Slash Boxes

SoylentNews is people

posted by on Friday June 02 2017, @08:58PM   Printer-friendly
from the looming-global-IoT-shitstorm dept.

TechDirt reports

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.

A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.

A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk)."

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job; that overseas companies would be consistently willing to comply; or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020--is expected to balloon to 82 billion by 2025.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by c0lo on Saturday June 03 2017, @12:21AM

    by c0lo (156) Subscriber Badge on Saturday June 03 2017, @12:21AM (#519650) Journal

    Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked. That is the point, you MUST update or quickly become so dangerous that the only safe move is to disconnect from the Internet,

    There's more ways to skin this cat.
    - I should be able to replace the OS/browser with something of my choice - certainly I should not be bound to a monopoly as a provider of security.
    - I can install extra external protection (firewalls) and restrict myself to where I go while browsing the internet
    - I can even use the combination not connected to the Internet (but to a local network) and still derive some restricted benefits I need - i.e. IE4.0 is still safe to use in a local intranet never connected to Internet.
    Granted, if the needs require me to go in promiscuous places, I will need to make sure I have the best protection of the moment or suffer the consequences.

    And the Penguin is for we the few, normies can't generally install ANY OS on bare metal.

    And should the rights on us, non-normies, be sacrificed because the majority of the others aren't capable to defend themselves?
    Where's the advantage in that? 'cause I see the immediate disadvantage - it is the non-normies that create something new and have the incentive to explore non-normal solutions.
    Stop us and you'll get into the same situation we had before the personal computers broke the monopoly on... well.. computing to those who could afford buying a mainframe.

    When the OS updates stop you get a brick or a forced payment to upgrade.

    I still have alternatives to this situation - and I vote with my wallet and not buy a device that is bricked when unsupported by the manufacturer or seller - and I don't like the idea of someone telling me I need to stop thinking that alternatives exists.
    If you like this idea, whatever floats your boat... but what right that researcher or you have to tell me I should desist?

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2