A Good Day to Die? IoT End of Life presented at BSidesLasVegas 2018

by Allan Friedman, Jessica Wilkerson, Karl Grindal,

Summary : IoT security is a known hard problem. A number of efforts are devoted to addressing risks in new devices by codifying and standardizing better security and development practices. The broader challenge will be to understand how these technical and policy efforts overlap–and where they don’t. Moreover, things that were built with better security when new can emerge as risks as they –and the underlying code–ages and more vulnerabilities are discovered. This panel will explore the dynamics of three different IoT security proposals, focusing on coordination around the underlying standards, components, and end-of-life decisions.We will first share work that picks up where the National Telecommunications and Information Administration’s IoT working groups left off, mapping overlapping security controls in existing IoT standards. Amongst this blooming buzzing confusion, and despite unique sectoral attributes, these IoT security standards face similar challenges with respect to patching, cryptography, and supply chain security. By initiating conversations across sector and technical layer we hope to accelerate learning, and improve on current best practices.We’ll then highlight a new NTIA initiative on transparency around third party software components, sometimes referred to as a “software bill of materials.” We’ll review that initiative, and highlight a sometimes overlooked feature of an SBOM–helping vendors and customers make better end-of-life decisions for connected products.Lastly, we’ll explore a topic that some have suggested to help navigate the complexity and information asymmetries of the IoT space: a device registration database. In our vision, hierarchical governance model, device registration with a trusted entity could allow new nodes to be securely authenticated, creating a network of trusted devices. Registration allows the cross-referencing of known threats to preexisting IoT networks, and, upon discovery of a security problem after the fact, allows the identification and sunsetting of compromised devices. Yet, an IoT registry – whether mandated through government regulations or an industry-based initiative – requires a trusted anchor to seed the system, a serious security drawback. Certain registration schemes could also have lasting implications for privacy, censorship, and permissionless innovation.