iTnews

A tick symbol for tech

By Juha Saarinen on Oct 1, 2014 10:06AM

Risk management through regulation.

Is it time to enforce testing and certification of technology?

If Dr Paul Vixie, CompSci PhD and a recognised internet overlord with software such as BIND (Berkeley Internet Name Daemon) to his name, has any say, then yes, it is time.

I met Dr Vixie at the APNIC 38 conference in Brisbane recently, an event that brought together the people who ensure the internet keeps on running.

Typically enough, only a few minutes into the interview with Vixie, my recorder gave up the ghost and I resorted to my iPhone.

Vixie looked at the iPhone recording our conversation with disgust.

“The whole world depends on this crap on the table here… and it is crap.”

Even common household appliances are better tested than smartphones and in fact, certified to have a level of security, Vixie contended.

“If you want to buy a toaster oven for your house in any English speaking or developed country, it requires a certification sticker on the back of it - like the Underwriters’ Laboratory,” Vixie said.

That is how society manages risk, he explained. The toaster oven is tested and certified, and if it isn’t, don’t use it. Without that UL, C-Tick Mark, or similar sticker on it, chances are your insurance is invalidated if the toaster oven malfunctions and sets your house on fire.

“You have a couple of hundred dollar smartphone here on the table that hasn’t been looked at by anyone apart from its maker. A couple of small components have been looked at by the FCC,” Vixie explained.

Clearly Vixie has a source for cheap iPhones, but his point is that even though smartphones are capable of doing more harm than toaster ovens, they’re not subject to testing and certification.

A security breach in a smartphone could result in a user's privacy being violated or in financial loss, and the device could be used as part of denial of service attacks against other networks.

What’s more, there are billions of smartphones, and they cost far more than a toaster oven - but manufacturers are not required to submit them to what Vixie calls “red-teaming”.

This would entail Apple, Samsung and others paying an independent third-party to try really hard to break into the devices. If the break-in succeeds, manufacturers should pay testers more.

That’s not happening, however, despite the large number of attacks that have taken place, which only seem to intensify in volume.

Another perverse example that we talked about was cars. If you want to build and sell cars, you have to tool up and spend tens of millions on submitting samples to the authorities for destructive safety testing, Vixie said.

Cars are loaded up with dummies and rammed into walls and nobody thinks that’s excessive.

However, this is not how the seemingly harmless personal entertainment electronics in a car are tested.

That uncertified technology can do real damage: Vixie mentioned the work done by Stefan Savage and his team at the University of San Diego in California [PDF] as proof of the pudding.

“They recorded a CD with a specially encoded Windows Media Audio file that when you play the fourth song on the disc, it disables the brakes of the car,” Vixie explained.

In other words, the car CD player and sound system are on the same network as the brakes for reasons best known to the vehicle manufacturer. Savage and his team are working to replicate the exploit using Bluetooth, which means attackers don’t even have to have physical access to cars to turn off vital components.

Is it too harsh a call then to insist that technology is tested and certified like Vixie suggests? Would it stifle innovation, create excessive regulation, and cost too much?

Vixie doesn’t think it will if the regulation is done properly. If a manufacturer in China can submit cheap toaster ovens for testing, there’s no reason why a company with multi-billion revenues like Apple couldn’t do the same.

Just like toaster ovens, it’s the tech that needs testing and certification, as applying licensing and certification to engineers just wouldn’t be practical, Vixie said.

“I would despair at finding someone even vaguely capable of building the framework to certify testing staff,” he said.

Taking risk management through regulation further, Vixie suggested the treaty route.

If a country does not sign and abide by the treaties that regulate civil airlines, they don’t get to fly to those countries.

Likewise, he suggested that we might need a treaty against countries where much of the GDP comes from illicit transfer of wealth from developed countries through exporting malware and operating botnets.

Authorities already do this with nations that undertake drug trafficking, transnational crime, and similar activities. Applying it to the internet, as the doctor ordered, might just work.

Juha Saarinen
Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section. He is based in Auckland, New Zealand.