Who's Responsible For IoT Security? (networkworld.com)

"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF]. The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
  • argh (Score:2, Funny)

    by Anonymous Coward

    Who's Responsible For IoT Security?

    Shit... I think it was me. Sorry guys- the whole thing is my fault. I'll get on it ASAP.

    But seriously, if you have one IoT device selling for $59 and an equivalent one with better security selling for $65, I can tell you which people are going to buy.

  • Hard one... (Score:5, Insightful)

    by XSportSeeker ( 4641865 ) on Saturday August 26, 2017 @06:40PM (#55091059)

    Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
    But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.

    Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need government interference and regulation there to safeguard public privacy and security just as much as we have quality standards and approval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.

    And I think soon we'll end up with independent businesses whose sole purpose is to do independent testing for security and privacy... I mean, they are already there, seen as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.

    It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.

    • Re:Hard one... (Score:5, Insightful)

      by Darinbob ( 1142669 ) on Saturday August 26, 2017 @09:53PM (#55091571)

      No, not just developers. I work on IoT, we do security and we try to do the best security. Customers don't think this is important. It raises the cost. We get a max cost of a product and adding security can blow past it. A big problem is with companies and customers alike wanting to jump on the band wagon with instant results.

      Also, security requires resources. More memory, better chips (i.e., keep keys out of RAM), use PKI instead of preshared keys, etc. Every framework online that claims to be IoT ready is severely lacking, not just in security but usability. When they have security it's very large (larger in code than many low power chips can handle) and since it's "portable" they make no use of hardware supplied security.

      Now try to combine that with a battery life measured in decades, fast network response, customer modifications, etc.

    • Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.

      Negative. The only person responsible for security to your network is *you*. The problem is that these things are generally sold to a public that lacks the skills to responsibly manage their own network.

    • Funny. We do not have these problems with phones. TVs. Computers. Or refrigerators.

      Consumers plug them in and they just work. Why would the cool new camera to put in the office be any different?

      No, the reason is if the consumer received a financial penalty or loses his or her data then all hell breaks loose: the company gets prosecuted and risks a huge financial liability.

      If the camera in the office gets botted and sends data galore to take down servers who cares? Not their problem. Everything works just fi

    • Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.

      Manufacturers understand one thing that you've failed to recognize; know your audience.

      If you were to actually make an IoT product with security as the priority, and require consumers to configure and manage that security, it wouldn't sell. Manufacturers know this. That is why they have to make every product so stupidly simple it can be configured and controlled by a 3-year old child. Good security is often sacrificed because of this requirement.

      Oversharing and devices riddled with data telemetry creati

  • by Opportunist ( 166417 ) on Saturday August 26, 2017 @06:41PM (#55091063)

    Only worse.

    Here [wikipedia.org] you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.

    • Maybe initially. When it begins to impact them they'll care. Someone hacked the thermostat and ran your AC bill up to 1000 bucks for the month? Suddenly security becomes quite the consideration.

      Given the impact connected discrete peripherals can have on people, I fully expect this nonchalance towards security to be a phase. A very very short phase.

      • Not if we allow them to sue the manufacturers and everyone else they want rather than have any responsibility

      • This is a great example of an unrealistic FUD scenario. It's going to take:
        a) Something that would really happen, not just could happen, and the "could" here, at least for anyone actually at home at the time, is very weak.
        b) Something that happens to a large number of people, not just "the other guy", i.e. the guy who dies in a car accident because he was distracted by eating a burrito.
        c) Something expensive enough to be worth the trouble to defend against it.
        d) Something where the damages will not

        • You're forgetting the possibility that such problems might result in the IoT ending up being essentially a fad--with people opting to simply not have anything important hooked up to the IoT once the problems with securing it become sufficiently known and left unfixed. You might have a few things still connected, maybe a few exterior lights hooked up so you could switch them on remotely, but beyond that? Nope.

      • For this to really have any measurable impact, it would not only have to happen to a LOT of people, if not to everyone who ever bought an insecure IoT gadget. Why? Experience.

        For ages we have had banking trojans, and still people click every bullshit. We've had encryption trojans for a while now too, and still people neither make backups nor do they up their security. Both things still work as planned. Because it doesn't happen to enough people. And as long as it's not just happening to someone who happens to b

    • Right, they don't want to know. They don't want security. What they want is a crime-free neighborhood. In the end, it comes down to economics. People make rational individual economic choices about security. Consider how people have long handled security for their homes. Most homes and even businesses are not physically secure in any way even close to what is being demanded by security zealots. Setting people who got sold a bill of goods by ADT and Dr. Robert Neville aside, for most the "price" of l

      • The problem is that you can live in the best possible neighborhood and still have the slums next door on the internet. There is no "better neighborhood" on the internet that you could move to, because everyone, literally everyone, is living next door.

        You can of course choose to live in a gated community. But again, as the internet is a thoroughly bidirectional system, this also means that you live in a prison.

        Choose freedom and responsibility or prison and a warden that decides who may visit you and where y

    • Yup. I've seen industrial customers delay and delay adding in the security. There's worry that it's too complicated, that they'll brick their systems, etc. But you can't get both convenience and security at the same time.

    • It has nothing to do with the dancing pigs problem. 97% of us in 2017 know better than to run dancing_pigs.exe. At work people do not give a shit as it is your problem in the I.T. department since they do not own the systems, so it is an outlier. In 2002, when computers were new to non-nerds and business folks, it was an issue as grandma or a 50 year old Mom who doesn't use a PC at work had no idea why that would be bad.

      For non IT geeks outside of slashdot they plug in a TV and it works! They turn on a phone

      • Sorry, but I'm in the dancing pig business (or rather, dealing with the fallout of people clicking on them). They do. Boy, they do.

        People don't learn. You can tell them all you want, they don't learn. And to add insult to injury, you wouldn't believe how often you hear "how should I have known?", when they come in the second time with exactly the same fuckup after you told them specifically when it happened to them the first time.

        Another aspect is that people don't think that washing machines, fridges

    • People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.

      It's not that people don't want to know, it's that they are incapable of knowing the implications of their actions. People act the same way when they are presented with incredibly low odds of something. The same is evident by people staring at their cellphones while behind the wheel of a car, or making dodgy investment decisions.

      Then there's the implications of the security breach itself. The resulting damage is hard to quantify. You tell someone that their IoT device may turn into a spam bot and

  • We read about TVs that ceased to function after firmware upgrades, IP cameras that build botnets, viruses like Stuxnet that were drafted for specific targets, massive DDoS attacks... The world out there surely does not look pretty. If you need me, I will be at the internet attack shelter.
  • Currently: nobody. (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Saturday August 26, 2017 @06:57PM (#55091115)

    Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to this problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.

    • Well, care to tell me where I can buy secure shit?

      Just recently we had someone ask for suggestions for a 4k TV that does NOT try its best to connect to the internet and send all kinds of information to its master while at the same time allowing streaming from a LAN connected media source.

      As far as I know, nobody could point to such a thing.

      • Well, care to tell me where I can buy secure shit?

        You cannot, which is the point! If you want secure shit, you're going to need some basic regulation. It's the fools that buy insecure shit and keep claiming any kind of regulation is bad.

        The question that remains is if you are going to claim that any kind of regulation is bad.

    • We do not need regulation. Just give ISPs the power to shut off connections doing bot attacks. Once customers start getting their internet turned off and paying hundreds for geeks to come in and tell them that new camera, not a PC is the cause then the free market will kick in just like phones and cable modems today have basic security for this reason.

      • by Gravis Zero ( 934156 ) on Sunday August 27, 2017 @04:27AM (#55092335)

        Just give ISPs the power to shut off connections doing bot attacks.

        They already have that power and have always had that power.

        Once customers start getting their internet turned off and paying hundreds for geeks to come in and tell them that new camera, not a PC is the cause then the free market will kick in...

        Clearly, you don't understand how the free market works. The more likely scenario is that the customer would get frustrated and after wasting lots of time on customer support they would simply switch to an ISP that doesn't give a fuck if you are part of a botnet because you're giving them money. Why do you think they don't already cut off customers?

        • Then explain why routers and phones don't have these problems?

          The externality of poor quality is not passed to the consumer with IOT but to us. That is the problem. Not the market, and it explains why the other products mentioned do not have the problems. If they did the consumer would be harmed and they would not tolerate it.

          • Then explain why routers and phones don't have these problems?

            Back in the day, they did have these problems. However, after many iterations of the same product by the same companies competing to make a better version, they improved. The question is how many people are going to buy a new version of a wifi blender.

  • I have been predicting that at some point in the future, all switches, routers, etc. will have a firewall per port so you can control access to, well, everything, but especially this proliferation of IOT.

    Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.

    No matter what, it's going to be another wild wild west of security problems going forward; so many things have zero support after being shipped, it just works without any regard to security.

    • NAT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NAT. This provides an excellent opportunity to filter connections _into_ your local environment, as well as data _leaving_ your local environment.

      I'm seeing companies, partners, and clients entirely disable IPv6 on their local network because the increased address space encourages every device to be routable and accessible from the Internet at large. And I'm in full agreement, and it'

      • You're doing security wrong if you think NAT is a "solution" to properly securing IPv4 or IPv6 networks.

        My entire subnet of workstations has public IP, some still run DOS, OS9, WinXP etc. but you still can't access them from the Internet or even within the subnet.

        • It's a _start_, and an extremely useful one. There is a goal of some IPv6 and IoT advocates that every device in the world should be accessible via publishable IPv6 address. It was also one of the underlying constraints in setting the size of the IPv6 address space. Such exposure to externally routable or scannable addresses is completely unnecessary for most "IoT" devices, which can be run more safely in a "the device polls specific services on the Internet" rather than a "anything on the Internet can rea

    • >> Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
      That's not the purpose of IOT.
      IOT has two purposes:
      1) for manufacturers to reduce the cost of returns by allowing cheap software upgrades instead.
      2) collect data to be sold.

      IOT devices were never meant to talk to each other.

    • You can do this today, just need managed switches downstream and a more powerful router. Everything sits on its own VLAN.

      The problem is that it is immediately unmanageable. Too many devices (phone, tablet, laptop) need to access nearly everything and many devices use those "controllers" to proxy out data. Services change ports, IP Addresses, host names, etc, and you don't have a way to maintain the white list.

      For me, I have Untrusted, Trusted, and Private VLANs at home, But even that isn't enough. I shou

  • ... it's the manufacturer's responsibility.

    "Enter an administrative password and click Next to continue ..."

    I don't expect an award or stuff.

  • First, the vendor provides a default password.

    Second, the device needs its password changed before it works.

    The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
    • > First, the vendor provides a default password.

      > Second, the device needs its password changed before it works.

      _Thank you_. I'd not put it in such terms, but that is a viable approach which I'd gladly support.

      > The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.

      There is a similar situation now for cable modems. They print the default network and password names on the devices, partly t

    • The password is just the lowest hanging fruit. There are many ways to compromise a system.
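The provisioning policy argued for in the thread above (factory default password is the device's own serial number, and nothing works until it has been replaced), as an added example that is not any vendor's firmware; the device name, serial format and API responses are constructed for the example.

```python
"""Forced-credential-change policy for an IoT device at first use (added example).

Models the approach discussed in the thread: the factory default password is the
per-device serial number, and every API call is refused until that default has been
replaced with a password that is not the serial and is not trivially short.
All names and the serial number are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-device salt so the stored value is never the serial itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IoTDevice:
    MIN_PASSWORD_LEN = 12

    def __init__(self, serial: str):
        self.serial = serial
        self._salt = os.urandom(16)
        # Factory state: the only valid credential is the serial printed on the unit.
        self._pw_hash = _hash_password(serial, self._salt)
        self.default_credential_active = True
        self._sessions: Dict[str, dict] = {}

    def login(self, password: str) -> Optional[str]:
        """Return a session token on success, None on a bad password."""
        candidate = _hash_password(password, self._salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return None
        token = secrets.token_hex(16)
        # A session opened with the factory default is flagged until the password changes.
        self._sessions[token] = {"must_change_password": self.default_credential_active}
        return token

    def change_password(self, token: str, new_password: str) -> bool:
        session = self._sessions.get(token)
        if session is None:
            return False
        # Reject the serial number itself (case-insensitive) and short passwords.
        if new_password.strip().lower() == self.serial.lower():
            return False
        if len(new_password) < self.MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(new_password, self._salt)
        self.default_credential_active = False
        # The factory default is gone, so existing sessions may now use the device.
        for s in self._sessions.values():
            s["must_change_password"] = False
        return True

    def call_api(self, token: str, endpoint: str) -> str:
        """Every device function is gated on the default credential being retired."""
        session = self._sessions.get(token)
        if session is None:
            return "401 unauthenticated"
        if session["must_change_password"]:
            return "403 password change required"
        return f"200 {endpoint} ok"
```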

  • by BitterOak ( 537666 ) on Saturday August 26, 2017 @07:16PM (#55091167)

    "It is much too easy to connect devices and industrial equipment to the internet,"

    No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.

    • > No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet.

      I can attest to this from personal and painful experience with such devices as printers and certain medical appliance toolkits for "doctor's office" use.

  • by Nkwe ( 604125 ) on Saturday August 26, 2017 @07:16PM (#55091169)

    Ultimately the responsibility is the purchaser's. I don't necessarily mean from a legal sense, but from a "why it is the way it is" sense. Security (when compared to convenience) is expensive, it always has been and likely always will be. The cost of security must be included in the product and paid for by the purchaser. People generally want to spend as little as possible for a product and will choose the less expensive option if everything else appears equal or near equal. Since people in general don't understand the complexities and costs of a secure product, they don't feel the need to pay for it. Producers of products ultimately aim to please their customers and if customers don't want to pay for security, barring external regulation, they won't put security features in their products. Some day customers may demand security and when that happens manufacturers will oblige. I mentioned regulation as in "the government forces it". While this may happen, if it happens it will happen only if consumers get tired of insecure products and ask their governmental representatives to make the regulations. Either way the purchasers ultimately have the responsibility for why we don't have security in our products.
    • > Producers of products ultimately aim to please their customers

      Please forgive me, but this is a common misconception that I've had to address for a number of younger Libertarian advocates recently. There are many, many counterexamples of people and businesses who are purely interested in profit. Pleasing the customer is one means to encourage sales. But theft, fraud, and neglect of damage to customers are often more effective ways to increase profit in the short term, and they _are_ commonplace.

      I appre

    • Producers of products ultimately aim to please their customers

      If you got more material like this you could have a standup routine going by next weekend.

      Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best. If that's not necessary because the customer is stupid enough to fall for "ohh shiny!", "ohh shiny!" is all he'll get. Because it's simply cheaper than security.

      • by Nkwe ( 604125 )

        Producers of products ultimately aim to please their customers

        If you got more material like this you could have a standup routine going by next weekend.

        Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best.

        And because pleasing the customer is a necessary evil, producers ultimately do it, otherwise they would not have customers. I never meant to imply that producers were altruistic. Producers don't aim to please customers because they want them to be happy, they do it so that customers are happy enough (or at least willing) to make a purchase and not return the product.

        • Producers don't care if you're happy with the product. Only that you buy it.

          By now they have learned that the average person has the long term memory of a goldfish. They buy junk, they find out it doesn't work, they curse the manufacturer, then go and buy the same junk from the same manufacturer because it's the cheapest one.

          People are stupid. Producers have caught on.

      • If you got more material like this you could have a standup routine going by next weekend.

        Producers of products ultimately aim to make a profit.

        Are you really unable to connect the former with the latter? Even MBAs know the causal relationship between the two. The only businesses who break this causal relationship have some kind of market capture.

    • Generally that's why I hate the consumer oriented IoT. It gives a terrible name to the whole product because of the complete lack of quality and worst in class security. But even for commercial/industrial customers there's a lack of knowledge about security, but at least they have an idea that they want some of it.

  • I was always taught that if it has sensitive data, it's got to be secured. If it connects to anything else, it must be protected. If you don't want people doing things they aren't supposed to with it, you have to guard it against all inappropriate access and input.

    Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
    • I have a "smart" scale that logs my weight to an app. It also senses temperature, CO2 levels, and some other gimmicks. I just wanted the logging part when I bought it. The device connects to wifi so you can use the app.

      I don't consider my precise weight to be that personal of information, nor really the trends.

      Fast forward a few years, company gets acquired and the terms of service are "updated." How do I know my firewall rules now need to change?

  • No one.

    Next question?

    Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.

  • Interviewer: Mr. Ghandi, what do you think about security for the Internet of Things?

    Mahatma Ghandi: I think it would be a good idea.

    • Gandhi
    • Wasn't he also the guy who had an old spinning wheel instead of a weaving machine because he said with the spinning wheel he is the master while with a machine that you might not even own, you cannot be sure just who is the master and who is the slave?

      Talk about a prophet!

  • by Anonymous Coward

    THE PEOPLE SELLING THIS INSECURE SHIT!!

    Full stop. End of story.

    You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremberg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      To put this into a bit more context, imagine this were not IoT gadgets, but food. If a restaurant is poisoning people with bad food, nobody walks around saying, "Those people should have read up on the food safety tests." They say the restaurant should be shut down until it stops poisoning people. If a company is literally dumping crap on the highway, nobody says, "Well, drive somewhere else then!" They yell for the local sheriff to haul those fuckers to jail. This is not a market failure, it is not an issu

    • > YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it

      Establishing enough culpability, in a court of law, with the End User License Agreement for most such devices is not feasible. And by the time such a lawsuit makes it to a courtroom, the original vendor is usually gone. It's an extremely volatile field, these vendors are not thinking in the long term and so far only a few have lasted even 3 years.

  • by ron_ivi ( 607351 ) <sdotno@@@cheapcomplexdevices...com> on Saturday August 26, 2017 @09:48PM (#55091557)

    By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.

    That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.

    If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.

    • How do you let the stupid device's cloud service work? Too many devices are engineered so the smarts are in the "cloud" rather than local.

      • by ron_ivi ( 607351 )

        I'd argue:

        * Ideally - you wouldn't, so manufacturers stop that stupidity. They're primarily doing it for spyware --- which is exactly what a home router should protect against.

        * If for some reason a user really wants to be spied on in that way, they can provide instructions how to open whatever is necessary in a firewall.

        * If it has to communicate with a cloud --- especially if it can update itself from the cloud -- that device should ***NOT*** be able to communicate with the rest of your network.
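The router stance described in this subthread (an IoT device reaches only what its owner explicitly allowed, never the rest of the home network), as an added example and not anything from the commenters; the VLAN, router address, device addresses and vendor cloud range are constructed for the example.

```python
"""Default-deny egress policy for an untrusted IoT segment (added example).

Evaluates a flow from the IoT VLAN against the policy argued for above: DNS to the
router is the only implicit allow, everything else needs an explicit per-device rule,
and a denied flow toward the rest of the home network is reported separately so the
owner can see when a device tried to reach the LAN. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")        # constructed
ROUTER = ipaddress.ip_address("192.168.50.1")              # constructed
HOME_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Allow:
    """An owner-written exception: one device, one destination network, one port."""
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow, allows: List[Allow]) -> str:
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_VLAN:
        return "not-iot"          # other segments are policed by their own rules
    # The router's resolver is the only thing a device may reach without a rule.
    if dst == ROUTER and flow.proto == "udp" and flow.dport == 53:
        return "allow"
    for rule in allows:
        if (src == ipaddress.ip_address(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and flow.proto == rule.proto and flow.dport == rule.dport):
            return "allow"
    # No rule matched: distinguish a LAN probe from ordinary unapproved egress.
    if any(dst in net for net in HOME_NETWORKS):
        return "deny-lan"
    return "deny-default"
```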

  • by ka9dgx ( 72702 ) on Saturday August 26, 2017 @11:51PM (#55091805) Homepage Journal

    With the currently available crop of consumer oriented operating systems, it is simply NOT POSSIBLE to make a secure device. None of them offer capability based security.... the operating system equivalent to modern electrical standards... imagine trying to hook up every appliance everywhere, with no circuit breakers, no standard outlets, no grounding, no conduit, all supported by post and spool insulators.

    Once a program is run, it gets trusted with all authority of the user running it. There are no effective measures to limit the side effects (and thus risk/damage) that a given chunk of code can do.

    Another equivalent is like building a Fort out of stacks of C4 explosives.

    Until we get HURD, Genode, or a modern replacement for KeyKOS, we can't make secure devices. Stop blaming the developers, or users, or chip makers... it's not their fault. It's the fault of every Linux, MacOS, or Windows fanboy in the world.

  • by BronsCon ( 927697 ) <social@bronstrup.com> on Sunday August 27, 2017 @12:13AM (#55091861) Journal
    I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.
    • I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.

      For decades, I hoped that the average consumer would get smarter about computers and electronics to drive good secure design.

      What we have instead is touch-screen app-driven systems that can be operated by a 3-year old who swipes right to login.

      As manufacturers have to make more devices idiot-capable, you expect users to "wise up"?

      That's a fucking laugh.

      • The real laugh is that you think manufacturers have to make devices idiot-capable. If they stopped spending R&D money on that and, instead, spent that money on security, users would have to wise up and we'd get more secure devices. It'd be a win-win.
        • The real laugh is that you think manufacturers have to make devices idiot-capable. If they stopped spending R&D money on that and, instead, spent that money on security, users would have to wise up and we'd get more secure devices. It'd be a win-win.

          You're delusional if you think the masses actually care to learn about computer security, or implement good security. Never have. Never will.

          And at the end of the day consumers will always build a bigger idiot, so manufacturers will continue to be forced to make hardware idiot-proof. Otherwise sales fall. Plain and simple.

          The future of consumer computing is a device with a single button that enables a voice assistant that will understand anyone with a 6th-grade education.

          Oh, wait. Nevermind. The future

          • I think you've missed my point. Users are currently buying devices that ship insecure by default because they cannot be secured. Read what I've written a few more times, put that 6th grade education to work, and realize that I am suggesting that manufacturers ultimately secure their shit, but that users be held responsible for their own poor decisions in the interim.
            • I think you've missed my point. Users are currently buying devices that ship insecure by default because they cannot be secured. Read what I've written a few more times, put that 6th grade education to work, and realize that I am suggesting that manufacturers ultimately secure their shit, but that users be held responsible for their own poor decisions in the interim.

              Perhaps you've also missed my point, which tends to clarify why we have insecure products. You want manufacturers to "secure their shit"? Well, that would require an end user to know what the fuck they're doing, which they don't. There's another way of describing "insecure by default"; it's called idiot-proof. IoT breeds insecurity today because the majority of consumers are not as smart as the app-controlled light bulb they bought, which is also why manufacturers cannot afford to secure their shit and

              • As far as users being responsible for their own actions (or inactions), ignorance and stupidity are a recognized defense in the legal system we have today, which no longer recognizes common sense.

                So you're suggesting we shouldn't push to fix that? Because I'm arguing that we should.

  • by gordguide ( 307383 ) on Sunday August 27, 2017 @01:58AM (#55092041)

    This one's pretty easy to figure out. It's the manufacturer ... or in the modern world, the company that creates the product, sent out for manufacturing ... who is responsible for IoT security.

    But there is a problem. There is the rush to get the product to market, which means bad code is "good enough", and the lack of any repercussions if security is an afterthought, or worse.

    Consumers have a responsibility to insist companies make an effort with security. They simply don't, as they aren't generally sophisticated enough to see a problem exists.

    That leaves Government ... yeah, I know ... to protect consumers with legislation. That's how consumer protection works, and it's the only way we know to make it work.

    Which brings up another issue ... Government is not very good at technology, and in the current fast-paced digital landscape, they are inclined to let the market sort itself out.

    You can see the problem here ... it's a circular situation. No-one is willing, and you can make a good argument that no-one is able (that is, amongst either Consumer watchdogs or the buying public), to identify security as a priority. /. readers might be aware of the problem, but we are not the majority. Tech writers, who are generally not very good at anything beyond cheerleading for the latest gadget, need to step up and make consumers aware that security should be a buying criterion.

    They should be shaming manufacturers (putting aside that the term has changed in meaning) into hiring competent code developers and creating secure products. And maybe then at least the problem could be minimized.

  • by golodh ( 893453 ) on Sunday August 27, 2017 @02:03AM (#55092047)
    It's interesting to read the comments above because most of them identify one, and only one, actor and attempt to put the entire burden of security on that actor.

    End-users whose hardware is used to run a botnet should be liable, say some. The manufacturers of the IoT device should secure their devices, aver others. ISPs should not be allowed to just provide dumb pipes, chime in some. It's a cultural issue, says the paper referred to in the article.

    To make things interesting, for each candidate scapegoat there are apologists. End-users are too clueless, you can't expect them to take responsibility, say some. The market precludes manufacturers from putting money in (security) features nobody wants, say some. ISPs shouldn't be press-ganged to play network cop, say others.

    All of them are both right and wrong, I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturers are responsible for providing a car with certain minimum quality and safety features. They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county, state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individual drivers from making mistakes or driving under the influence.

    So it's not a contradiction to say that every actor is liable for a subset of the risks.

    The government can do a lot by adopting a law that any and all IoT devices must be capable of being secured, among others, against unauthorised access. No more, no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in, because nobody is going to undercut them on that. ISPs shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".

    It will take a while to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.

    Besides, there could well be money in it too.

    What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution? I think it will find takers in the EU, Japan, Korea, Taiwan at least.

    Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?

    Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.

  • The manufacturer of the IoT device? Don't want to be responsible for security? Don't include it in your product!
  • The problem, indeed, is half cultural; as I wrote in my book High Assurance Design,

    1. The average programmer is woefully untrained in basic principles related to reliability and security.
    2. The tools available to programmers are woefully inadequate to expect that the average programmer can produce reliable and secure applications.
    3. Organizations that procure applications are woefully unaware of this state of affairs, and take far too much for granted with regard to security and reliability.

    At this point, I think th

  • While I realize most end users neither know nor care about security enough to actually be entirely responsible for security, I believe that the end-user assuming such responsibility is the only answer that makes any real sense when looking at the big picture. Caveat: the manufacturer should make facilities available, and publish sufficient information about managing their device, so that it is at least possible for the end-user to assume such responsibility. As a first prerequisite, this would mean that a
  • While humans are responsible for the IoH, it's clear who is responsible in the IoT.

  • It's like asking who is responsible for your web app security?
