[Cryptography] Fwd: OPENSSL FREAK
Kevin W. Wall
kevin.w.wall at gmail.com
Tue Apr 7 21:26:28 EDT 2015
On Mon, Apr 6, 2015 at 6:08 PM, Ray Dillinger <bear at sonic.net> wrote:
>
> Yes, the Internet of Things as it's being called is scary as hell
> because you know that software will not be updated in any organized
> way - especially when the company that sold the "thing" is out of
> business or loses a patent lawsuit or something. Or somebody
> who makes a business model of "give away the thing, charge for the
> updates" is going to have a bunch of customers are perfectly happy
> with the way their toaster or thermostat or doorbell or whatever
> works now and don't want to pay for a software update for it,
> or whatever.
>
> In the absence of timely, reliable upgrades, there really does
> need to be some kind of "kill switch" to shut down discovered
> vulnerable configuration options, or those "things" will become
> the gateway for crooks to get into the rest of the owner's
> network.
At a minimum, there better be a simple way for the OWNER to
MANUALLY completely disable the Internet connectivity of such
devices without disabling its primary functionality. For example,
if your new IoT refrigerator is pwn'd, as long as you can disconnect
all Internet access and it will still carry out it's primary refrigeration
duties, the device is still usable. Of course we all know that will
never be the case (at least without some laws dictating such or
resulting lawsuits finally making manufactures see the light).
If not, I'm certainly never buying any such IoT device, although I
imagine plenty others will. So the end result is that while you may
only function loss of functionality should you chose to enact
this "kill switch", in reality all those that do not exercise that
(probably because most don't even realize there is a problem) it's
going to result in much larger bot armies to mount DDoS attacks and
the like.
I for one are not hopeful. Even if the designers get all the crypto
right (which they won't), they will fail miserably with other common
attacks, so that rather than the Internet of Things, it's likely to
be the Internet of the Pwn'd.
Lastly, as Christian stated, engineering is about trade-offs. Unless we
can offer businesses some clear ROI, they are likely to never implement
any kill switch (or, at best, disable it by default) even if it is part
of some IETF RFC. Frankly, the only economic incentive that I can
think of is reducing potential liabilities. At first, I'm sure that
IoT manufactures
will try to enforce EULAs that allow them to waive liability for any
software glitches. That probably will inevitably change over time, but
I'm pretty sure things will get a lot worse before they get better.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
More information about the cryptography
mailing list