Who's Responsible For IoT Security? (networkworld.com) 181
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF].
The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
argh (Score:2, Funny)
Who's Responsible For IoT Security?
Shit... I think it was me. Sorry guys- the whole thing is my fault. I'll get on it ASAP.
But seriously, if you have one IoT device selling for $59 and an equivalent one with better security selling for $65, I can tell you which people are going to buy.
Re: (Score:2)
The problem is security doesn't count as a feature and most sales people just do a trust me.
Hard one... (Score:5, Insightful)
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as costumers/businesses that are getting the products should be looking into it.
Unfortunately, there's no easy answer as to solve the entire conundrum. This might be one case were we'll eventually need government interference and regulation there to safeguard public privacy and security just as much as we have quality standards and aproval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.
And I think soon we'll end up with independent businesses whose sole purpose is do independent testing for security and privacy... I mean, they are already there seem as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.
It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.
Re:Hard one... (Score:5, Insightful)
No, not just developers. I work on IoT, we do security and we try to do the best security. Customers don't think this is important. It raises the cost. We get a max cost of a product and adding security can blow past it. A big problem is with companies and customers alike wanting to jump on the band wagon with instant results.
Also, security requires resources. More memory, better chips (ie, keep keys out of RAM), use PKI instead of preshared keys, etc. Every framework online that claims to IoT ready is severely lacking, not just in security but usability. When they have security it's very large (larger in code than many low power chips can handle) and since it's "portable" they make no use of hardware supplied security.
Now try to combine that with a battery life measured in decades, fast network response, customer modifications, etc.
Re:Hard one... (Score:5, Insightful)
It's going to take lawsuits and maybe legislation to fix this. People wouldn't pay for safe cars given the choice, but since the consequences of that can end up hurting other people they have to be forced to.
Re: (Score:2)
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
Negative. The only person responsible for security to your network is *you*. The problem is that these things are generally sold to a public that lacks the skills to responsibly manage their own network.
Re: (Score:2)
Funny. We do not have these problems with phones. TVs. Computers. Or refrigerators.
Consumers plug them in and they just work. Why would the cool new camera to put in the office be any different?
No, the reason is if the consumer received a financial penalty or looses his or her data then all hell breaks loose the company gets prosecuted and risks a huge financial liability.
If the camera in the office gets botted and sends data galore to take down servers who cares? Not their problem. Everything works just fi
Re: (Score:2)
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
Manufacturers understand one thing that you've failed to recognize; know your audience.
If you were to actually make an IoT product with security as the priority, and require consumers to configure and manage that security, it wouldn't sell. Manufacturers know this. That is why they have to make every product so stupidly simple it can be configured and controlled by a 3-year old child. Good security is often sacrificed because of this requirement.
Oversharing and devices riddled with data telemetry creati
Re: (Score:2)
I would say that if a user does not at least make a good faith effort to secure his things using the documentation available, and his stuff gets compromised, then the majority of the responsibility falls on his shoulders.
If the user does do his best to secure it, and it still gets compromised, then the blame falls on whatever entities were responsible for the development of whatever component was the weak link.
Re: (Score:3)
> I would say that if a user does not at least make a good faith effort to secure his things using the documentation available
I'm afraid that the documentation is _not_ available. Features are modified without notification, especially including how new "features" are designed and how the back end data is protect on the vendor's part. I'm afraid I recently attended a presentation on a new set of IoT devices, and had a quiet back room talk with several of the IT personnel about how they handle the data. I
Re: (Score:2)
Under the proposed rules, this would make it the fault of whomever ensured that no matter what the user did, their things would be insecure. A good way to encourage them to think about it is to have it be a liability risk--make the potential costs serious enough, and you'll have their legal department insisting.
I suggest starting with your legislator(s) to make it so security is not something they can get freed from liability for by having the EULA say it's your problem not theirs if they screw up. (Yes,
Re: (Score:2)
The user doesn't even know that an IOT is not secure. After all his phone is and so is the cable modem right?
