside the system or device should be automatically untrusted. For example, Windows tags files downloaded from the Internet with a "zone" marking; Microsoft Office products treat these documents as untrusted and disable macros and interactive content by default.

In each of these cases, an informed consumer may have the choice to override the defaults. I can choose to execute a macro in an Internet document, or to connect my home security system controls to the Internet, but it requires intentional choice, rather than default behavior.

Feds spank Asus with 20-year audit probe for router security blunder


Re: Catch 22

Actually, no - the firmware update issue is on their end. The router downloads a file from ASUS servers that specifies the latest available version for every supported router model; ASUS has not done well at keeping this list up to date.

I documented the firmware upgrade process and the source of the flaw in great detail about 2 years ago, at http://www.securityforrealpeople.com/2014/02/breaking-down-asus-router-bug.html (this is the report mentioned in paragraph 28 of the FTC complaint).
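As an added example (not code from ASUS, from the FTC complaint, or from dnlongen's write-ups), here is the check a device could run against a vendor-published version list so that the two failure modes raised in these posts, an update channel the device has to trust blindly and a version list nobody keeps current, surface as errors rather than as "up to date". It is written in Go; the manifest layout, the field names, the model name RT-EXAMPLE, the version strings and the 30-day freshness window are all assumptions, and the signing key is generated in-process purely for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Manifest is a hypothetical per-model version list like the one a router fetches from its vendor (field names assumed).
type Manifest struct {
	Model    string `json:"model"`
	Latest   string `json:"latest"`
	IssuedAt int64  `json:"issued_at"` // Unix seconds when the vendor generated the list
}

// SignedManifest is the JSON payload plus an Ed25519 signature over it.
type SignedManifest struct{ Payload, Signature []byte }

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different model")
	ErrStale        = errors.New("manifest too old (or from the future) to trust as current")
	ErrInconsistent = errors.New("installed firmware is newer than the vendor's 'latest'")
)

// SignManifest is the vendor side: serialize the list and sign it with the release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	payload, _ := json.Marshal(m) // cannot fail for a struct of plain strings and ints
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// compareVersions orders dotted numeric versions such as "3.0.0.376" (-1, 0 or 1);
// a missing trailing component counts as 0.
func compareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for len(pa) < len(pb) {
		pa = append(pa, "0")
	}
	for len(pb) < len(pa) {
		pb = append(pb, "0")
	}
	for i := range pa {
		x, errA := strconv.Atoi(pa[i])
		y, errB := strconv.Atoi(pb[i])
		if errA != nil || errB != nil {
			return 0, fmt.Errorf("bad version string in %q / %q", a, b)
		}
		if x < y {
			return -1, nil
		} else if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// CheckForUpdate is the device side. It fails closed: an unsigned, mis-addressed,
// stale or self-contradictory list is reported as an error, never as "up to date".
func CheckForUpdate(pub ed25519.PublicKey, sm SignedManifest, model, installed string,
	now time.Time, maxAge time.Duration) (bool, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return false, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return false, err
	}
	if m.Model != model {
		return false, ErrWrongModel
	}
	// A list nobody has regenerated is not evidence that the device is current.
	age := now.Sub(time.Unix(m.IssuedAt, 0))
	if age > maxAge || age < -5*time.Minute { // small allowance for clock skew
		return false, ErrStale
	}
	cmp, err := compareVersions(installed, m.Latest)
	if err != nil {
		return false, err
	}
	if cmp > 0 {
		return false, ErrInconsistent
	}
	return cmp < 0, nil // true means an update is available
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed inputs: a fresh list, and one nobody has regenerated for a year.
	fresh := SignManifest(priv, Manifest{Model: "RT-EXAMPLE", Latest: "3.0.0.400", IssuedAt: now.Unix()})
	stale := SignManifest(priv, Manifest{Model: "RT-EXAMPLE", Latest: "3.0.0.376", IssuedAt: now.AddDate(-1, 0, 0).Unix()})
	fmt.Println(CheckForUpdate(pub, fresh, "RT-EXAMPLE", "3.0.0.376", now, 30*24*time.Hour))
	fmt.Println(CheckForUpdate(pub, stale, "RT-EXAMPLE", "3.0.0.376", now, 30*24*time.Hour))
}
```

The vendor's public key has to be pinned in the firmware at build time; a device that accepts whatever key arrives alongside the manifest has only moved the trust problem, which is the point of the first reply above. The freshness window is what turns a forgotten version list from a silent "you are current" into a visible failure that the owner, or fleet monitoring, can act on.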


Biting the hand that feeds IT © 1998–2021