Security Awareness Blog

What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw

I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, to the point of reading through the safety manual several times and watching numerous YouTube videos. Once I had reviewed everything and started playing with this tool, I came to an amazing realization. This device is so well designed from a safety perspective that I would have to try really hard to harm myself. Even better, I did not really have to think about all the safety measures, as they were built into the device; they were designed to work with me, not against me. I list some of the key safety features that impressed me at the bottom, but something else really hit home for me. Why are we struggling so hard to do the same for security? Right now IoT is one of our biggest security challenges, with millions of IoT devices being used for DDoS attacks. The challenge? People are not changing the default passwords. Our community's response? Security professionals around the world are lamenting why people are so stupid/lazy as not to change the default passwords.

*sigh*, this says it all right here about our profession and why we are failing. Instead of blaming people, we should be taking a long, hard look at ourselves. Why do IoT devices even need a password? If they do, why are those passwords so hard to find/change on the device? Remember, you may think changing a password is easy, but security is your job. Most people don't want to think about security and/or find technology intimidating (like I found the Mitre Saw). In addition, when you have 5, 10 or even 15 IoT devices, changing passwords on all of them becomes a real PITA. Just like DeWalt and any other large power tool company, we need to take people into account and make security simple. We have to stop blaming others and look at ourselves. Until we do, the bad guys are going to continue to win.

By the way, here are some of the key safety features that are built into the DeWalt Mitre Saw. Notice in all three of these examples you do not have to do anything special, just use the device. This is how we need to think from a security perspective.

  • Safety Cover: There is a plastic safety cover that protects the entire rotating blade. The only time the blade is actually exposed is when you lower the saw to actually cut into the wood. The moment you start to raise the blade after cutting, the plastic cover protects everything again. This means to hurt yourself you have to manually lower the blade with one hand then insert your hand into the cutting blade zone.
  • Power Switch: Actually, there is no power switch. Instead, after the saw is plugged in, to activate the saw you have to depress a lever. Let the lever go and saw stops. This means if you fall, slip, blackout, have a heart attack or any other type of accident and let go of the lever, the saw automatically stops. In other words, the saw always fails to the off (safe) position.
  • Shadow: The saw has a light that projects a shadow of the cutting blade precisely on the wood where the blade will cut. No guessing where the blade is going to cut.

Safety is like security, you cannot eliminate risk. But I feel this is a great example of how security can learn from others on how to take people into account.

10 Comments

Posted October 19, 2016 at 1:51 PM | Permalink | Reply

Dave Jones

To take it one step further, go look at a SawStop saw. When you're talking security, don't you think you have to go to the SawStop level vs just the miter saw you described?

Posted October 19, 2016 at 2:07 PM | Permalink | Reply

lspitzner

Dave, impressive. Just went to their site. I love the additional safety feature that the saw blade actually detects contact with human skin. *sigh*, cybersecurity has a long way to go. But I feel we are making the first step in that journey, we are realizing we have a problem.

Posted October 19, 2016 at 3:29 PM | Permalink | Reply

BDJ

Keep in mind that we've had power tools for a long time and they represent very clear and immediate risks to health and safety, and even with that combination, such safety features are a relatively recent (past 30 years) occurrence. Given that interconnected consumer technology is much more recent and represents a much less clear and immediate risk to less critical resources, I don't expect it to "catch up" to power tool features anytime soon. And this is a perfectly logical situation.

Posted October 19, 2016 at 3:37 PM | Permalink | Reply

lspitzner

BDJ, totally agree with your assessment. Power tools have been around a lot longer, and their accidents are much 'messier'. The problem we face is with the advent of IoT and ICS (Industrial Control Systems) accidents and mistakes will have a profound impact on not just our digital world but our physical world (think cars, elevators, water systems, heating, medical devices, etc). The more interconnected we are, the greater the risk and harder it will be to clean up.

Posted October 19, 2016 at 4:16 PM | Permalink | Reply

BDJ

Yes, ICS security issues can lead to physical safety risks, but they weren't mentioned in this article. The recent DDoS from IoT that you reference was a nuisance compared to permanent physical injury. FWIW, many new consumer devices now do have either randomly generated admin passwords and/or force you to set one when they are initially configured. For example, this is standard practice for consumer DSL/Cable routers. It's also pretty standard for many other newly sold devices. The problem is largely with the millions of existing devices. In short, those plastic guards *are* in many new products. But, just like my old circular saw has no safety features, the existing install base has many issues. On the plus side, turnover for tech devices is much shorter than power tools so attrition is in our favor.
On a side note, it's poor form to reveal the name of someone who didn't publish their name directly.

Posted October 19, 2016 at 4:29 PM | Permalink | Reply

lspitzner

BDJ, all good points. I also like your point of attrition, that is one thing that does work in our favor.

Posted October 19, 2016 at 6:47 PM | Permalink | Reply

Gary Hinson

Hi Lance.
Both electro-mechanical and cybersecurity controls are fallible. Well-designed safety-critical controls generally fail-safe, leaving the protected device in a safe if non-operational or only partly functional state. Do we even consider that angle when designing business-critical cybersecurity? Or do we, on the whole, assume that our beloved controls will simply work?
http://blog.noticebored.com/2016/10/there-must-be-50-ways.html
Rgds, Gary

Posted October 19, 2016 at 6:47 PM | Permalink | Reply

TdB

As an IT professional, I couldn't agree more - it's our responsibility to understand how our software will be used and make security a seamless part of the experience, not rely on the end user to understand risks or take specific actions. Did DeWalt require you to assemble and attach the guard yourself? Change the power switch on every saw or require you to replace it every 6 months? Nope.
OTOH, as an experienced DIYer who has lost two fingertips to this exact saw, you don't have a clue how quickly you can still get hurt in the wrong circumstances. You don't need to

Posted October 19, 2016 at 7:47 PM | Permalink | Reply

koanhead

Passwords are wrong, and the security field has known this for a long time. The requirements of high-entropy and memorability are fundamentally incompatible. If IoT vendors are going to come to security professionals for advice (I have not heard of this happening, but I can dream) they need to be talked out of the whole 'password-based auth on embedded Web server without https or with a self-signed cert' thing.
Everything doesn't need to be a Web page. Web technologies are great at processing documents. The Web has not been designed as an application platform nor for orchestration.
An IoT vendor using SSH with keys could provide an Ansible-like app (or just a frontend to ansible with a set of baked-in configs) which would allow the user to control *all* their devices from one app, with One Password to Rule Them All. Most of the work is already done; with my weak coding skills I could make such a thing in a month or so.
Obviously such a solution would be more complex than I'm presenting, but it's simpler than the CGI-over-embedded-httpd method; vendors would not use that if they had to build and package it themselves.
Equally obviously, what I've proposed is not perfect from a usability standpoint. The user would have to interact with the app using the device at least once before the device would work - I don't know of any way to make the device work OOTB without making it insecure. If someone gave me a pile of money to figure it out I'm reasonably sure I could manage it.
In the meantime, IoT vendors are getting a pile of money to NOT figure it out. That needs to be addressed.

Posted October 20, 2016 at 10:38 PM | Permalink | Reply

Douglas Lancaster

Your second sentence pretty well defines the issue - you recognized that you had a potentially dangerous device and read the manual many times. Plus, you went even further and obtained information from secondary resources. Most people who have worked with power tools would give the manual a quick