[Cryptography] Internet of things - can we secure it by going simple?

Ray Dillinger bear at sonic.net
Thu Jan 5 21:21:12 EST 2017


If we put no more software and complexity in these devices than they
actually need, don't we suppose that they could be made secure?

Web interfaces on these devices only need to be able to understand eight
or so different HTML tags.  Skip implementing the rest.  A device that
never executes anything downloaded, ever, can't easily be recruited into
a botnet. Command lines on these devices (if they expose command lines
at all) should only understand three or four different commands.  They
should not even have access to utilities like "ls" and "cat" and "mv"
and "copy", let alone interpret pipes and things.  I mean, is there an
explicit reason, for each and every one of those tools, why it's needed
for device configuration?  Because device configuration is the only
thing these command lines exist for.

If someone breaks into a thermostat and can install shell scripts on it
- what the hell was a thermostat doing with a command shell capable of
running scripts?  If someone can use it for a reflector to poke around
your network - what the hell did a thermostat need with a repertoire of
utilities like 'mount' and 'rlogin' and whatever else would get used to
do that?

The complexities of protocol conformance are sometimes beyond the
capabilities of simple IoT devices, and secure implementations for them
are, well, no better than secure implementations for other platforms -
you're still hosed if you haven't got monthly updates.

But the manufacturers of these devices don't DO monthly updates. They
want to forget about a device as soon as it's sold.  It's not a contract
or a subscription, it's just inventory.  Their go-to model for service or
updates is "get a new one," whether that's by another sale or a product
recall or a guarantee fulfillment.

So we need to build devices which need security updates no more often
than the length of time a typical customer goes before getting a new one.

That's not so difficult as the complex protocols we're using on desktops
make it.  These are simple devices and the protocols and capabilities
they actually need are also very simple.  They could use protocols with
two moving parts instead of fifty.  And I think elementally simple
protocols, running on simple single-tasking machines can in fact be
implemented securely enough not to need updates more than, say, once in
six years on average.



				Bear
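The sort of three-command configuration interface the post argues for, written out as an added example in C (this is not code from the post, nor from any real product): a thermostat-style interpreter whose entire vocabulary is `show`, `get` and `set`, whose accepted alphabet is letters, digits and single spaces, and which has no shell, pipes, path lookup or utilities behind it. The type names, verbs, keys, value ranges and sample input lines are all assumptions made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of a minimal device configuration interface: three
 * verbs, no shell, no pipes, no utilities, nothing received over the wire
 * is ever executed. A line that is not one of the fixed forms is refused
 * before any device state is touched. All names here are illustrative. */

#define MAX_LINE   64   /* longest line we will even look at, incl. NUL */
#define MAX_TOKENS 3    /* verb, key, value: nothing more */

typedef struct {
    int setpoint_f;   /* target temperature, degrees Fahrenheit */
    int fan_on;       /* 1 = fan forced on, 0 = automatic */
} device_config;

typedef enum {
    CMD_OK = 0,
    CMD_REJECTED,     /* bad byte, bad shape or too long: never parsed */
    CMD_UNKNOWN,      /* well-formed but not one of the verbs */
    CMD_BAD_ARG       /* known verb, but unknown key or out-of-range value */
} cmd_status;

/* The whole accepted alphabet; pipes, semicolons, slashes, quotes stop here. */
static int byte_allowed(unsigned char c) { return isalnum(c) || c == ' '; }

/* Decimal integer in a sane thermostat range, with no trailing junk. */
static int parse_setpoint(const char *s, int *out)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 40 || v > 100)
        return 0;
    *out = (int)v;
    return 1;
}

cmd_status run_command(device_config *cfg, const char *line,
                       char *reply, size_t reply_len)
{
    char buf[MAX_LINE];
    char *tok[MAX_TOKENS];
    int ntok = 0;
    size_t i, start = 0, n = strlen(line);
    reply[0] = '\0';
    if (n == 0 || n >= MAX_LINE)
        return CMD_REJECTED;
    for (i = 0; i < n; i++)
        if (!byte_allowed((unsigned char)line[i]))
            return CMD_REJECTED;
    memcpy(buf, line, n + 1);
    /* Split on single spaces; empty or surplus tokens are refused outright. */
    for (i = 0; i <= n; i++) {
        if (buf[i] != ' ' && buf[i] != '\0')
            continue;
        if (i == start || ntok == MAX_TOKENS)
            return CMD_REJECTED;
        buf[i] = '\0';
        tok[ntok++] = buf + start;
        start = i + 1;
    }
    if (ntok == 1 && strcmp(tok[0], "show") == 0) {
        snprintf(reply, reply_len, "setpoint=%d fan=%s",
                 cfg->setpoint_f, cfg->fan_on ? "on" : "auto");
        return CMD_OK;
    }
    if (ntok == 2 && strcmp(tok[0], "get") == 0) {
        if (strcmp(tok[1], "setpoint") == 0)
            snprintf(reply, reply_len, "%d", cfg->setpoint_f);
        else if (strcmp(tok[1], "fan") == 0)
            snprintf(reply, reply_len, "%s", cfg->fan_on ? "on" : "auto");
        else
            return CMD_BAD_ARG;
        return CMD_OK;
    }
    if (ntok == 3 && strcmp(tok[0], "set") == 0) {
        if (strcmp(tok[1], "setpoint") == 0)
            return parse_setpoint(tok[2], &cfg->setpoint_f) ? CMD_OK : CMD_BAD_ARG;
        if (strcmp(tok[1], "fan") == 0 &&
            (strcmp(tok[2], "on") == 0 || strcmp(tok[2], "auto") == 0)) {
            cfg->fan_on = strcmp(tok[2], "on") == 0;
            return CMD_OK;
        }
        return CMD_BAD_ARG;
    }
    return CMD_UNKNOWN;
}

int main(void)
{
    /* Constructed input: one legitimate line, two that a shell would run. */
    const char *lines[] = { "set setpoint 68", "show | cat /etc/passwd", "ls" };
    device_config cfg = { 70, 0 };
    char reply[64];
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %d %s\n", lines[i],
               (int)run_command(&cfg, lines[i], reply, sizeof reply), reply);
    return 0;
}
```

Two design points carry the post's argument. The alphabet check runs before tokenising, so a line like `show | cat /etc/passwd` is refused as a whole rather than partially interpreted, and a value such as `68; reboot` never reaches the setpoint parser. The verbs are matched by exact string comparison against a fixed table, so there is no path lookup, no `ls` or `mount` to reach, and nothing for a downloaded script to call into; the largest thing an attacker can do through this interface is set a temperature inside the allowed range.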




