
posted by Fnord666 on Monday December 12 2016, @02:58AM
from the all-your-boink-detecting-mattresses-are-belong-to-us dept.

Arthur T Knackerbracket has found an interesting story over at The Register about regulating the security of IoT devices:

Washington DC think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices.

Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood.

The pair say the risk that regulation could stifle market-making IoT innovation (like the WiFi cheater-detection mattress) is outweighed by the need to stop feeding Shodan.

"National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices, but regulation development faces the challenge of ... security-by-design without stifling innovation, and remaining actionable, implementable and binding," Scott and Spaniel say.

[...] State level regulation would be "disastrous" to markets and consumers alike.

Does the ability of a company to make money now outweigh the security of our digital homes and devices?

  • (Score: 2, Interesting) by Anonymous Coward on Monday December 12 2016, @06:19AM (#440236)

    Mandatory source code release?

    Pretty much all of these devices are running embedded Linux and bog standard CCDs, ethernet interfaces, etc to begin with. Start requiring the release of the full build source code and toolchain to sell the devices in the US, including encryption keys if necessary to reflash the devices. (Really the key should be user installable and write-many for replacement, at initial boot/jumper enable only.) Those two rules would help eliminate 99 percent of IoT security failures by allowing third party developers to update the device firmware, if there is demand, and the user controlled signing key (or just a damn write enable jumper for rewriting the flash!) would help ensure that mass device compromise was limited to default installations using default keys and outdated firmware. Still a major problem in the world of IoT but much more manageable than devices that were designed once, updated never, and more expensive to reverse engineer firmware patches for than to replace.

  • (Score: 0) by Anonymous Coward on Monday December 12 2016, @12:51PM (#440336)

    Sounds good for geeks. Not so good for the average user. Because the average user just isn't going to make the effort to sysadmin their devices. You can complain about stupid lusers or whatever, but any solution that goes against human nature rather than taking advantage of human nature is no solution at all.

    • (Score: 1) by Francis (5544) on Monday December 12 2016, @03:48PM (#440398)

      Even for the rest of us, how much time do we have to audit code? Making a half-hearted attempt at it is pretty much a waste of time. Just trying to keep up with the myriad bug fixes by other people can be a full time job, especially if you've got more than one IoT thingy. It was bad enough when it was pretty much just Windows and a couple other significant programs that you had to keep track of.

  • (Score: 0) by Anonymous Coward on Monday December 12 2016, @07:55PM (#440521)

    That only works on release. Long term it fails.

    Company will move onto next product and abandon it. Leaving it in 'software maintenance only' which is code for 'we do not fuck with it ever again'.

    Or company goes out of business. Your IoT device is now a brick but you left it plugged in because you forgot about it.

    Basically you have one part of the puzzle. But where IoT is really failing in security is long term.