rC3: The Internet of Things as a killer app for IT security


With the Internet of Things, the suffering of users of networked devices is growing to the point where the dreary state of IT security could change for the better. The "Internet of Things" (IoT) could usher in a paradigm shift, US encryption expert Bruce Schneier said on Sunday at the remote Chaos Communication Congress (rC3). The reason is that for networked things, "security collides with physical security".

Schneier gave an example: if someone hacked his thermostat over the internet, "the lines could freeze". With networked homes, cars and even factories, the attack surface multiplies, and so do the potential effects on the well-being of individuals and entire social groups. This could help iron out the existing failures of the market through stronger government regulation.

According to the lecturer at the Harvard Kennedy School, the poor and overly complex software that is security's worst enemy is exactly what the laws of the market currently produce. In software, the market rewards ever more features, efficiency and speed, which leads to bloated programs. Simplicity and security, by contrast, are expensive. Most people do not want to pay extra for them and instead consciously accept the risk.

Such short-term gains come at society's expense in the long run, Schneier stressed in an online conversation with Frank Rieger of the Chaos Computer Club (CCC) that was interrupted by several technical glitches. Politicians must therefore intervene, as they do with food and drug safety requirements. This applies above all to the IoT, since the devices and their software are often produced in countries such as China by companies that in some cases quickly go bankrupt. Updates are then in short supply.

To still be able to build a reasonably secure home network, routers should first of all act as watchdogs, the 57-year-old suggested. They should be able to detect a connected device and obtain information and updates about it. If the toaster suddenly starts sending e-mails, that function should be able to be switched off at this intermediary.

Rieger doubted that manufacturers would hold back more than before and collect less data. Microsoft Office 365 on the Mac alone contacts 32 other servers, some of them located in China or the USA. Any impartial observer would have to classify such a program as malware. Schneier admitted that a lot of persuasion is still needed in this area. At least Microsoft knows which servers those are. The software giant would nevertheless do well to gradually reduce its connections to the outside world.

The security expert did not consider it realistic to rapidly rebuild IT landscapes with security in mind. Software should, however, undergo more audits, since everyone benefits from such testing. Back doors could then also be found more quickly, such as the one in the Orion software of the US service provider SolarWinds, which turned out to be a massive security risk for government and private infrastructures and a gateway for Russian hackers. Money should be pooled to organize audits of open source products.

The idea, propagated in the repeatedly flaring Crypto Wars, of weakening encryption and circumventing data protection rules was described by Schneier as "incredibly dangerous". Cryptographically secured cell phones in particular, and the applications running on them such as chats, are used by almost everyone, including government officials and police officers. They are more or less a critical infrastructure that is important for "our societies and democracy to work". Even if encryption makes law enforcement a little more difficult, "it's better for all of us".

At first it was mainly countries such as the USA, Great Britain and Australia that demanded plaintext access to encrypted communication, the researcher reported. "Down under" there is even a relevant law that, as far as he knows, has never been applied. In the meantime, Germany and the EU have made similar appeals. There is no silver bullet against this. That he nevertheless calls on the state to deliver IT security is not a lost cause, he said, pointing to the essence of popular rule: "We are the government." Should the government act against "our interests", "we need a better one".