Until ISPs start disconnected internet service and hit the consumers by the pocketbook this will continue. We know if phones could randomly be botted or cable modems with no security 0wned every PC in 2 mins that company would be prosecuted and sued a million times over for losses.
Re: (Score:2)
My bad, people. I still conflate Internet of Things with Things on the Internet (traditional things like routers and game consoles and whatnot).
Let me refine my statement to something more like:
If the IoT device in question has sufficient documentation for the user to configure securely, then they are the first line of blame if they do not do their due diligence in securing it. But they are also first to be responsible for their actions if the IoT device in question has reports easily available with a Web
Re: (Score:2)
It gets even harder than that though; a generally benign hole in two different products can lead to a much more serious compromise in both products. The interaction issues are very hard for most people to comprehend, much less act on.
Re: (Score:2)
This is not true everywhere. In quite a number of European countries, the manufacturer is responsible for what the customer could reasonably expect from the product.
It's the classical dancing pigs problem (Score:5, Informative)
Only worse.
Here [wikipedia.org] you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
Re: (Score:3)
Maybe initially. When it begins to impact them they'll care. Someone hack the thermostat and ran your AC bill up to 1000 bucks for the month? Suddenly security becomes quite the consideration.
Given the impact connected discrete peripherals can have on people, I fully expect this nonchalance towards security to be a phase. A very very short phase.
Re: (Score:2)
Not is we allow them to sue the manufacturers and everyone else they want rather than have any responsibility
Re: (Score:2)
This is a great example of an unrealistic FUD scenario. It's going to take:
a) Something that would really happen, not just could happen, and the "could" here, at least for anyone actually at home at the time, is very weak.
b) Something that happens to a large number of people, not just "the other guy", i.e. the guy who dies in a car accident because he was distracted by eating a burrito.
c) Something expensive enough to be worth the trouble to defend against it.
d) Something where the damages will not
Re: (Score:2)
You're forgetting the possibility that such problems might result in the IoT ending up being essentially a fad--with people opting to simply not have anything important hooked up to the IoT once the problems with securing it become sufficiently known and left unfixed. You might have a few things still connected, maybe a few exterior lights hooked up so you could switch them on remotely, but beyond that? Nope.
Re: (Score:2)
For this to really have any measurable impact, it would not only have to happen to a LOT of people, if not to everyone who ever bought an insecure IoT gadget. Why? Experience.
For ages we have banking trojans, and still people click every bullshit. We've had encryption trojans for a while now too, and still people neither make backups nor do they up their security. Both things still work as planned. Because it doesn't happen to enough people. And as long as it's not just happening to someone who happens to b
Re: (Score:2)
Right, they don't want to know. They don't want security. What they want is a crime-free neighborhood. In the end, it comes down to economics. People make rational individual economic choices about security. Consider how people have long handled security for their homes. Most homes and even businesses are not physically secure in any way even close to what is being demanded by security zealots. Setting people who got sold a bill of goods by ADT and Dr. Robert Neville aside, for most the "price" of l
Re: (Score:2)
The problem is that you can live in the best possible neighborhood and still have the slums next door on the internet. There is no "better neighborhood" on the internet that you could move to, because everyone, literally everyone, is living next door.
You can of course choose to live in a gated community. But again, as the internet is a thoroughly bidirectional system, this also means that you live in a prison.
Choose freedom and responsibility or prison and a warden that decides who may visit you and where y
Re: (Score:2)
Yup. I've seen industrial customers delay and delay adding in the security. There's worry that it's too complicated, that they'll brick their systems, etc. But you can't get both convenience and security at the same time.
Re: (Score:2)
It has nothing to do with the dancing pigs problem. 97% of us in 2017 know better than to run dancing_pigs.exe. At work people do not give a shit as it is your problem in the I.T. department since they do not own the systems so it is an outliner. In 2002 when computers were new to non-nerds and business folks it was an issue as grandma or a 50 year old Mom who doesn't use a PC at work had no idea why that would be bad.
