Dan York: Security issues will not slow down deployment of IoT in the near future

Transcription

1 Dan York: Security issues will not slow down deployment of IoT in the near future Dan York, Senior Content Strategist at the Internet Society, Chairman of the global Voice Over IP Security Alliance (VOIPSA). Focuses on the Deploy360 Programme creating, curating and promoting online content that helps service providers, companies and individuals more quickly deploy Internet technologies such as IPv6 and DNSSEC The rapid development of the Internet of Things (IoT) changes the world and life style we are used to, blurring the boundaries between online and offline activities. New conveniences come in with new hard security-related questions affecting more and more internet-connected devices, and data they generate, and networks to transport that data, etc. In October 2015, the Internet Society (ISOC) released a report The Internet of Things (IoT): An Overview which covers some of the threats and challenges caused by the global development and deployment of IoT technologies. CyberPulse spoke to Dan York, Senior Content Strategist at ISOC, on the threats which IoT brings and the questions it raises with a society as a whole and a common user or a state, or a private company, or the technical community in particular. How does the topic of Internet of Things (IoT) fit into your expertise? I started with the Internet Society four years ago and my focus was on deployment of key technologies to make the internet more secure and accessible: DNSSEC, routing security protocols, IPv6 etc. So, my background is security and communicating about security. But I ve always been interested in IoT. With the growth of the internet- 1

2 connected things gadgets, smartphones, wearables like Apple Watch and more things getting online network security becomes a great concern. Overtime we slowly got better at securing our laptops, smartphones and other devices. But now we re getting our refrigerators, baby-monitors, and all sorts of things on the internet. Look at this explosion of devices! I have a 6-year-old daughter, and I remember, when we got a baby-monitor that was basically a radio-thing. Now they are internet-connected and IPenabled, because people want to be able to go to work and watch their baby. First of all, the device is connected to the internet. And it is sending you data, a video-stream, to a server to which you have access through your phone. That data has to go through a number of points. This raises the question of transport security: is the data encrypted between your home and the server, and from the server to your smartphone? Then there's also the question of the device security. Can the attacker go into you network, get into that device and use it to look inside your house? There was a report a little while ago about the refrigerators that were being used as botnets: an attacker figured out how get into a smart refrigerator s interface, install there some malware that could then be used as bot to do DDoS attacks. I think it was Vint Cerf who said It s my worst nightmare, that a thousand of refrigerators hack Bank of America Exactly. You know, one of the challenges is the upgrade issue. For instance, look at this recent hacking experiment with the Chrysler Jeep in the US, where a journalist arranged for his Jeep to be hacked. The Jeep had an entertainment system that was internetconnected. Speaking of the security concerns around the IoT, that entertainment system was not compartmentalized from the rest of the car. The attackers were able to come in there over the wireless network into the entertainment system, compromise that and take control over the car. One issue is that internet-connected car obviously didn t have the security control in place, meaning that the attacker could compromise the entertainment system, and that system was not air-gapped. Another issue is how you upgrade these devices. When Chrysler Jeep needs an upgrade, you either have to bring your car to a dealer to do it or to download software to your USB-stick to do it yourself. How many people would necessarily do it on their own? There are small things like the Nest thermostat or internet-connected light bulbs that people can turn on remotely. But how much attention will be paid to upgrading their security? On the opposite extreme, Tesla has just released an upgrade for cars to make them selfdriving. Last week, somebody I know posted on social network, that he was downloading this upgrade to his Tesla car. Then he went on a 150 minutes drive, and the whole time the car drove itself but for only two minutes when he had to take control at some difficult parts on the Florida highway. But otherwise, he told the car where to go, and it just drove upon GPS instructions. But the upgrade happened over Wi-Fi. In contrast with the Chrysler model, when you have to upgrade with USB, Tesla is even more connected to the Internet with even more security challenges. It all comes back to trust in so many ways. If we want to use such technology, it is possible only if we trust the internet to be secure. I m wary of the whole self-driving 2

