DisclosingVulnerabilitiesandBreachesinthe‘InternetofThings’

RossAndersonCambridge

CEPS,Sep272017

WhatwilltheIoT change?

• PrivacymadetheearlyrunningwiththesmartTVandtheCayla doll– butyourphonealreadyhearseverythingandisfullofadware

• Denial-of-servicewasnextwiththeMiraibotnet– butwealreadyhavebotnets

• Butsafetylooksliketherealpressurepoint• Phonesandlaptopsdon’tkillmanypeopledirectly;carsandmedicaldevicesdo…

CEPS,Sep272017

HowdoesIoT changesafety?

• Eireann Leverett,RichardClaytonandIdidaprojectfortheEuropeanCommission

• TheEUhascomplexregulatoryregimesforthesafetyofallsortsofdevices

• Howwillthesehavetochangeoncethere’ssoftwareeverywhere?

• Welookedspecificallyatvehicles,medicaldevices,andelectrotechnical equipment

• Butthelessonsaremorewidelyapplicable!

CEPS,Sep272017

EUproblemstatement• Weregulatesafetyinmanyindustries• The“InternetofThings”putscomputersandcommunicationseverywhere

• Thiscreatesnewsafetyrisksaroundsecurity• Indeed,thetwoarethesameinthelanguagesspokenbymostEUcitizens(sicurezza,seguridad,sûreté,Sicherheit,trygghet…)

• Howdoweupdatesafetyregulation(andsafetyregulators)tocope?

CEPS,Sep272017

Background

• Marketsdosafetyinsomeindustries(aviation)waybetterthanothers

• CarsweredreadfuluntilNader’s‘UnsafeatAnySpeed’firedupthepublic,gotinsuranceindustryinvolvementandledtotheNHTSA

• IntheEU,wegottheProductLiabilityDirective85/374/EES,FrameworkDirective2007/43/EContypeapproval,andmuchmuchelse

• Broadprinciples,plusmanydetailedrules

CEPS,Sep272017

Background(2)

• Traditionalcarmakersmovingtoautonomyinsteps(adaptivecruisecontrol,automaticemergencybraking,automaticlanekeeping…)

• TeslahasalreadymovedtoregularupgradesandthelegacyOEMsareracingtofollow

• Butmanagingvulnerabilitiesishard,andexpensive:Androidispatchedfor3years,Windowsfor5

• Sohowwillwepatcha2017carin2037?

CEPS,Sep272017

CEPS,Sep272017

CEPS,Sep272017

Background(3)• TheMedicalDeviceDirectives(90/385EEC,93/42/EEC,98/79/EU)arenowbeingrevised

• ResearchbyHaroldThimbleby:intheUK,hospitalsafetyusabilityfailureskillabout2000p.a.(aboutthesameasroadaccidents)

• Priority:getregulatorstodopost-approvalstudiesandadverseeventreporting

• Atpresentdevicesaretypicallyapprovedonpaperworkalone

• Evenlesspost-marketfeedbackthaninpharma…CEPS,Sep272017

Background(4)

• Usabilityfailuresthatkillaretypicallyblamedonthenurse(ifnoticedatall)

• Butattacksaremuchhardertoignore– a2015wifi tamperingdemoledtheFDAtoblacklisttheHospira Symbiq infusionpump

• 2017:recallof450,000StJudepacemakers• Butsoftwareupgradescanbreakcertification!• Propersafety/securitylifecycleisneeded

CEPS,Sep272017

TheBigChallenge

• Establishednon-ITindustriesusuallyhaveastaticapproach– pre-markettestingwithstandardsthatchangeslowlyifatall

• Thetimeconstantistypicallyadecade• Whenmaliciousadversariescanscalebugsintoattacks,industrieswillneedadynamicapproachwithpatching,asinIT

• Thetimeconstantisthentypicallyamonth

CEPS,Sep272017

Broadquestionsinclude…

• Whowillinvestigateincidents,andtowhomwilltheybereported?

• Howdoweembedresponsibledisclosure?• Howdowebringsafetyengineersandsecurityengineerstogether?

• Willregulatorsallneedsecurityengineers?• Howdowepreventabusivelock-in?NotetheUSDMCAexemptiontorepairtractors…

CEPS,Sep272017

InstitutionalPlayers• DozensofEuropeanregulators(+hundredsinMemberStates)

• Standardsbodies(UNECE,ETSI,CEN,CENELEC)• Safetylabs(KEMA,EuroNCAP,…)• Securitylabs(CLEFs,Underwriters’Labs,commercialpentesters,ENCS,academics…)

• OthercustodiansofthemanysafetyandsecuritystandardsincludingNIST,IEEE,IEC

• Otherprincipals,e.g.insuranceindustry

CEPS,Sep272017

Policyrecommendationsincluded• Requirevendorstoself-certify,fortheirCEmark,thatproductscanbepatchedifneedbe

• Requireasecuredevelopmentlifecyclewithvulnerabilitymanagement(ISO29174,30111)

• CreateaEuropeanSecurityEngineeringAgencytosupportpolicymakers(now:ENISA)

• ExtendProductLiabilityDirectivetoservices• UpdateNISDirectivetoreportbreachesandvulnerabilitiestosafetyregulatorsandusers

CEPS,Sep272017

Translatingthistoengineering• Theproblemasalwayswillbescale• Europehas50,000fatalaccidentsayearandtentimesthatmanycausingseriousinjury

• Futurecarswillgeneratevastamountsofdata• Howdotherightdatagettotrafficcops,insurers,safetyregulatorsandothers?

• Wecan’tjustreportvulnerabilitiesandbreachestoENISA/SIAs/DPagencies!

• Culturechangetoo(e.g.VWvBirmingham)CEPS,Sep272017

Implicationsforcomputerscience• Computersciencehasalwaysbeenaboutmanagingcomplexity

• Safety-criticaldurablegoods,online,andcomposedofheterogeneouscomponentsfrommutuallymistrustfulsuppliers,arethenewgrandchallenge

• SincedoingthisprojectI’vestartedteachingsafetyandsecuritytogetherinthesamecoursetofirst-yearundergraduates

CEPS,Sep272017

Conclusions• TheEUregulatessafetyindozensofindustries• Oncesafety-criticalgoodscanbeattackedonline,it’spatchorscrap

• Fordurablegoodslikecarsandmedicaldevices,thiswillbeareallyreallybigdeal

• Tomanagetheecosystem,avastamountofdataonvulnerabilities,breachesandaccidentswillhavetobemanaged

• Manypolicychallengeslieahead!CEPS,Sep272017

More…

• Ourpaper“Standardisation andCertificationintheInternetofThings”isonmywebpagehttp://www.cl.cam.ac.uk/~rja14/

• Orsee“WhenSafetyandSecurityBecomeOne”onourblog

https://www.lightbluetouchpaper.orgwhichalsohasacoupleofvideos

Cambridge,Sep2017

CEPS,Sep272017