For non IT geeks outside of slashdot they plug in a TV and it works! They turn on a phone
Re: (Score:2)
Sorry, but I'm in the dancing pig business (or rather, dealing with the fallout of people clicking on them). They do. Boy, they do.
People don't learn. You can tell them all you want, they don't learn. And to throw insult after injury, you wouldn't believe how often you hear "how should I have known?", when they come in the second time with exactly the same fuckup after you told them specifically when it happened to them the first time.
Another aspect is that people don't think that washing machines, fridges
Re: (Score:2)
People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
It's not that people don't want to know, it's that they are incapable of knowing the implications of their actions. People act like this the same when when they are presented with incredible low odds of something. The same is evident by people staring in their cellphones while behind the wheel of a car, or making dodgy investment decisions.
Then there's the implications of the security breach itself. The resulting damage is hard to quantify. You tell someone that their IoT device may turn into a spam bot and
Just check the status as of today (Score:2)
Currently: nobody. (Score:5, Insightful)
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to these problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.
Re: (Score:2)
Well, care to tell me where I can buy secure shit?
Just recently we had someone ask for suggestions for a 4k TV that does NOT try its best to connect to the internet and send all kinds of information to its master while at the same time allowing streaming from a LAN connected media source.
As far as I know, nobody could point to such a thing.
Re: (Score:2)
Well, care to tell me where I can buy secure shit?
You cannot, which is the point! If you want secure shit, you're going to need some basic regulation. It's the fools that buy insecure shit and keep claiming any kind of regulation is bad.
The question that remains is if you are going to claim that any kind of regulation is bad.
Re: (Score:2)
We do not need regulation. Just give ISPs the power to shut off connections doing bot attacks. Once customers start getting their internet turned off and paying hundreds for geeks to come in and tell them that new camera, not a PC is the cause then the free market will kick in just like phones and cable modems today have basic security for this reason.
Re:Currently: nobody. (Score:5, Insightful)
Just give ISPs the power to shut off connections doing bot attacks.
They already have that power and have always had that power.
Once customers start getting their internet turned off and paying hundreds for geeks to come in and tell them that new camera, not a PC is the cause then the free market will kick in...
Clearly, you don't understand how the free market works. The more likely scenario is that the customer would get frustrated and after wasting lots of time on customer support they would simply switch to an ISP that doesn't give a fuck if you are part of a botnet because you're giving them money. Why do you think they don't already cut off customers?
Re: (Score:2)
Then explain why routers and phones don't have these problems?
The externality of a poor quality is not passed to the consumer with IOT but to us. That is the problem. Not the market and explains why the other products mentioned do not have the problems. If they did the consumer would be harmed and they would not tolerate it.
Re: (Score:2)
Then explain why routers and phones don't have these problems?
Back in the day, they did have these problems. However, after many iterations of the same product by the same companies competing to make a better version, they improved. The question is how many people are going to buy a new version of a wifi blender.
Re: (Score:2)
> It's largely not the individuals purchasing the insecure IoT devices who are directly harmed by the security holes.
I agree that most of the harm is indirect. Botnets hosted on various IoT devices are an issue. Another issue is the regulatory difficulty of embedding robust security in such devices. To quote from the Wikipedia article on encryption export controls:
> As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Securit
Per port firewalls. (Score:2)
I have been predicting that at some point in the future, all switches, routers, etc will have a firewall per port so you can control access to well everything but especially this proliferation of IOT.
Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
No matter what its going to be another wild wild west of security problems going forward, so many things have zero support after being shipped, it just works without any regard to security.
Re: (Score:3)
NaT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NaT. This provides an excellent opportunity filter connections _into_ your local environment, as well as data _leaving_ your local environment.
I'm seeing companies, partners, and clients entirely disable IPv6 entirely on their local network because the increased address space encourages every device to be routable and accessible from the Intenet at large. And I'm in full agreement, and it'
Re: Per port firewalls. (Score:2)
You're doing security wrong if you think NAT is a "solution" to properly securing IPv4 or IPv6 networks.