3 car concept when thinking of all the ways the car could be attacked. But I also know the benefits. I was flying back to Connecticut one night and I was too tired to drive home. So, I had to stay at the hotel that was a1 hour 30 minutes drive from my house and get some sleep so that I could drive home. In a self-driving car world I could have just said hey, drive me home, and if I trusted it and today it would still need some human intervention - I would be home with my family sooner. Would you say that the security challenge can slow down the deployment of IoT globally? At the moment, I don t think the security issues will slow it down because people want programmed convenience. From the market perspective, the vendors are rushing right ahead to win the market share. I think, at some point, there will be large-scale security issues for security incidents, which will cause more reflections and call for governments to get involved around consumer liability issues. If the vendors don t pay much attention to the security issues now, other players might get involved, which then can cause market impacts. Different levels of regulation could end up creating cost that could stifle innovation. That is why we believe that vendors need to be thinking about the security issues right now. Besides, security is a business issue in itself. Right. If a company is not paying attention to security, you will end up at some point with security breaches that are going to impact the trust in your product, in your credibility. If you look at the recent DEFCON security conference in Las Vegas area, a lot of the demos this year were all about IoT. It s a gigantic playground for people who are security researchers whether they are white hat or black hat. They want to do that, because so many devices get onto the market unprotected. This year the Chrysler Jeep story was partially done for that kind of audience. But there was also a live hack of a sniper rifle where you could change its orientation a little bit. So, if you re thinking that you devices security will not be tested by other people, you re naïve, because it will be. Another security report came out regarding baby-monitors security challenges, which were then filed with the respective companies. This was an ethical security research, but there could be less ethical people doing such testing. Are security solutions mostly focused on consumer devices or there are already some applying to businesses, industrial objects, like critical infrastructure that side of Internet of Things? Yes, there are lot of different layers to IoT, each of which has its own challenges, its own audiences on the security side and on the privacy side as well. It is interesting to look at the architectural models of your devices at home, or business, or anywhere else, that are communicating to the central hub, which then communicates back to servers. There s a number of different architectures each of which has different security and privacy concerns. Basically, you can learn about the internal infrastructure of a company from these servers. There are some security choices that we have of how these things are deployed that we are not necessarily thinking through. But we just rush to 3

4 get those technology benefits but we also need to make sure we re securing them correctly and we create a proper layer of trust. Would it be correct to say that for the moment there are efforts to create the uniformity in terms of standardization or finding solutions that would serve not just the particular niche, but a cluster? I think, we re seeing a lot of closed proprietary systems being developed right now, what we would call walled gardens. Because it is easier for a vendor to decide where they want to go, and you end up with a collection of solutions. But that s what we are seeing right now various alliances and consortiums emerge representing different vendors and different things in their closed environments. The problem is that when somebody stands out with innovative work that is often proprietary, at some point they would say it s in our business interests and come up with a new standard which would present a problem in terms of compatibility. But I think we re at the stage where we need to see where the market goes as people rush products to market, and try to win that space. At some point, the companies or the consumers might push back against being tied to one vendor or one consortium because of localized standard uniformity. At the moment, different standards are being developed at different platforms and at various levels. Within the IETF for instance there s a number of groups that are working on the IoT-related standards related to network transport level. The radio-related standards are developed within the ITU. But how global can standardization and regulation go when apparently different countries will want to have their own national legislation and their own certification. Could we probably end up with regional clusters? Yes. I think that s certainly one of those fragmentation issues around the standards. It s a very big concern for us globally for the internet in general because we see a lot of pressure from different areas, regions, countries running to set their own control over internet-related standards in general. It s not as plain as in ICANN, for instance, where all revolves around DNS and is based on the open internet standards which are the IETF standards. When you re getting to IoT, you re dealing with embedded operating systems, you re dealing with radios, and IEEE gets involved in some of the different physical interfaces. And then you get IETF standards as the network player with IP and IPv6 issues etc. So, you have a number of different standards there, that make it tricky in the regulatory sense too. And from what you ve seen there hasn t been a meaningful effort to unite all that? No, there have been groups, which are liaisoning between different standards organisations around these different topics. I m not personally involved, I m writing myself a note, that would be an excellent theme for us to talk about. In terms of IPv6, how much its slow development could or is slowing down IoT development? This is indeed a challenge, which has the potential to slow it down. We ve run out of IPv4 blocks here in Europe, in North America and Asia-Pacific as well. It s the case of 4

