from the looming-global-IoT-shitstorm dept.
TechDirt reports
In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:
A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.
A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.
A minimum time limit for users to install patches or upgrades; perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).
Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job; that overseas companies would be consistently willing to comply; or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?
That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 is expected to balloon to 82 billion by 2025.
(Score: 2) by jmorris on Friday June 02, @09:12PM
IoT crap comes in two flavors: Google / Amazon stuff to bind you to an ecosystem, generally produced by IT-savvy companies. Regular updates for them are an option. The rest comes from fly-by-night Chinese companies selling you crap, and once it is sold any maintenance is an expense they won't bear one second beyond when a product goes out of production and the shelves empty.
The only answer for that second sort is to standardize on a couple of basic platforms, ship the devices with OpenWRT or similar open tech, and once the vendor ceases support release the means for the owner to point it at a standard repo for updates. Or better yet, just point it there from day one for the OS and the vendor for the webapp running atop it. But the requirement must be there from day one because even the minimal effort to get a Chinese vendor to publish an 'abandon it and throw it open' patch is too much to ask.
(Score: 2) by pendorbound on Friday June 02, @09:19PM
So because manufacturers can't manage to debug their garbage before they foist it on the world, I'm stuck with a device that turns into a brick if they go out of business or forget to deliver an update on time? No thanks.
Debug, then ship. Not the other way around. I wouldn't even consider buying a device with that kind of user-hostile "feature."
(Score: 0) by Anonymous Coward on Friday June 02, @09:24PM
It's called Windows.
(Score: 0) by Anonymous Coward on Friday June 02, @09:27PM
Betteridge says no...
Remember kids, in IoT, the S is for security and the P is for privacy...
And just for giggles: https://xkcd.com/1807/