What if it turns out that Big Brother is much more diverse, and a bit more subtle, than a monolithic figure at the head of an intrusive, tyrannical government?
What if a component of an all-seeing, all-knowing dystopian overlord is our business sector—the companies that sell us our electronics, appliances, machines, cars, tools, and just about everything else?
The picture Cory Doctorow painted of the manipulation of the Internet of Things (IoT) this week at the 2018 Security of Things Forum in Boston suggested that this is where IoT is headed if some major modifications aren’t made to a Clinton-era law titled the Digital Millennium Copyright Act (DMCA) of 1998, specifically Section 1201 of that law, which deals with so-called digital rights management (DRM).
In essence, Doctorow said, DRM means you don’t really own anything you buy—you’re just a tenant. And while he didn’t invoke Orwell or “1984” by name, he said manufacturers, through software code, are watching you. And if you try to modify their products, repair them, or buy parts, supplies, or components for a lower price from a third-party vendor, the products won’t work.
Oh, and a by-product of the law, which forbids even disclosing vulnerabilities in that software code, is that it adds to the security nightmare that is IoT.
Doctorow, a popular blogger (Boing Boing), journalist, activist, and science fiction author, titled his keynote at Tuesday’s conference “The Internet of Things Is Ground Zero for the War on General Purpose Computers.”
Which, of course, means computer users—as in, just about everybody.
For his most detailed illustration of the way the war is being waged, Doctorow pointed to what Hewlett-Packard did in 2016 with its printers.
The company sent out a security patch that behaved like a normal update at the start. But embedded within it was “a feature that could distinguish between HP ink cartridges and those from a third party,” he said.
It wasn’t activated right away, but six months later, “everybody woke up and their printers had stopped working [if they weren’t using more expensive HP cartridges].”
“There were thousands of complaints,” he said. “And eventually people started to figure out that HP had reached into their homes and gone upside their heads to benefit themselves.”
Doctorow said HP eventually withdrew that component, promising not to do it again “without adding some fine print.”
But, he said, consumers are seeing a lot more of that kind of thing and will see even more, owing to the DMCA.
When it was enacted, the DMCA was aimed mainly at protecting intellectual property in the entertainment industry. The goal was to block people from developing and sharing ways to watch movies, listen to music, read novels, and consume other creative products without paying for them.
But, Doctorow said, manufacturers of products with IoT components, from tractors to cars to medical devices to toasters, quickly figured out that if they included a DRM component—a piece of copyrighted software—in a product, they could force customers to stay within their “ecosystem”—because customers would violate copyright law if they modified the product to work with cheaper parts or supplies from a different vendor.
The results are absurd, like farmers who aren’t allowed to fix their own tractors. “It can take days to get a John Deere guy to come out and type an auth[orization] code [that allows the installation of a part] before you can go out and plow the back forty,” he said.
Likewise, he said, Apple requires an authorization code to replace a cracked iPhone screen, even if that screen comes from another iPhone that is no longer being used.
“It’s an affront to the whole idea of private property,” he said. “It’s like saying you can’t wrap tape around the handle of your hammer to make it fit your hand the way you want.”
The consequences of DRM are not just inconvenience and cost. There is also the issue of security—or lack of it. DRM code is not difficult to crack. Doctorow said “hobbyist teens” can do it. “For DRM to work, you have to have a secret that you hide in a piece of equipment that you give to your adversary. It’s wishful thinking that they’re not going to crack it,” he said.
So, he said, manufacturers try obfuscation. “For it to work, it has to sneak,” he said. “They put it in parts of the file system that aren’t visible.”
But the DRM code and its processes “aren’t any more secure than anything else in your computer,” he said. “If you can get malware into those hidden places, it can operate in total secrecy.”
Meanwhile, Section 1201 of the DMCA forbids disclosing vulnerabilities in DRM code. It is a felony, punishable by up to five years in prison and a $5,000 fine, Doctorow said.
“So you have an unauditable attack surface. That is bad news,” he said. “We need to secure devices that are in people’s homes, and we’re going in the opposite direction.”
He cited a range of examples—compromised baby monitors, a voyeur who tried to blackmail a former Miss Teen USA through the use of a RAT (remote access Trojan) that allowed him to get nude video of her, and the famous demonstration where a couple of security researchers hacked the controls of a Jeep.
Doctorow acknowledged there is no way to make IoT bulletproof, but he said some of the “least worse” things that should be done are to require vendors to be transparent about defects in their products, to establish a “responsible disclosure” protocol that would allow researchers to find and report vulnerabilities, and to put control of products back in the hands of users.
“Anytime a system gets conflicting orders from an owner and a remote party, the owner should prevail,” he said. “Yes, sometimes owners do stupid things, but otherwise, everybody will be subject to a system that is unaccountable.
“We have to fix this,” he said. “That means we have to lay the groundwork for an IoT that is safe for human habitation.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.