5 the source of the river, which has dried out. Now we are just dealing with the capacity of the river as it slowly continues to drain. This is the thing that puzzles me sometimes, when I talk to some vendors: I ask on IPv6, they say, Ah, we don t want to think about it. I ask: Do you understand, you are trying to deploy billions of new devices, and you just don t have the address block ranges? The good news is that the smarter IoT vendors realize the importance of the issue. Let us shift to the other side of this security complex. When we talk about devices and privacy concerns, companies always say, OK, you go to that tab, you opt out you re out of the game. How meaningful is that? There are all sorts of privacy concerns around IoT just because of the increasing amount of communicated data. One of the specific privacy challenges related to IoT is that, if we use an app or something like that, we can see those Terms of service, we can agree to it. But you ve got a smart refrigerator or a light bulb. Where is the user interface to say you want to opt in or opt out? There isn t. So, you have actually no way for a model where you have Terms of Service that you agree to. It simply doesn t work in an environment where everything is network-embedded and you have no user interfaces to it. And I don t know if there is an easy answer to that yet. But it seems to be less and less realistic to be able to give up a service not just technically but because we all don t live in a vacuum, we live in a social system, we are integrated in certain relationships within the community. I see that as a situation where you basically can t opt out because you can t opt out from a certain environment you live in, unless you just going to live in a forest. Exactly. It comes back to the question on how much of our privacy are we willing to give up for convenience of the service. If I want to be able to reach my home or office remotely, control my electricity spending etc., I need to admit that these services are building their business models around monetizing the data that circulates between home or office, central hub and the device. Besides, the whole talk around Save Harbor agenda might add yet another layer to this debate, like data transfer. Do you have any idea where this is potentially going? Yes indeed! That decision by the European Court of Justice is an interesting one. Before I joined the Internet Society, I had worked for a cloud vendor. We had this exact issue the European customers wanted their applications data to reside on servers that are not in the US, where the Patriot Act was enacted. So, it creates a really interesting challenge because we talk a lot about permission-less innovations whereby you don t have to ask permission from anybody to start up your own service. Wherever this service is started, you can do that and be able to access of the entire internet to make your service available to everyone. Now, if your innovation means you re storing user data, will you have to ensure that your European customers data is on European servers, or Russian customers data is on Russian servers? And we are back to the fragmentation issue. 5

