Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/24/2016
09:30 AM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

7 New Rules For IoT Safety & Vuln Disclosure

In the Internet of Things, even the lowliest smart device can be used for a malicious purpose. Manufacturers take heed!

If you've ever been irked by someone who has spent an entire shared meal staring at their phone, you know that social norms around technology are slow to catch up with our actual use of it. It's no secret that most "smart" devices haven’t kept up with the state of the art in security knowledge, but manufacturers of the Internet of Things are also failing to keep up to date when it comes to safety notification and vulnerability disclosure. Here are seven new rules to safeguard users from the unknown "things" that could do them harm.

Rule #1 – Notify Users of Significant Changes
If a device is designed to be interacted with several times a day, repeated actions will quickly become muscle memory. Once that memory is in place, you'll probably always interact with a device in that way. People need to be clearly (maybe even repeatedly) notified of significant changes. Any feature changes that remove or alter safety features, or that would introduce a safety hazard, should be not be considered a feasible option.

Rule #2 – Be Thorough with Vulnerability Reports
Device manufacturers should have a protocol for handling vulnerability reports, and a responsible disclosure policy posted in a prominent place on their website. Because vulnerabilities in medical devices may literally be a matter of life and death, it is a good idea – especially if a vendor does not yet have a publicly posted responsible disclosure policy – to send vulnerability reports to the attention of the Food and Drug Administration (FDA) via
MedWatcher.

Rule #3 – Give Humans Veto Power
While no one would argue that humans are infallible, there are times when it is imperative to let a human expert give the final decision. If reputations, livelihoods, health, or lives are on the line, software makers have a moral obligation to give the most qualified available human the ability to weigh in on the decision. In the case of automated medical diagnosis, that will most likely be a doctor. In the case of an auto-piloted car, that should be a driver who is still responding to what's on the road even if they’re not pressing pedals or steering. The more serious the potential outcome of the choice, the more heavily the inclusion of human decision (or at least active interaction) should be weighted towards being mandatory.

Rule #4 – Provide a Method for Prompt and Easy Updates
The code used for just about any sort of software application is incredibly long and complex, and with complexity come errors. Devices need to have the ability to quickly and easily update software when an error is identified. Whatever method is used, it should be easy for customers to spot fraudulent updates and it should not require them to go to a service center that may be hundreds of miles away from rural users.

Rule #5 – Provide a Method for Audit Logging
While we might like to think our Internet-connected washing machine might be too uninteresting for criminals to bother with, this line of thought is simply naïve. Even the lowliest devices can hold some utility for malicious purposes such as spamming or DDoS. And without behavior-logging functions to keep track of what’s happening, we can't know when that's occurring. When limited storage dictates a diminutively-sized log file, users should have the option to export or sync that file with another device.

Rule #6 – Authenticate Input
I’m sure we've all had the experience where a child or a pet pressed a button that made unexpected changes to some setting or other. When the change is something benign like enabling foreign subtitles, the stakes are fairly low. When devices have the ability or information to affect our lives, our health, or our reputations, even simple changes can have very powerful effects. This being the case, we need to make extra sure that changes are made by the authorized user or a designated representative, rather than a malicious individual or a meandering pet.

Rule #7 – Have an Exit Plan
Many IoT devices require cloud-based services to operate. If a company is discontinuing a device, going out of business or otherwise ending support for the cloud-based service, provide a mechanism for allowing users to transition the service. This could include selecting an alternate cloud-based service or publishing enough technical information so that users can create their own replacement.

It takes time for appropriate social mores to coalesce for new things, and while we might like for certain norms and rules to be obvious right out of the gate where security and safety are concerned, that is not the case. Until we get an official Miss Manners guide dictating etiquette for new technology, vendors and users will likely create some awkward situations. Hopefully, in higher-risk areas this will be hashed out more quickly so there will be little loss of life and limb and the lessons learned can then trickle down to lower-risk devices. 

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25465
PUBLISHED: 2020-12-04
Null Pointer Dereference. in xObjectBindingFromExpression at moddable/xs/sources/xsSyntaxical.c:3419 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25461
PUBLISHED: 2020-12-04
Invalid Memory Access in the fxProxyGetter function in moddable/xs/sources/xsProxy.c in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25462
PUBLISHED: 2020-12-04
Heap buffer overflow in the fxCheckArrowFunction function at moddable/xs/sources/xsSyntaxical.c:3562 in Moddable SDK before OS200903.
CVE-2020-25463
PUBLISHED: 2020-12-04
Invalid Memory Access in fxUTF8Decode at moddable/xs/sources/xsCommon.c:916 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25464
PUBLISHED: 2020-12-04
Heap buffer overflow at moddable/xs/sources/xsDebug.c in Moddable SDK before before 20200903. The top stack frame is only partially initialized because the stack overflowed while creating the frame. This leads to a crash in the code sending the stack frame to the debugger.