Security Risks of Embedded Systems by Bruce Schneier.
From the post:
We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.
….
If we don’t solve this soon, we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them — including some of the most popular and common brands.
Bruce does a great job of explaining the embedded systems market and the lack of economic incentives to improve the security of embedded systems.
Where I disagree with Bruce is when he says:
The economic incentives point to large ISPs as the driver for change. Whether they’re to blame or not, the ISPs are the ones who get the service calls for crashes. They often have to send users new hardware because it’s the only way to update a router or modem, and that can easily cost a year’s worth of profit from that customer. This problem is only going to get worse, and more expensive. Paying the cost up front for better embedded systems is much cheaper than paying the costs of the resultant security disasters.
Large ISPs are an easy target, but it would take federal legislation to impose a uniform responsibility for embedded systems and what liability an ISP would incur for failure to upgrade. That is ignoring international issues with regard to ISPs. Not to mention not all “embedded systems” are routers. Who is responsible for all other “embedded systems?” Sounds like a sticky wicket that will take longer than the WWW has been around to solve.
A non-starter in other words.
We already have mechanisms in place to create the economic incentives Bruce is looking for: it’s called insurance.
If you have purchased anything at Target recently, you have probably been offered “replacement insurance”:
Protect every important purchase with a Target Replacement Plan and we’ll help get your covered breakdown resolved. If your product qualifies for replacement, we will issue you a Target Gift Card for the original purchase price. You can then replace your non-working product with a new one—perhaps even the latest version!*
This plan protects your new product against common failures, and protects you from unexpected repair bills. Coverage is for 2 years, starting from the date of purchase, inclusive of the original manufacturer’s warranty.*
What if the sales of embedded systems were accompanied by an offer of embedded system insurance?
That would be insurance that will pay for either replacement or repair in the event of a security flaw in software or hardware of the embedded system. Where would the economic incentives be then?
Insurers will have an incentive to reduce their economic risk so they will be testing products, visiting manufacturers, funding research, etc., so they can make good decisions on their risk for particular products.
At the same time, government and industry, having the most to lose from security breaches, can refuse to buy embedded systems that are not insurable or that are insurable but have a higher premium. That would have the happy consequence of driving questionable manufacturers from the embedded systems marketplace.
The practical advantage to embedded system insurance is it only takes demand for insurable embedded system products to start the process.
Demand will attract insurers into the marketplace, local security policies will drive purchasing insured products, and when breaches are found (there is no magic bullet), customers will have no disincentives to upgrading.
It won’t be quite that smooth but it has the advantage of no mandated NSA backdoors in the replacement software/embedded systems.