My entire subnet of workstations has public IP, some still run DOS, OS9, WinXP etc. but you still can't access them from the Internet or even within the subnet.
Re: (Score:2)
It's a _start_, and an extremely useful one. There is a goal of some IPv6 and IoT advocates that every device in the world should be accessible via publishable IPv6 address. It was also one of the underlying constraints in setting the size of the IPv6 address space. Such exposure to externally routable or scannable addresses is completely unnecessary for most "IoT" devices, which can be run more safely in a "the device polls specific services on the Internet" rather than a "anything on the Internet can rea
Re: (Score:3)
ISP control of your internal address range is an b (Score:2)
ISP control of your internal address range is an bad idea but that seems to be IPv6 pushes.
Now What if I need servers on the inside network with fixed ip's and I don't want them to have direct Internet links?
Re: (Score:2)
Not really; a stateful firewall is a much better start as what it does is much clearer. The problem is that when a device itself can't be trusted it is already piercing the firewall.
That's not the point (Score:2)
>> Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
That's not the purpose of IOT.
IOT has two purposes :
1) for manufacturers to reduce the cost of return by allowing cheap software upgrades instead.
2) collect data to be selled.
IOT devices were never meant to talk to each other.
Re: (Score:2)
You can do this today, just need managed switches downstream and a more powerful router. Everything sits on its own VLAN.
The problem is that it is immediately unmanageable. Too many devices (phone, tablet, laptop) need to access nearly everything and many devices use those "controllers" to proxy out data. Services change ports, IP Addresses, host names, etc, and you don't have a way to maintain the white list.
For me, I have Untrusted, Trusted, and Private VLANs at home, But even that isn't enough. I shou
This is easy ... (Score:2)
... it's the manufacturer's responsibility.
"Enter an administrative password and click Next to continue ..."
I don't expect an award or stuff.
It's 2 part (Score:2)
Second, the device need's it's password changed before it works.
The other option is for the default password to be the serial number of the device, which will probably cause vendors $0.01 more but save on customer support calls.
Re: (Score:2)
> First, the vendor provides a default password.
> Second, the device need's it's password changed before it works.
_Thank you_. I'd not put it in such terms, but that is a viable approach which I'd gladly support.
> The other option is for the default password to be the serial number of the device, which will probably cause vendors $0.01 more but save on customer support calls.
There is a similar situation now for cable modems. They print the default network and password names on the devices, partly t
Re: It's 2 part (Score:2)
Until you can query the serial number using a variety of ways e.g. SNMP or whatever else the devs leave laying around.
Re: (Score:2)
Where I live, they change the password from the default one during the setup process on the cable modems. Annoyingly, changing the network name isn't as automatic and so you've got a lot of networks with the same name, different password in my area.
and concast cable has there own WIFI network runin (Score:2)
and concast cable has there own WIFI network running on the system at your home.
Re: (Score:2)
The password is just the lowest hanging fruit. There are many ways to compromise a system.
Summary misses most serious problem... (Score:5, Interesting)
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
Re: (Score:2)
> No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet.
I can attest to this from personal and painful experience with such devices as printers and certain medical appliance toolkits for "doctor's office" use.
People who buy them (Score:3)
Re: (Score:2)
> Producers of products ultimately aim to please their customers
Please forgive me, but this is a common misconception that I've had to address for a number of younger Libertarian advocates recently. There are many, many counterexamples of people and businesses who are purely interested in profit. Pleasing the customer is one means to encourage sales. But theft, fraud, and neglect of damage to customers are often more effective ways to increase profit in the short term, and they _are_ common place.
I appre
Re: (Score:2)
Producers of products ultimately aim to please their customers
If you got more material like this you could have a standup routine going by next weekend.
Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best. If that's not necessary because the customer is stupid enough to fall for "ohh shiny!", "ohh shiny!" is all he'll get. Because it's simply cheaper than security.
Re: (Score:2)
Producers of products ultimately aim to please their customers
If you got more material like this you could have a standup routine going by next weekend.
