Is it time to enforce testing and certification of technology?
If Dr Paul Vixie, CompSci PhD and a recognised internet overlord with software such as BIND (Berkeley Internet Name Daemon) to his name, has any say, then yes, it is time.
I met Dr Vixie at the APNIC 38 conference in Brisbane recently, an event that brought together the people who ensure the internet keeps on running.
Typically enough, only a few minutes into the interview with Vixie, my recorder gave up the ghost and I resorted to my iPhone.
Vixie looked at the iPhone recording our conversation with disgust.
“The whole world depends on this crap on the table here… and it is crap.”
Even common household appliances are better tested than smartphones and in fact, certified to have a level of security, Vixie contended.
“If you want to buy a toaster oven for your house in any English speaking or developed country, it requires a certification sticker on the back of it - like the Underwriters’ Laboratory,” Vixie said.
That is how society manages risk, he explained. The toaster oven is tested and certified, and if it isn’t, don’t use it. Without that UL, C-Tick Mark, or similar sticker on it, chances are your insurance is invalidated if the toaster oven malfunctions and sets your house on fire.
“You have a couple of hundred dollar smartphone here on the table that hasn’t been looked at by anyone apart from its maker.
A couple of small components have been looked at by the FCC,” Vixie explained.
Clearly Vixie has a source for cheap iPhones but his point is that even though smartphones are capable of doing more harm than toaster ovens, they’re not subject to testing and certification.
A security breach in a smartphone could result in a user's privacy being violated, or financial loss, and the device can be used as part of denial of service attacks against other networks.
What’s more, there are billions of smartphones, and they cost far more than a toaster oven - but manufacturers are not required to submit them to what Vixie calls “red-teaming”.
This would entail Apple, Samsung and others paying an independent third-party to try really hard to break into the devices. If the break-in succeeds, manufacturers should pay testers more.
That’s not happening, however, despite the large number of attacks that have taken place, which only seem to intensify in volume.
Another perverse example that we talked about was cars. If you want to build and sell cars, you have to tool up and spend tens of millions on submitting samples to the authorities for destructive safety testing, Vixie said.
Cars are loaded up with dummies and rammed into walls and nobody thinks that’s excessive.
However, this is not how the seemingly harmless personal entertainment electronics in a car are tested.
That uncertified technology can do real damage: Vixie mentioned the work done by Stephen Savage and his team at the University of San Diego in California as proof of the pudding.
“They recorded a CD with a specially encoded Windows Media Audio file that when you play the fourth song on the disc, it disables the brakes of the car,” Vixie explained.
In other words, the car CD player and sound system are on the same network as the brakes for reasons best known to the vehicle manufacturer. Savage and his team are working to replicate the exploit using Bluetooth, which means attackers don’t even have to have physical access to cars to turn off vital components.
Is it too harsh a call then to insist that technology is tested and certified like Vixie suggests? Would it stifle innovation, create excessive regulation, and cost too much?
Vixie doesn’t think it will if the regulation is done properly. If a manufacturer in China can submit cheap toaster ovens for testing, there’s no reason why a company with multi-billion revenues like Apple couldn’t do the same.
Just like toaster ovens, it’s the tech that needs testing and certification, as applying licensing and certification to engineers just wouldn’t be practical, Vixie said.
“I would despair at finding someone even vaguely capable of building the framework to certify testing staff,” he said.
Taking risk management through regulation further, Vixie suggested the treaty route.
If a country does not sign and abide by the treaties that regulate civil airlines, they don’t get to fly to those countries.
Likewise, he suggested that we might need a treaty against countries where much of the GDP comes from illicit transfer of wealth from developed countries through exporting malware and operating botnets.
Authorities already do this with nations that undertake drug trafficking, transnational crime, and similar activities. Applying it to the internet, as the doctor ordered, might just work.