PCI DSS for the IoT

Disconnecting is never the answer.

In the past few weeks, prominent hacks like the Mirai botnet taking down a significant chunk of the internet have made IoT security the butt of many a joke like this one.

It's always easy to kick someone when he's down, and so both Internet pundits and legislators have jumped on this bandwagon: the liberals of D66 have proposed banning unsafe Internet of Things equipment by means of a government-regulated seal. Neither group has actually proposed a real way to solve this situation.

We don't need to look far for a solution: I propose reusing parts of the PCI DSS, the set of hygiene rules that govern data security in the payment card industry, and extending that with IoT-specific guidelines on:

  • device upgrades,
  • credential control, and
  • device discoverability.

This will get us to a base level of security, after which we can start worrying about the real issues in IoT, such as how I can make sure the babysitter understands how to operate my smart lights.

How did we get here?

I, too, have bought into the promise of the Internet of Things. I've had a smart scale since 2011, upgraded some of my lights to Philips Hue, and have even invested in a connected Ring Doorbell.

That scale didn't have much of an attack surface. However, a few trends over the past few years have made IoT devices a rich target.

  • Power. Devices are getting ever more powerful. Where embedded applications used either ASICs or a low-powered microcontroller, modern scales now use 72 MHz MCUs, and my router has a 500 MHz dual core CPU. Plenty of power in a small package.
  • Homogeneity. The devices form a manageable population. Producers are lazy, and reuse reference designs, apply cheap, common chips, or rebadge low-cost devices with their own brand.
  • Connectivity. Devices need to be reachable. They use technologies like UPnP to open up ports on your router so you don't have to, but can still reach them with your mobile application. This makes them discoverable for apps and hackers alike.
  • Bandwidth. They're sitting on a huge internet pipe. That few hundred Mbit connection you buy for € 50 or so goes unused most of the time, and can be used for malicious purposes.
  • Perimeter security. We know how to secure corporate networks relatively well, but your and my home network does not have a stateful firewall and a professional administrator. These devices are by definition in a hostile environment.

Without diving into the economics of hacking, it's clear that these devices are juicy targets.

Why secure it when there's no revenue in that?

For consumers, however, these devices are appliances, not computers. Buy a device, use it for a few years, replace it, discard the old one. After the sale, the relation between producer and consumer is over. Since security is rarely a factor in the purchase decision, there is no incentive for producers to secure their devices.

Security of a device is hard to judge for a non-expert--hell, even I need to rely on just buying my hardware from reputable sources that have earned my trust. This creates a lemon market: without an assertion of security, the consumer assumes all devices are unsafe, and will not reward producers that actually do secure their systems.

I used to believe security breaches would have a major reputation cost. Adobe and LinkedIn, both of which had horrible security practices, proved me wrong: security fatigue has set in. I believe that even Yahoo could have gotten away with their massive breach and terrible response, if they weren't a dying company already.

I don't believe the market will sort this out; the incentives are all wrong. Just as politicians want government intervention, I too believe that this is the only way to get out of the current situation.

Enforcing IoT security

Any regulatory framework has two components: rules (what you should do) and enforcement (what happens if you don't).

Enforcement

Just as D66 say, "no cars are allowed to be sold that don't have proper seat belts." Governments can control their markets using a number of means (fines, sales rights, etc), and often rely on external compliance frameworks.

With the sign of approval in hand, we can leave it to the government to enforce this. Measures could range from a validated seal of approval that can only be used by reputable companies, to outright banning the sale of unapproved devices.

Seal of approval: digital hygiene

The set of rules should not be a specification. Cooks may disagree on the best way to cook risotto, but they all need to wash their hands and keep rodents out of the kitchen; a similar level of hygiene is both an improvement on the current situation and easier to mandate.

The PCI DSS

A legislative shift in the 60s moved the burden for credit card fraud to card processing networks. As a card holder, your damages are usually limited, and it's up to the processor to either shoulder the cost of fraud, or to prevent it. This gives an incentive for processors to not only secure their own systems, but the entire chain. With the rising problem of online fraud, in 2004 the Payment Card Industry Data Security Standard, PCI DSS, was born.

The standard is not a reference architecture. Rather, it reads like the notes of a competent professional who jots down do's and don'ts.

The standard combines technical rules with ways to embed them in the organization.

  • Technical guidelines. Things like installing a firewall, not using default passwords, mandatory encryption of cardholder data both in transit and at rest, and having an audit trail of data access. Pretty low-level solutions that you should implement regardless of industry.
  • Organizational measures. Good advice is one thing, following it another. PCI DSS has measures like quarterly audits, having documentation on security, and, since the latest 3.2 version of the standard, making sure that company executives actually know what is going on.

The standard is now well-accepted within the payment industry, and anyone processing payment information in some way has to abide by it to work with the major credit card companies. As a side effect, many companies don't build their own credit card processing, but rely on accredited suppliers instead.

IoT DSS

I propose creating a similar standard for Internet of Things-applications: hygiene rules, raising the baseline of security around the industry.

First up, we can steal some basic rules from PCI DSS:

  • Maintain internal network security by, among other things, including a firewall, using proper passwords on systems, and having a good patch policy.
  • Monitor network security, and have regular security scans.
  • Encrypt customer data both in transit and at rest.
  • Limit access to customer data--including data that could lead to compromise of the devices out in the wild--to necessary personnel, and make that access auditable.
  • Maintain a security policy, including executive visibility.

The specifics of the IoT need a few additional rules.

  • All devices must be upgradeable using a secure update path.
  • Devices need to be secured for their economic lifespan. This span is often dictated by law.
  • If password-based security is necessary, make it so that default credentials cannot be used to operate the device. Either use generated credentials, or force the user to change them.
  • Don't make devices directly addressable from the internet. Use techniques like NAT traversal or VPN if you need to reach out to the device.
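
The credential rule above can be enforced on the device itself. The following is an added example, not code from the original post: a hypothetical `Device` class (all names and the `admin` default are constructed for illustration) showing both options, a per-unit generated password and a shared default that is accepted only for the purpose of changing it.

```python
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = "admin"  # constructed example of a shared factory password


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an assumption
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical device-side credential store enforcing the rule above."""

    def __init__(self, generated: bool):
        self.salt = secrets.token_bytes(16)
        if generated:
            # Option 1: unique random credential per unit, printed on its label.
            self.label_password = secrets.token_urlsafe(12)
            self.must_change = False
        else:
            # Option 2: ships with the shared default, locked until changed.
            self.label_password = FACTORY_DEFAULT
            self.must_change = True
        self.pw_hash = _hash(self.label_password, self.salt)

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the stored and candidate hashes.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def change_password(self, old: str, new: str) -> bool:
        # Reject a wrong old password, re-use of the default, or a short one.
        if not self._check(old) or new == FACTORY_DEFAULT or len(new) < 12:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True

    def operate(self, password: str, command: str) -> str:
        if not self._check(password):
            return "denied: bad credentials"
        if self.must_change:
            # The default authenticates, but only change_password() is usable.
            return "denied: change the default password first"
        return f"ok: {command}"
```
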

These simple rules can make us all more secure, and will reward companies that actually do a proper job. Barring some liability shift or change in economics of security, there is no way the industry will regulate this. Government, this is your cue!