Stanford Starts the 'Secure Internet of Things Project'

An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connect gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.

Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.

Think business, not technology

[captaindomon]

Companies that make these devices are driven by business interests, not technology concerns. Which is what their shareholders expect and require. So the question isn't "Can someone hack this?" the question is "Given 0.001% of these get hacked, and our recourse is to return the $50 in a refund which is our highest liability exposure due to terms & conditions, that equates to five cents cost per unit. So if we are selling 10 million of these per year, we should not spend more than $500,000 on security engineering. That pays the full run rate for two full-time engineers. Hire them and see what they can do". We sometimes forget the economics side of things in technology arguments...

Re:Think business, not technology

[neminem]

Then somebody hacks into a thermostat, uses it to burn somebody's house down for luls. The couple whose house was burned down tries to sue, loses due to the contract that says their only recourse is a refund of the 50$ even though WTF, it makes all the news everywhere, and the device is forever known as "that device that burned some guy's house down and they gave him a whopping 50 bucks". They're now out 50 bucks in direct cost, and a jillion dollars in lost sales.

We sometimes forget the economics side of things, but companies *often* forget the social side of things (i.e. if you treat people like crap, they'll tell their friends, who will tell their friends, and eventually you'll be "that company that treats people like crap". Unless, of course, you're a monopoly, or if all your competition is equally terrible, in which case do what you like.)