Stories
Slash Boxes
Comments

SoylentNews is people

Regulation of the Internet of Things

posted by martyb on Saturday November 12 2016, @03:11AM   Printer-friendly
from the world-wide-web-pollution dept.

Phoenix666 writes:

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name provider — a company named Dyn —­ was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers ­— possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.

Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.

Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?

Original Submission

 
This discussion has been archived. No new comments can be posted.
Regulation of the Internet of Things | Log In/Create an Account | Top | 50 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @12:03PM

    by Anonymous Coward on Saturday November 12 2016, @12:03PM (#426019)

    Regulation is not the only way to fix this. There are certainly technical solutions that can mitigate DDoS attacks. Let's work on those instead of whining. If users and vendors don't care about security, they can learn a lesson from being hacked.

  • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @03:04PM

    by Anonymous Coward on Saturday November 12 2016, @03:04PM (#426052)
    Technical solutions huh. Sounds a lot like the infamous old checklist that showed up on the old site every time someone proposed a solution for spam. What technical solutions do you propose, pray tell, to mitigate DDoS attacks? There don't seem to be any really good ones, or else we'd already be using them.

  • (Score: 0) by Anonymous Coward on Wednesday November 16 2016, @04:27PM

    by Anonymous Coward on Wednesday November 16 2016, @04:27PM (#427582)
    Trouble is, the penalties for getting hacked aren't severe enough. Most people who are pwn3d don't realise it, even if their device is participating in a DDoS. Especially if it's an appliance like an Internet-connected camera that should Just Work™. Most companies that sell hackable systems are blissfully ignorant of the vulnerabilities they have precisely because they cut corners on security testing. Thus they won't care. The only way to make them care is to make laws that will force them to care. No one cared enough about pollution and was big enough to be able to do something about it until the creation of the EPA.