Who's Responsible For IoT Security? (networkworld.com)
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF]. The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
Janit0r is responsible because he bricks your insecure devices.
;)
Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.
Unfortunately, there's no easy answer as to how to solve the entire conundrum. This might be one case where we'll eventually need g
I would say that if a user does not at least make a good faith effort to secure his things using the documentation available, and his stuff gets compromised, then the majority of the responsibility falls on his shoulders.
If the user does do his best to secure it, and it still gets compromised, then the blame falls on whatever entities were responsible for the development of whatever component was the weak link.
> I would say that if a user does not at least make a good faith effort to secure his things using the documentation available
I'm afraid that the documentation is _not_ available. Features are modified without notification, especially including how new "features" are designed and how the back end data is protected on the vendor's part. I'm afraid I recently attended a presentation on a new set of IoT devices, and had a quiet back room talk with several of the IT personnel about how they handle the data. I
It's the classical dancing pigs problem (Score:4, Informative)
Only worse.
Here [wikipedia.org] you find a pretty good summary of the phenomenon. In a nutshell, given the choice between "ohhh shiny!" and security, the vast majority will go for the former without even considering the latter. People don't know and I have the creeping suspicion that they don't want to know what security implications their actions have.
Maybe initially. When it begins to impact them they'll care. Someone hacked the thermostat and ran your AC bill up to 1000 bucks for the month? Suddenly security becomes quite the consideration.
Given the impact connected discrete peripherals can have on people, I fully expect this nonchalance towards security to be a phase. A very very short phase.
Right, they don't want to know. They don't want security. What they want is a crime-free neighborhood. In the end, it comes down to economics. People make rational individual economic choices about security. Consider how people have long handled security for their homes. Most homes and even businesses are not physically secure in any way even close to what is being demanded by security zealots. Setting people who got sold a bill of goods by ADT and Dr. Robert Neville aside, for most the "price" of l
In the United States IoT (Internet of Things) has no legal definition.
Microwave ovens on the other hand are legally defined and have several federal regulations concerning them. USC Title 21, Chapter 9, Subchapter V as well as Subchapter J, parts 1000 through 1005, 1010 and 1030.10.
Manufacturers and individuals get "a pass" unless there is a specific law regulating their behavior.
Please excuse my lack of understanding, but what is the relevance of whether the "IoT" is the local hardware or the network over which the data is shared, or the services on which the data is stored and services provided by the vendor?
Just check the status as of today (Score:2)
Currently: nobody. (Score:2)
Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to this problem has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that i
Per port firewalls. (Score:2)
I have been predicting that at some point in the future, all switches, routers, etc. will have a firewall per port so you can control access to, well, everything, but especially this proliferation of IoT.
Make them easily configurable so your tv and refrigerator can talk to each other but nothing else etc.
No matter what, it's going to be another wild wild west of security problems going forward; so many things have zero support after being shipped, it just works without any regard to security.
NAT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NAT. This provides an excellent opportunity to filter connections _into_ your local environment, as well as data _leaving_ your local environment.
I'm seeing companies, partners, and clients entirely disable IPv6 on their local network because the increased address space encourages every device to be routable and accessible from the Internet at large. And I'm in full agreement, and it'
This is easy ... (Score:2)
... it's the manufacturer's responsibility.
"Enter an administrative password and click Next to continue..."
I don't expect an award or stuff.
It's 2 part (Score:2)
Second, the device needs its password changed before it works.
The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
> First, the vendor provides a default password.
> Second, the device needs its password changed before it works.
_Thank you_. I'd not put it in such terms, but that is a viable approach which I'd gladly support.
> The other option is for the default password to be the serial number of the device, which will probably cost vendors $0.01 more but save on customer support calls.
There is a similar situation now for cable modems. They print the default network and password names on the devices, partly t
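The two-part scheme discussed in this subthread (a factory default that the device forces you to replace before it does anything else), as an added example that is not from the thread or from any vendor's firmware. `DeviceAdmin`, the `/setup/password` path and the `admin` default are constructed for illustration; the gate also refuses the serial number as the new password, since it is printed on the device label.

```python
"""Added example: first-boot credential gate for an IoT management interface.
Nothing but the password-change endpoint is served until the factory default
has been replaced. Names and values here are constructed, not a real product."""
import hashlib
import hmac
import os
from typing import Tuple

DEFAULT_PASSWORD = "admin"   # constructed factory default
MIN_LENGTH = 12              # minimum length accepted for the replacement


class DeviceAdmin:
    def __init__(self, serial: str):
        self.serial = serial
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(DEFAULT_PASSWORD)
        self.provisioned = False  # stays False until the default is gone

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def handle(self, path: str, password: str, new_password: str = "") -> Tuple[int, str]:
        """Route a management request; returns (status, body) like an HTTP handler."""
        if not self._check(password):
            return 401, "bad credentials"
        if path == "/setup/password":
            return self._set_password(new_password)
        if not self.provisioned:
            # Every other endpoint is refused while the default is still in place.
            return 403, "set a new administrative password first"
        return 200, "ok: " + path

    def _set_password(self, new_password: str) -> Tuple[int, str]:
        # Reject the factory default, the serial printed on the label, and short values.
        if new_password in (DEFAULT_PASSWORD, self.serial) or len(new_password) < MIN_LENGTH:
            return 400, "new password is the default, the serial number, or too short"
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password)
        self.provisioned = True
        return 200, "password updated"
```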
Summary misses most serious problem... (Score:2)
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or ma
People who buy them (Score:3)
> Producers of products ultimately aim to please their customers
Please forgive me, but this is a common misconception that I've had to address for a number of younger Libertarian advocates recently. There are many, many counterexamples of people and businesses who are purely interested in profit. Pleasing the customer is one means to encourage sales. But theft, fraud, and neglect of damage to customers are often more effective ways to increase profit in the short term, and they _are_ commonplace.
I appre
Just freaking wow! (Score:2)
Mind you, that was from pre-internet days, so who freaking dropped the ball and completely lost it when it comes to the basics with these kids?
The answer is... (Score:2)
No one.
Next question?
Seriously, manufacturers are in a hurry to get product to market, IoT security is an afterthought, that hopefully can be updated with firmware upgrades OTA.