We all should know by now that the state of security of many Internet of Things devices is a shocking mess.
Time and time again security holes are found in IoT devices, providing an opportunity for hackers to spy on unsuspecting users, steal information, or even hijack gadgets to perform internet attacks on others.
The only explanation seems to be that the manufacturers of many so-called “smart” devices have given little thought or effort into how they should properly protect owners and their data from malicious hackers and snoopers.
And although some bodies have called for “security trust marks” so consumers can know which devices they can trust, we still seem to be some way away from agreeing a globally accepted baseline to which IoT devices should adhere.
One group that would like to encourage the adoption of improved cryptography in IoT gadgets is the International Organisation of Standardization (ISO).
And, fascinatingly, the ISO has just voted against two new encryption algorithms specifically designed to secure IoT devices, which typically have limited resources in terms of memory and power.
Why were the algorithms – known as Simon and Speck – rejected? It seems because they were developed by the NSA.
Part of the concern is that Simon and Speck might contain encryption backdoors that would be abused by US authorities. Although nobody has directly accused the NSA of attempting this with Simon and Speck, the agency has something of a chequered history when it comes to subverting and weakening previous standards.
For instance, in 2013 it was discovered that the NSA had sabotaged NIST security standards by incorporating a backdoor into a random number algorithm (known as Dual_EC_DRBG), built into RSA’s widely-used BSAFE encryption libraries.
In a series of tweets, Dr Tomer Ashur, representing the Belgian delegation of the standards body, explained that the NSA had not presented itself well to the ISO:
Being international in nature, ISO’s decision making process is about building consensus. NSA’s aggressive behavior together with half-truths and full lies they provided us with discouraged such consensus which brought us to where we are today.
This is yet another example as to how the NSA’s surveillance program is bad for global security. If they had been more trustworthy, or at least more cooperative, different alliances would have probably been formed.
But instead, they chose to try to bully their way into the standards which almost worked but eventually backfired.
To add insult to injury, Dr Ashur compared America’s NSA unfavourably with the Russian and Chinese authorities, who have also proposed algorithms:
On a personal note: spying agencies have no place in civilian standardization. If you can’t motivate your decisions, we can’t trust you. The Russians and Chinese seem to understand that and are much more cooperative in addressing concerns.
According to a Reuters report from last year, Israeli ISO delegate Orr Dunkelman the distrust of the NSA runs deep:
“I don’t trust the designers. There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards.”
I think we’re all agreed that the Internet of Things needs better security, and strong cryptography standards is an essential part of that. But lets ensure that those standards are bulletproof, and not actually introducing their own intentional flaws which could put us all at risk.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024