Securing the International IoT Supply Chain

Together with Nate Kim (former student) and Trey Herr (Atlantic Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain security. The basic problem we try to solve is: How do you enforce IoT security regulations when most of the stuff is made in other countries? And our solution is: enforce the regulations on the domestic company that's selling the stuff to consumers. There's a lot of detail between here and there, though, and it's all in the paper.

We also wrote a Lawfare post:

...we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.

News article.

Posted on July 1, 2020 at 9:31 AM • 15 Comments

Comments

Clive Robinson • July 1, 2020 10:16 AM

@ Bruce,

And our solution is: enforce the regulations on the domestic company that's selling the stuff to consumers.

It's the most expensive and most difficult if not impossible place to do it. Thus the place that is most going to hurt the consumer.

Let's assume the IoT designer / manufacturer decides to "add a little security"; the most likely way to do that is with "key signing executable code".

This turns the device into a "walled garden" not just for the consumer but the US distributor as well.

As we've seen with Android and iOS etc smart devices this is not a good idea.

But it gets worse: look at the likes of Amazon, who have been known to make IoT and similar hardware such as the "Ring" security fail if it cannot "call home to the mothership".

Thus two things can go wrong:

1. The server is turned off and all devices fail shortly thereafter.

2. The device functionality is changed by changes to the server, which is not in US jurisdiction.

Both of these are beyond the ability of the US supplier / distributor to control...

Thus I suspect that those who wish to get around any such legislation will be more than able to do so without any penalties befalling them.

Michel • July 1, 2020 11:00 AM

... so the remedy is not to let any UI-less IoT device access anything that is not one of the non-routable IP addresses; let a separate piece of software, installed and running on the local network, handle further contacts, if any.

Having a closed "thing" with unrestricted-Internet access installed in my own home appears to be such an immense opportunity for abuse that I fail to understand how it happened at all.
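A defender-side check for the segmentation policy Michel describes, added here as an example and not part of the original comment or the paper: it audits constructed flow records from a hypothetical IoT VLAN, allows devices to reach only non-routable (RFC 1918 and link-local) destinations, and permits only a designated local gateway host to make outbound contacts. The VLAN addresses and gateway host are assumptions.

```python
"""Audit IoT-segment flow records against a 'local destinations only' egress policy."""
import ipaddress
from typing import Dict, List

# Destinations an IoT device may reach directly: non-routable ranges only.
# Listed explicitly rather than via ip_address().is_private, which also treats
# the documentation ranges (e.g. 203.0.113.0/24) as private.
ALLOWED_DST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
]

# Assumed local gateway software (Michel's "separate piece of software") that
# is the only host on the segment permitted to talk to the Internet.
GATEWAY_HOSTS = {"192.168.50.10"}

# Constructed sample flow records: "src dst dport", one per line.
SAMPLE_FLOWS = """\
192.168.50.21 192.168.50.1 53
192.168.50.21 192.168.50.10 8883
192.168.50.10 203.0.113.45 443
192.168.50.22 203.0.113.45 443
192.168.50.23 10.0.0.5 1883
192.168.50.22 198.51.100.7 123
"""


def parse_flows(text: str) -> List[Dict[str, object]]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport)})
    return flows


def is_local_destination(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DST)


def audit(text: str) -> List[Dict[str, object]]:
    """Return flows where a non-gateway device leaves the non-routable space."""
    return [f for f in parse_flows(text)
            if f["src"] not in GATEWAY_HOSTS and not is_local_destination(f["dst"])]


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {v['src']} -> {v['dst']}:{v['dport']}")
```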

Chelloveck • July 1, 2020 11:09 AM

"That would put pressure on manufacturers to make sure their products are labelled as compliant with the standards set out in this security framework"

Call me a cynic, but it's a lot cheaper to just print a UL, CE, or Council of Conscientious Concerned Cryptographers certification logo than to actually do the work. It's not like merchants actually verify manufacturers' certifications. They just sell it and push the blame back if anyone calls them on it. You might successfully block products from being sold by the big names like Amazon or Best Buy, but the falsely-certified products will still be available from fly-by-night merchants on Amazon Marketplace, eBay, and AliExpress. Whack one down and it just comes back a week later with a new name.

ALejandro • July 1, 2020 11:29 AM

Domestic enforcement sounds like an elegant and viable concept to me.

Phaete • July 1, 2020 11:51 AM

Most of the routers in private/SMB internet connections are delivered by the ISP with the connection (and upgraded when needed).
And again, most of them have some custom firmware from the ISP.
I had to install a separate router instead of their modem/router combination garbage.
Not just for security but mainly to control traffic flow in/out of my network.

Just regulating them to install a 'secure' router and maintain it will be a very big deal. They can put the pressure on the manufacturers.

But accountability is going to foil it here, you cannot guarantee a 'secure' router, the environment is too dynamic. No one is going to take responsibility for the signals going through their networks to other networks.
So when those signals do something with that router, there is no one to realistically hold accountable currently.

Never mind those who have half a brain and follow a YouTube video to enable PnP on their router to gain a few ms ping for their online shooting adrenaline/testosterone stimulators.

I'm very skeptical; I think it's more likely that the US and Russia join the EU than that we get effective secure router/modem regulations.

It just cannot be done like with cars. We know all about how they crash, no zero day crash vulnerabilities there monthly.
That steel is not going to bend more because there are some lines written on it by a hacker. It won't crash because it gets spoken to in the wrong language.
(some cars are actually close to that last one)

wiredog • July 1, 2020 1:01 PM

@Chelloveck
At least with UL listing, if the distributor or end user wants to validate the listing there's a method to do it. Remember that UL is a private certification, with copyrights (the "UL"), and the insurance companies (the Underwriters in "Underwriters Laboratories") have a strong incentive to protect the brand. UL listing means that there's a lower chance that the device in question will fail catastrophically and generate an insurance claim.

Bob Paddock • July 1, 2020 1:40 PM

@wiredog

"Remember that UL is a private certification, with copyrights (the "UL"), and the insurance companies (the Underwriters in "Underwriters Laboratories") have a strong incentive to protect the brand."

Speaking from a manufacturer's perspective, we are held hostage to what amounts to high extortion "protection racket" fees that some government regulations mandate.

Getting UL is expensive, especially if you need more than one and are a small company.

If there is going to be approval body certification for this, then it needs to be a 'non-profit' and (sadly?) probably a government division.

Regulations like this hurt the small manufacturers the most.

vas pup • July 1, 2020 2:56 PM

@Bob Paddock said:
"If there is going to be approval body certification for this, then it needs to be a 'non-profit' and (sadly?) probably a government division."
Agree with your point 100%.

Just a small addition: often the label on products manufactured outside the US contains 'Distributed by [name of US company]', but I hope I'm not the only consumer who wants the country of origin on the label AS WELL, e.g. Made in China, Made in Canada, but our regulators are currently not enforcing even that. The distributor is for lawyers to chase for money (a reactive measure, when something has happened to the consumer), but the consumer wants to know upfront where the product was actually made and make an educated choice based on their OWN preferences (proactive).

Boob • July 1, 2020 4:48 PM

So this doesn't apply to sellers on Amazon Marketplace because they're third-party, often foreign, sellers, right?

Sancho_P • July 1, 2020 5:02 PM

“… to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies.” (@Bruce, my emph)
- This is a joke, isn’t it?
Do we know how to correctly spell cybersecurity? Today? Future?

And: SW / FW has been legally out of bounds, thanks to Bill G, for decades and forever.

Jon • July 2, 2020 3:35 AM

Unfortunately, money pressure dramatically "rebalances" regulatory pressure. J.

Peder Thorsø Lauridsen • July 2, 2020 5:22 AM

It's exactly that liability that IKEA has to assume from its customers' end and has to enforce on its own suppliers. It will eventually lead to more secure products because the vendors will have to improve in order to keep making money.

Ismar • July 2, 2020 7:19 AM

Are there no lessons to be learned from current scenarios where antagonistic countries are forced to use hardware/software made partly or in full by their opponents? (The same goes for rival companies.)
For example, a Russian diplomat using an iPhone made in China running iOS made in the USA?
Would this not be reason enough for market economies to force everyone to play nicely OR force everyone to implement the complete supply chain themselves?
Surely this must be the case already for military equipment at least, which should not be too difficult / expensive to migrate to consumer-level equipment?
In other words, don’t we already have a solution for this problem?

Petre Peter • July 2, 2020 1:15 PM

5G and digital transformation are coming globally, and I don't think that politicians will be willing to interrupt the bonanza that the IoT is promising. I am glad these issues are being punished. It won't matter to them if it won't matter to us.
