Disclosing Vulnerabilities and Breaches in the ‘Internet of Things’
Ross Anderson, Cambridge
CEPS, Sep 27 2017
What will the IoT change?
• Privacy made the early running with the smart TV and the Cayla doll – but your phone already hears everything and is full of adware
• Denial-of-service was next with the Mirai botnet – but we already have botnets
• But safety looks like the real pressure point
• Phones and laptops don’t kill many people directly; cars and medical devices do…
How does IoT change safety?
• Eireann Leverett, Richard Clayton and I did a project for the European Commission
• The EU has complex regulatory regimes for the safety of all sorts of devices
• How will these have to change once there’s software everywhere?
• We looked specifically at vehicles, medical devices, and electrotechnical equipment
• But the lessons are more widely applicable!
EU problem statement
• We regulate safety in many industries
• The “Internet of Things” puts computers and communications everywhere
• This creates new safety risks around security
• Indeed, the two are the same in the languages spoken by most EU citizens (sicurezza, seguridad, sûreté, Sicherheit, trygghet…)
• How do we update safety regulation (and safety regulators) to cope?
Background
• Markets do safety in some industries (aviation) way better than others
• Cars were dreadful until Nader’s ‘Unsafe at Any Speed’ fired up the public, got insurance industry involvement and led to the NHTSA
• In the EU, we got the Product Liability Directive 85/374/EES, Framework Directive 2007/43/EC on type approval, and much much else
• Broad principles, plus many detailed rules
Background (2)
• Traditional car makers moving to autonomy in steps (adaptive cruise control, automatic emergency braking, automatic lane keeping…)
• Tesla has already moved to regular upgrades and the legacy OEMs are racing to follow
• But managing vulnerabilities is hard, and expensive: Android is patched for 3 years, Windows for 5
• So how will we patch a 2017 car in 2037?
Background (3)
• The Medical Device Directives (90/385EEC, 93/42/EEC, 98/79/EU) are now being revised
• Research by Harold Thimbleby: in the UK, hospital safety usability failures kill about 2000 p.a. (about the same as road accidents)
• Priority: get regulators to do post-approval studies and adverse event reporting
• At present devices are typically approved on paperwork alone
• Even less post-market feedback than in pharma…
Background (4)
• Usability failures that kill are typically blamed on the nurse (if noticed at all)
• But attacks are much harder to ignore – a 2015 wifi tampering demo led the FDA to blacklist the Hospira Symbiq infusion pump
• 2017: recall of 450,000 St Jude pacemakers
• But software upgrades can break certification!
• Proper safety/security lifecycle is needed
The Big Challenge
• Established non-IT industries usually have a static approach – pre-market testing with standards that change slowly if at all
• The time constant is typically a decade
• When malicious adversaries can scale bugs into attacks, industries will need a dynamic approach with patching, as in IT
• The time constant is then typically a month
Broad questions include…
• Who will investigate incidents, and to whom will they be reported?
• How do we embed responsible disclosure?
• How do we bring safety engineers and security engineers together?
• Will regulators all need security engineers?
• How do we prevent abusive lock-in? Note the US DMCA exemption to repair tractors…
Institutional Players
• Dozens of European regulators (+ hundreds in Member States)
• Standards bodies (UNECE, ETSI, CEN, CENELEC)
• Safety labs (KEMA, EuroNCAP, …)
• Security labs (CLEFs, Underwriters’ Labs, commercial pentesters, ENCS, academics…)
• Other custodians of the many safety and security standards including NIST, IEEE, IEC
• Other principals, e.g. insurance industry
Policy recommendations included
• Require vendors to self-certify, for their CE mark, that products can be patched if need be
• Require a secure development lifecycle with vulnerability management (ISO 29174, 30111)
• Create a European Security Engineering Agency to support policymakers (now: ENISA)
• Extend Product Liability Directive to services
• Update NIS Directive to report breaches and vulnerabilities to safety regulators and users
Translating this to engineering
• The problem as always will be scale
• Europe has 50,000 fatal accidents a year and ten times that many causing serious injury
• Future cars will generate vast amounts of data
• How do the right data get to traffic cops, insurers, safety regulators and others?
• We can’t just report vulnerabilities and breaches to ENISA/SIAs/DP agencies!
• Culture change too (e.g. VW v Birmingham)
Implications for computer science
• Computer science has always been about managing complexity
• Safety-critical durable goods, online, and composed of heterogeneous components from mutually mistrustful suppliers, are the new grand challenge
• Since doing this project I’ve started teaching safety and security together in the same course to first-year undergraduates
Conclusions
• The EU regulates safety in dozens of industries
• Once safety-critical goods can be attacked online, it’s patch or scrap
• For durable goods like cars and medical devices, this will be a really really big deal
• To manage the ecosystem, a vast amount of data on vulnerabilities, breaches and accidents will have to be managed
• Many policy challenges lie ahead!
More…
• Our paper “Standardisation and Certification in the Internet of Things” is on my web page http://www.cl.cam.ac.uk/~rja14/
• Or see “When Safety and Security Become One” on our blog https://www.lightbluetouchpaper.org which also has a couple of videos
Cambridge, Sep 2017