At least, right now it is. Trey Herr, Nathaniel Kim, and Bruce Schneier are concerned about the lack of security standards when it comes to routers and the Internet of Things (IoT), the idea that damn well everything really ought to be on the Internet because, well, just because.
The “internet of things” (IoT) has been insecure since the first connected refrigerator woke up and asked for more milk. But while having your fridge hacked seems at best amusing and at worst inconvenient, the nightmare scenario is a matter of national security. Imagine hundreds of thousands of smart refrigerators, all with the same default password, hacked to direct a flood of web traffic against key internet servers, paralyzing them. Swap smart fridges for security cameras and DVD players, and you have the Dyn cyberattack of 2016. [Lawfare]
I personally prefer the story of the data breach at a Las Vegas hotel where the hackers used an insecure thermostat to get at the data. But to each their own.
At the heart of most home networks, and many industrial ones, is the humble wireless router. The security of these popular hubs is a prominent concern because they form the core of IoT networks. Against the steady drumbeat of major security flaws disclosed in the code running these devices—including several in just the past month—researchers have seen little progress in router security over the past 15 years. Serious vulnerabilities in home Wi-Fi routers can open the door for attackers to gain access to local networks and other connected systems. As the U.S. faces a surge of attacks exploiting the widespread uncertainty and confusion wrought by the coronavirus pandemic, these concerns have become all the more urgent.
In fact, the problem is so bad that I would give serious consideration to somehow not permitting insecure routers to connect to the Internet, although I’m at a loss as to how to accomplish that. In a sense, we need a complete reset or replacement of all the hardware that is typically vulnerable at the network level.
But Herr, et al, are thinking institutionally:
In a new paper, we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.
I’ll decline to criticize their proposal, although it sounds likely to succeed.
But what piques me is that we have to worry about these things at all. A generation ago these were not the concerns of your average citizen; hell, I’m old enough to remember when computer viruses were the new, theoretical thing on the horizon – and the shock of the night, sitting in a Perkin’s, and hearing a family two tables over discussing the potential problems of a virus impacting their little IBM PC.
For today, one of the things we do when evaluating a potential new purchase is to ask whether there are potential security holes in the product, and whether or not that risk is justified by the positives the product brings to our house. For example, we’ve given thought to replacing our TV with an LG OLED TV, but because it appears to only come with one of the commercial digital assistants built in, which means a microphone that is not under our physical control, we’ve delayed that purchase.
Or, for a hypothetical, why the hell does your refrigerator need to be on the Internet, folks?