6 Russia has passed a law requiring Russians personal data storage on the territory of the Russian Federation, which came into effect on 1 September This is the question of how do you support innovation that is fueled with the growth of internet-based economy. It looks that I can t offer my services to you in Russia unless I somehow figure out how to deal with the personal data of the Russian users of my product which I wrote with my two friends in my bedroom because we have this amazing new idea which will be the next Facebook. Now to make it in Russia, I ve got to be able to locate the data on a Russian server. The IoT plays right into that. If I want to sell my smart light bulbs in Russia, all that data that I m collecting from the Russian light bulbs users has to somehow come back to a Russian data-center which I then somehow have to connect to my data-center that might be in Europe, or in North America, or wherever. It is a serious business issue. It was a pain for my former employer to have to go to set up a separate data center and put up appropriate airgaps between the code and everything else. To go and make sure that European data stay in European servers. That was extra expense, extra software development. At the moment, many companies disclose in their transparency reports the law enforcement requests for user data which they receive. If this trend continues, triggered much by Snowden s revelations, when everyone rushed to publish their reports or at least retain the trust which was there, how can this be meaningfully continued? I agree that is certainly a challenge. Say, law-enforcement holds an investigation and needs to know if you were home on a certain day. You say you were home, they might want to subpoena your refrigerator records which show how many times the door was opened on that particular night. And all of a sudden you say you were home having dinner and drinking beer, and your refrigerator says, the door was not opened at all the entire time and the lights sensor says the no lights were on in your house. Then maybe your alibi doesn t really stand up! On the other hand, how trusted are those records? How do we know they were not compromised by somebody else or changed? Did anybody get in there and adjusted data so you weren t home even if you actually were? These are those security concerns, which are part of the grand scheme of things, which we have to work at. How do we ensure that law-enforcement can get the appropriate access where appropriate will vary by culture? The European version of what is appropriate access for lawenforcement will be different from the US version, which will be different from the Russian version. Obviously, some countries have a long history of privacy concerns and questions, and certainly others that do not necessarily have the same expectations. It is that question of how do we ensure necessary security capacity and do it in a way that doesn t block all developmental and convenience opportunities. What s your view of the communications encryption debate? How would that work with the proliferation of IoT? The debate is still on the table whether this should be default end-to-end encryption of communication, and as you know some 6

7 governments argue that they need to get backdoor opportunities to carry our effective law enforcement, but the techies say either you have it all, or nothing: you can t have preferential backdoors. We as the Internet Society have come out very strongly on this issue it s one of the few, I guess, extremely strong positions we have taken in supporting the Internet Architecture Board s statement. Encryption should be the default norm for all communications protocols across the internet. And we ve come out with that primarily because of the large-scale state surveillance issue, saying that the communication that implies privacy especially needs to be encrypted. Certainly, there are those among us who feel it should be end-to-end, there are others who want to focus on the transport ensuring that the state actors can t necessarily get to it on the network. That goes back to the question how we balance it with the legitimate needs of law-enforcement to obtain the information appropriately. You know, if my child is in danger I would want the law-enforcement every possible means to go and find the person. That becomes again a societal balancing. From the encryption point of view, we think that products should use encrypted protocols. That should be a norm of how these devices are developed, and law-enforcement needs to review their methods. We ve gone too far in having the large levels of mass surveillance, we need to look at how we protect ourselves. It s not just in sense of individuals, but also corporations and states which go for each others data which they have always done but with different means. There are efforts now to work out norms of state behavior in cyberspace at different levels. We see the UN Group of Governmental Experts, OSCE, Shanghai Cooperation Organization, even Microsoft as a private sector actor are all trying to work out these principles. There is another challenge that we focus on what we call a model of collaborate security which is this idea that no government alone can solve these security issues. We need to work together in this space. A number of governments including Russia call for an international treaty to ensure global security, but can the governments alone enforce it? And by the time we arrive at a treaty, it will be already outdated by the scope of technological evolution. Too often we are legislating things which are no longer relevant. One of the issues we ve been working on with the routing vendors is a project called MANRS which is mutually assured norms for routing security. It s a nonbinding, voluntary agreement between the entities that say, We re going to practice good hygiene on our data. This is a collaborative model of responsible behaviour as we like to say. In general, I think that security alone and privacy issues can overwhelm one when start to look through different things here and there. But if you look at the consumer benefits, the business benefits, the economic benefits, you get a different picture. I was a sceptic when I considered self-driving cars but then another friend of mine said, You know, I can t drive at night very well my eyesight is not very good. I would love a selfdriving car, because I can go longer distances at night. And you start to think the IoT has this capacity to change people s lives in very positive ways. I think the question we have as a society is how we enable the appropriate level of trust in the IoT and Internet of Everything as well to give us those opportunities. 7