Producers of products ultimately aim to make a profit. Pleasing the customer is a necessary evil, at best.
And because pleasing the customer is a necessary evil, producers ultimately do it, otherwise they would not have customers. I never meant to imply that producers were altruistic. Producers don't aim to please customers because they want them to be happy, they do it so that customers are happy enough (or at least willing) to make a purchase and not return the product.
Re: (Score:2)
Producers don't care if you're happy with the product. Only that you buy it.
By now they have learned that the average person has the long term memory of a goldfish. They buy junk, they find out it doesn't work, they curse the manufacturer, then go and buy the same junk from the same manufacturer because it's the cheapest one.
People are stupid. Producers have caught on.
Re: (Score:2)
If you got more material like this you could have a standup routine going by next weekend.
Producers of products ultimately aim to make a profit.
Are you really unable to connect the former with the latter? Even MBAs know the causal relationship between the two. The only businesses who break these causal relationship have some kind of market capture.
Re: (Score:2)
Generally that's why I hate the consumer oriented IoT. It gives a terrible name to the whole product because of the complete lack of quality and worst in class security. But even for commercial/industrial customers there's a lack of knowledge about security, but at least they have an idea that they want some of it.
Re: (Score:2)
Just freaking wow! (Score:2)
Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
Re: (Score:2)
I have a "smart" scale that logs my weight to an app. It also senses temperature, CO2 levels, and some other gimmicks. I just wanted the logging part when I bought it. The device connects to wifi so you can use the app.
I don't consider my precise weight to be that personal of information, nor really the trends.
Fast forward a few years, company gets acquired and the terms of service are "updated." How do I know my firewall rules now need to change?
The answer is... (Score:2)
No one.
Next question?
Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.
Channelling Mahatma Ghandi (Score:2)
Interviewer: Mr. Ghandi, what do you think about security for the Internet of Things?
Mahatma Ghandi: I think it would be a good idea.
Re: (Score:2)
Re: (Score:2)
Wasn't he also the guy who had an old spinning wheel instead of a weaving machine because he said with the spinning wheel he is the master while with a machine that you might not even own, you cannot be sure just who is the master and who is the slave?
Talk about a prophet!
Are you fucking kidding? (Score:2, Interesting)
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremburg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable
Re: (Score:3, Interesting)
To put this into a bit more context, imagine this were not IoT gadgets, but food. If a restaurant is poisoning people with bad food, nobody walks around saying, "Those people should have read up on the food safety tests." They say the restaurant should be shut down until it stops poisoning people. If a company is literally dumping crap on the highway, nobody says, "Well, drive somewhere else then!" They yell for the local sheriff to haul those fuckers to jail. This is not a market failure, it is not an issu
Re: (Score:3)
> YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it
Establishing enough culpability, in a court of law, with the End User License Agreement for most such devices is not feasible. And by the time such a lawsuit makes it to a courtroom, the original vendor is usually gone. It's an extremely volatile field, these vendors are not thinking in the long term and so far only a few have lasted even 3 years.
Your Home Router should. (Score:3)
By default, it seems that your home firewall should restrict any packets from whatever stupid crap you put on your network.
That way such devices can't spy on you or hack the rest of your home network, unless you explicitly allow them in your firewall.
If you push the responsibility to dozens of different device vendors, you'll never be able to adequately vet them all.
Re: (Score:2)
How do you let the stupid device's cloud service work? Too many devices are engineered so the smarts are in the "cloud" rather than local.
Re: (Score:2)
I'd argue:
* Ideally - you wouldn't, so manufacturers stop that stupidity. They're primarily doing it for spyware --- which is exactly what a home router should protect against.
* If for some reason a user really wants to be spied on in that way, they can provide instructions how to open whatever is necessary in a firewall.
* If it has to communicate with a cloud --- especially if it can update itself from the cloud -- that device should ***NOT*** be able to communicate with the rest of your network.
