This month I had the good fortune to keynote at OWASP AppSec EU 2015 on the Internet of Things. It was my first keynote, and as conferences go, quite an experience. I last spoke at AppSec EU in 2009 on using WordPress as a framework and the vulnerabilities that you’d commonly find and I’d like to thank Martin, Tobias, Carol and all the organisers for the opportunity to speak again. If you’d like a copy of the slides, you can find them here.
Understanding The IoT Landscape
The Internet of Things (IoT) covers a wide range of different technologies and vertical market applications. A primary driver for venture capitalist funding in the IoT space is the access to new forms of data of intrinsic value, combined with the relatively low cost of “putting a chip on it”, compared to the costs of investing in startups in other markets.
When it comes to technologies, there are common elements that appear time and time again, as illustrated in what I affectionately refer to as, “The IoT hipster moustache”:
In almost all cases, an IoT device connects knowledge about the world around us to global systems that collate and integrate that knowledge, providing us with a means of managing and influencing that knowledge, and vendors with a means of tracking that knowledge. This is implemented through the use of a widget (aka a device or “Thing”), that uses sensors for feedback and communicates with a service (aka the “Internet of”), often consisting of an application with some degree of cloud connectivity.
As you might imagine, with a threat surface that large and that complex, there’s a demand for some degree of security. At one end of the spectrum you have Josh Corman’s I am the Cavalry, looking to provide baseline standards of security for critical things, at the other end of the spectrum there’s a small OWASP project that could do with some love.
Openness In The Internet of Things
I’ve been analysing IoT devices for years now, and there are several recurring patterns that I see:
- The Widget uses open source code, often under a GPL licence
- The service runs on open source code, often under a GPL licence
- The intermediary communications all happen using open source code, often under a GPL or LGPL licence
- The IoT developer does not comply with the open source licencing requirements to release such code
Yet somehow, we are often told that having a general purpose computing platform made available to compute according to general purposes is not realistic. After all, if you let people run Doom on their pacemakers, bad guys could kill people! Yes they can, but it’s easy to get lost in the idea that closed systems are more secure. That’s not to say they aren’t, but open systems are easier to verify, and just because a vulnerability is obscured doesn’t mean that it doesn’t exist.
Furthermore, when you use software licenced under an Open Source licence you are legally obliged to distribute your software in accordance with that licence. You cannot claim that you can’t release the open source code you use because of some perceived safety or security excuse.
It’s surprising how few IoT projects appear to care about being compliant with the need for Openness, with users often having to resort to reverse engineering in order to get the functionality they want without having to sign up to a service they neither want nor need.
The fact of the matter is that very little consideration has been given to the need for Open Source and Openness in the IoT space. While it’s understandable that some mission critical IoT applications (for example in the automotive or medical spaces) may desire the ability to close off access to unauthorised modifications to the devices themselves, they need to do so without restricting the ability for users and researchers to verify the security aspects of the code they run.
The sad thing is that the acceptance of closed sytems in the IoT space, particularly in transport and medical appears to be described as some sort of security benefit, when in fact this isn’t really the case.
OWASP’s Role In The IoT Space
OWASP have an IoT Top 10 project, but the maintainer’s been struggling to get feedback and participation. I highly suggest signing up to take part on the mailing list if you have any interest in IoT security.
On reviewing the Top 10, I hit a stumbling block common within the IoT space. Several of the Top 10 recommend practices that go against the very spirit of openness that allows these devices to exist at all. When recommendations for encrypted firmware, encrypted updates, locking down service ports, then they may do so with good intentions, but instead of providing security for the end user, they provide security for the vendor.
To be fair to the Top 10’s author, Daniel Miessler, he asked for feedback and didn’t receive it. There’s a question of whether a keynote in a flagship conference is the right place to provide it, but if I can encourage participation and debate on the subject in person, then hopefully I can encourage participation and debate on the subject online.
There are many people in the IoT space advocating the idea of closing off elements of the ability to verify the security of an IoT device, but they do so misunderstanding the threat surface. Closing off the ability to view firmware or debug devices does not remove bugs, it only increases the barrier to entry for finding them, even if they’re still there. As I couldn’t find people advocating a position of freedom by default in the IoT space, I decided that I would ask perhaps the most awkward question you could ever ask a group of Europe’s OWASP leadership:
This is a question that goes way beyond the scope of IoT. If we can secure web applications by streaming images of them to users instead of the HTML itself, should that be considered a valid security strategy? If so, should that even be a recommended security strategy? If we can secure web applications with DRM, should OWASP support and recommend the deployment of DRM, knowing the impact it will have on users elsewhere. Ultimately, the question that needs to be asked is who OWASP represents. When there’s a conflict of interest, should OWASP fight for the manufacturer or the user?
It’s a valid question and one I feel that cuts right through to the very soul of OWASP as an organisation, and it’s not one I have an answer to, nor do I expect one (given that OWASP is a collection of volunteers with different goals and ideals, and not a singular cohesive group organised around a goal of openness or closedness).
However, I would suggest (and did) that OWASP fights for the user, for a very simple reason:
Without a rational speaker of authority in the IoT space to promote openness, I staunchly believe that we’ll continue to see an endless stream of GPL violations and closed products reliant on obfuscation instead of actual security across all sectors in the IoT space. I made a tongue-in-cheek suggestion for the Top 10, which while not a real suggestion, is something I think is certainly a point for discussion:
The Internet of course, reacted:
OWASP IoT Top 10 Since AppSec EU
The discussion’s still ongoing on the OWASP Top 10 mailing list, and I encourage anyone with a voice to join in. The only way OWASP will be able to provide a genuine voice for users of IoT technology, is if users of IoT technology speak up, so come and join in, the water’s lovely.