SSL to NTIA: Secure Software Updates on the IoT

On May 11, President Trump issued an Executive Order to improve the “cybersecurity of Federal networks and critical infrastructure.” The document is a call to action to a number of Federal agencies, each of which is charged with developing strategies and policies to better protect key government networks, systems, and data resources from attack. In seeking out the best strategies for addressing one identified vulnerability, “Resilience Against Botnets and Other Automated, Distributed Threats,” the National Telecommunications and Information Administration (NTIA) issued a “request for comments” (RFC) on June 8. The RFC invited all stakeholders, “including private industry, academia, civil society, and other security experts” to share “ways to improve industry’s ability to reduce threats perpetuated by automated distributed attacks, such as botnets, and what role, if any, the U.S. Government should play in this area.”

As a group that has long advocated the role of secure software update strategies in addressing these types of vulnerabilities, our lab viewed this RFC as a way to evangelize for these strategies, particularly in the fast-growing area of the Internet of Things (IoT). A response, primarily crafted by SSL summer intern Shikhar Sakhuja, was prepared over the past few weeks to emphasize the need for all IoT items to be securely updated to fix vulnerabilities—even those currently deemed by their manufacturers as too inexpensive to warrant such treatment. In doing so, the response emphasized that, without secure updates to patch vulnerabilities, malware can be downloaded and signed like a regular update. In turn, this malware can convert any smart device, even medical equipment like defibrillators or imaging machines, into functional bots in a botnet.

The response was built around three main points, which are listed below along with a few quotes from the arguments used to support them.

• NTIA should establish a Security Standard for Software Updates on IoT devices, regardless of the manufacturer or brand of the product, as such a uniform standard would establish a significant barrier for would-be attackers. Standardization can strengthen the security of IoT devices by removing the argument that, since “many IoT devices are inexpensive, and likely to be replaced after only a few years,” it would be “economically irrational” to update them. “Since software updates can be key in securing IoT devices and preventing their use as bots in the next DDoS attack, such an investment must be encouraged.”

• NTIA should make compromise-resilience a mandatory component of the IoT update security standards to protect vulnerable endpoints Requiring compromise resilience be built into any framework for updates can ensure that, even after a successful attack, “the least number of IoT devices are affected and minimal damage can be inflicted upon the affected devices.” In addition, such a framework can better deal with new vulnerabilities as they are discovered, as well as, “fix system crippling bugs and combat malware.”

• The NTIA and the Federal government have strong roles to play in establishing an IOT consortium in which all the stakeholders in the IoT sphere can jointly develop a compromise-resilient security update framework. Here, the response outlines a policy that SSL has pursued from the beginning: a commitment to open source development, in which nothing is proprietary, and code and knowledge is shared with the community so we can reach mutually-achieved solutions. “We want to work with other stakeholders to design a compromise-resilient system that would allow us to secure the chain of updates that could address security bugs in IoTs, improve the devices’ performance, and defend the interconnected web of devices that could redefine everything from manufacturing to medical practices to the way we heat our water.”

You can read the entire SSL response to NTIA at https://docs.google.com/document/d/1ZHc5t8YtIxi3CwWcwfhtZJ_DPPHUu0oScgxvwlO8G-c/edit. Executive Order 13800 and the original RFC from NTIA are both available via the Federal Register.