They CAN'T make secure devices (Score:3)
With the currently available crop of consumer oriented operating systems, it is simply NOT POSSIBLE to make a secure device. None of them offer capability based security.... the operating system equivalent to modern electrical standards... imagine trying to hook up every appliance everywhere, with no circuit breakers, no standard outlets, no grounding, no conduit, all supported by post and spool insulators.
Once a program is run, it gets trusted with all authority of the user running it. There are no effective measures to limit the side effects (and thus risk/damage) that a given chunk of code can do.
Another equivalent is like building a Fort out of stacks of C4 explosives.
Until we get HURD, Genode, or a modern replacement for KeyKOS, we can't make secure devices. Stop blaming the developers, or users, or chip makers... it's not their fault. It's the fault of every Linux, MacOS, or Windows fanboy in the world.
The user. (Score:3)
Re: (Score:2)
I say make the user responsible. After a few get locked up for attacks perpetrated by their light bulbs, they'll wise up and stop buying insecure shit products.
For decades, I hoped that the average consumer would get smarter about computers and electronics to drive good secure design.
What we have instead is touch-screen app-driven systems that can be operated by a 3-year old who swipes right to login.
As manufacturers have to make more devices idiot-capable, you expect users to "wise up"?
That's a fucking laugh.
Re: (Score:2)
Re: (Score:2)
The real laugh is that you think manufacturers have to make devices idiot-capable. If they stopped spending R&D money on that and, instead, spent that money on security, users would have to wise up and we'd get more secure devices. It'd be a win-win.
Your delusional if you think the masses actually care to learn about computer security, or implement good security. Never have. Never will.
And at the end of the day consumers will always build a bigger idiot, so manufacturers will continue to be forced to make hardware idiot-proof. Otherwise sales fall. Plain and simple.
The future of consumer computing is a device with a single button that enables a voice assistant that will understand anyone with a 6th-grade education.
Oh, wait. Nevermind. The future
Re: The user. (Score:2)
Re: (Score:2)
I think you've missed my point. Users are currently buying devices that ship insecure by default because they can not be secured. Read what I've written a few more times, put that 6th grade education to work, and realize that I am suggesting that manufacturers ultimately secure their shit, but that users be held responsible for their own poor decisions in the interim.
Perhaps you've also missed my point, which tends to clarify why we have insecure products. You want manufacturers to "secure their shit"? Well that would require an end user to know what they fuck they're doing, which they don't. There's another way of describing "insecure by default"; it's called idiot-proof. IoT breeds insecurity today because the majority of consumers are not as smart as the app-controlled light bulb they bought, which is also why manufacturers cannot afford to secure their shit and
Re: (Score:2)
As far as users being responsible for their own actions (or inactions), ignorance and stupidity are a recognized defense in the legal system we have today, which no longer recognizes common sense.
So you're suggesting we shouldn't push to fix that? Because I'm arguing that we should.
This one's pretty easy ... (Score:3)
This one's pretty easy to figure out. It's the manufacturer ... or in the modern world, the company that creates the product, sent out for manufacturing ... who is responsible for IoT security.
But there is a problem. There is the rush to get the product to market, which means bad code is "good enough", and the lack of any repercussions if security is an afterthought, or worse.
Consumers have a responsibility to insist companies make an effort with security. They simply don't, as they aren't generally sophisticated enough to see a problem exists.
That leaves Government ... yeah, I know ... to protect consumers with legislation. That's how consumer protection works, and it's the only way we know to make it work.
Which brings up another issue ... Government is not very good at technology, and in the current fast-paced digital landscape, they are inclined to let the market sort itself out.
You can see the problem here ... it's a circular situation. No-one is willing, and you can make a good argument that no-one is able (that is, amongst either Consumer watchdogs or the buying public), to identify security as a priority. /. readers might be aware of the problem, but we are not the majority. Tech writers, whom are generally not very good at anything beyond cheerleading for the latest gadget, need to step up and make consumers aware that security should be a buying criteria.
