rC3: The Internet of Things as a killer app for IT security

Source: Heise.de added 28th Dec 2020


With the Internet of Things, the suffering of all users of networked devices is increasing, and that could change the dreary state of IT security for the better. The “Internet of Things” (IoT) could usher in a paradigm shift, US encryption expert Bruce Schneier said on Sunday at the remote Chaos Communication Congress (rC3). The reason is that with networked things “security collides with physical security”.

Software bad and too complex

If someone hacked his thermostat over the Internet, “the lines could freeze”, Schneier said by way of example. With networked homes, cars or even factories, the attack surfaces and the threats to the well-being of individuals and entire social groups multiply. This could help to correct the existing market failures through stronger state regulation.

Bad and overly complex software, the worst enemy of security, currently follows exactly the laws of the market, according to the Harvard Kennedy School lecturer. In software, the market rewards ever more features, efficiency and speed, which leads to bloated programs. Simplicity and security, by contrast, are expensive. Most people do not want to pay extra for them and instead knowingly accept risks.

When the toaster suddenly sends e-mails

Such short-term advantages come at the expense of society in the long run, Schneier emphasized in the online conversation with Frank Rieger of the Chaos Computer Club (CCC), which was interrupted by several technical problems. Politicians must therefore intervene, for example with requirements for food and drug safety. This applies above all to the IoT, since the devices and the associated software are often produced in countries such as China by companies that in some cases quickly went bankrupt. There is not much to be expected in the way of updates.

To still be able to build a reasonably secure home network, routers should first act as watchdogs, the 57-year-old suggested. They should be able to detect a connected device and obtain information and updates about it. If the toaster suddenly sends e-mails, it should be possible to switch this function off via the intermediary.

Fewer connections to the outside world

Rieger doubted that manufacturers would be more restrictive than before and would collect less data. Microsoft Office 365 on the Mac alone contacts 32 other servers, some of them in China or the USA. Any impartial observer would have to classify such a program as malware. Schneier admitted that a lot of persuasion was still needed in this area. At least Microsoft knows the servers. However, the software giant would do well to gradually reduce the connections to the outside world.

The security expert did not consider a rapid rebuilding of IT landscapes along security lines to be realistic. However, software should go through more audits, since everyone benefits from such testing processes. In this way, back doors could also be found more quickly, such as the one in the Orion software of the US service provider SolarWinds, which turned out to be a massive security risk for state and private infrastructures as well as a gateway for Russian hackers. Money should flow into pools to organize audits for open source products.

Encryption is critical infrastructure

Schneier described the idea, propagated in the repeatedly flaring Crypto Wars, of weakening encryption and circumventing data protection rules as “incredibly dangerous”. Cryptographically secured cell phones in particular, and the applications running on them, such as chats, are used by almost everyone, including government representatives and police officers. They are more or less a critical infrastructure that is important for “our societies and democracy to work”. Even if encryption makes law enforcement a little more difficult here, “it is better for all of us.”

Initially, it was countries such as the USA, Great Britain and Australia in particular that requested access to encrypted communication in plain text, the researcher reported. “Down under” there is even a relevant law that, as far as he knows, has never been applied. In the meantime, Germany and the EU have made similar appeals. But there is no magic bullet to counter this. That he nevertheless calls on the state to act on IT security is no misfire: “We are the government,” he said, referring to the basic principles of popular rule. Should the government oppose “our interests”, “we need a better one”.

Quantum computer: “crypto apocalypse” canceled

In principle, the cryptologist described encryption as a secure mathematical process. In practice, however, it depends on computers, software, networks and their users. If, for example, the messenger service Signal is running on a smartphone that has a small weak point and everyone can read what is happening on an unlocked screen, this is just as problematic as users who swear by simple passwords.

Schneier called off the “crypto apocalypse” that is often linked to quantum computers. On the one hand, many more breakthroughs and manageable applications are needed before practicable quantum computers can, for example, break encryption solutions. On the other hand, the US standards organization NIST has already started a competition for quantum-resistant algorithms, in which some hot candidates are in the running. In the case of symmetric encryption, the keys could also simply be lengthened. Solutions are still being worked on for public key cryptography, but many programs would get by without this approach.

(tiw)

Read the full article at Heise.de