They should be shaming manufacturers (putting aside that the term has changed in meaning) into hiring competent code developers and creating secure products. And maybe then at least the problem could be minimized.
All actors have some responsability (Score:3)
End-users whose hardware is used to run a botnet should be liable say some. The manufacturers of the IoT device should secure their devices aver others. ISP's should not be allowed to just provide dumb pipes chime in some. It's a cultural issue says the paper referred to in the article.
To make things interesting, for each candidate scape-goat there are apologists. End-users are too clueless, you can't expect them to take responsibility say some. The market precludes manufacturers from putting money in (security) features nobody wants say some. ISP's shouldn't be press-ganged to play network cop say others,
All of them are both right and wrong I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturer are responsible for providing a car with certain minimum quality and safety features.They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individuals drivers from making mistakes or driving under influence.
So it's not a contradiction to say that every actor is liable for a subset of the risks.
The government can do a lot by adopting a law that all and any IoT devices must be capable of being secured among others against unauthorised access. No more no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in because nobody is going to undercut them on that. ISP's shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".
It will take awhile to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.
Besides, there could well be money in it too.
What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution. I think it will find takers in the EU, Japan, Korea, Taiwan at least.
Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?
Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.
Re: (Score:2)
TFM (The Friendly Manufacturer) (Score:2)
Good luck changing culture (Score:2)
The problem indeed, is half cultural; as I wrote in my book High Assurance Design,
At this point, I think th
An unpopular answer: the end user (Score:2)
The things are (Score:2)
While humans are responsible for the IoH, it's clear who is responsible in the IoT.
Wtf? (Score:2)
Re: (Score:2)
And software is also the only product where you get away with something like this.
Re: (Score:2)
In the United States IoT (Internet of Things) has no legal definition.
Microwave ovens on the other hand are legally defined and have several federal regulations concerning them. USC Title 21, Chapter 9, Subchapter V as well as Subchapter J, parts 1000 through 1005., 1010 and 1030.10.
Manufacturers and individuals get "a pass" unless there is a specific law regulating their behavior.
Re: (Score:2)
Please excuse my lack of understanding, but what is the relevance of whether the "IoT" is the local hardware or the network over which the data is shared, or the services on which the data is stored and services provided by the vendor?
IoT security dosn't exist (Score:2)
"IoT security"
These words are incompatible.
Re: (Score:2)
We all should be conserned about everyone security.
If you see something insecure and you let it be without saying something then you are at fault.
Black hats are often worse because beyond seeing the volnerability and not reporting it they exploit it.
So your internet enabled tea kettle has a flaw and you know about it and you didn't do anything about it, such as putting it on a different network with strict firewall rules and you know how to do this then you are at fault.
If the store that sold it to you and
Re:Full stack security is needed. Use OpenBSD. (Score:5, Insightful)
Security is everybody's responsibility.
Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.
Re: (Score:3)
Many IoT devices are locked so that only the manufacturer can update them - if even they can. Some have firmware on OTP proms and the only way to increase security is to replace the device. But they can still be abused.
Ultimately if an IoT device is insecure it shall be the manufacturer of the device that shall be responsible for correcting the problem.
Also realize that your devices on the net at home may need to be segmented. One segment for devices you can't configure like TV, dishwasher and other mundane
Re: Full stack security is needed. Use OpenBSD. (Score:2)
Possibly, people have installed it in stranger places.
Alternatively, you could have it connect to your *BSD box and manage it from there, without needing to allow it to connect to the Internet at large.
Re: (Score:2)
the end user does not care or understand what IoT even is.
That is a problem and needs to change. If someone assists in running a botnet through negligence, they need to be taken to court for that. That the devices should be more secure does not reduce their responsibility to do their part.
Much like a landlord who turns a blind eye to what goes on on their property, they are willfully negligent and should be found guilty of aiding and abetting.
Once a few ordinary people get convicted, then perhaps the rest will start being careful.
Re: Seems obvious. (Score:2)
No. Not the ISP. The ISP should be just a dumb pipe.