Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes (theregister.co.uk)

Posted by BeauHD on from the trial-and-error dept.

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

5 of 87 comments (clear)

  1. No mention of the internet architecture of course by Pinky's+Brain · · Score: 4, Interesting

    This is the danger our resident experts create by going along with the IoT scare ...

    The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).

  2. I think this whole idea stinks by Alcemenes · · Score: 2, Interesting

    So let me get this straight:

    1. The risk that it will stifle innovation is outweighed by the need to regulate
    2. Every stakeholder operates within the US
    3. The US is not in the top 10 countries of origin for IoT-based attacks

    Based on those three points it sounds more like a "business plan" to start collecting regulatory fees to provide yet another false flag of security. That's just what we need here in the US, another group of unelected bureaucrats sitting in a room thinking about ways to protect us from a threat they know nothing about. Sure, "experts" will be involved but I would be willing to bet following the money leads back to donors and/or lobbyists. Do vendors and end users need to get smarter about security? Yes. Do I think this will do anything to prevent DDoS attacks? No. This won't fix anything. It will only add to the cost of IoT devices to consumers and put billions into the government's coffers to waste.

    1. Re: I think this whole idea stinks by EmeraldBot · · Score: 3, Interesting

      The best approach for the general consumer is to have a set of standards that, if met, reduce security risks to an acceptable level from a hardware/software perspective. Products can choose to prove compliance with those standards. Educated consumers can require that compliance in their product choice. Regulation could come in regarding how product can claim compliance. Many or all of those standards may already exist, but they likely need some motherhood standards to tie them together. All easier said than done because there is not simple answer to 'the right way to do it', and a huge and varied scope of things under the umbrella.

      I agree with this mostly, but I do think there need to be some minimum standards for regulation. Some IOT stuff - automated stoves or heating / cooling or whatever - isn't just obnoxious if hacked, it can be downright dangerous if somebody makes the oven set itself on fire while you're asleep. Using a hardcoded check of PASSWORD, for example, is something I think we can all agree is unacceptable, and that shouldn't be tolerated.

      If we do make those standards too, they shouldn't be compromises, they should be seriously tough, and come in shades or grades instead of compromise. You can always let people pass lower, but no company is ever going to do better than the minimum required of them, so "A" had better mean pretty solid protection from hacking...

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  3. Be careful by 110010001000 · · Score: 1, Interesting

    Be careful of what you wish for. The ISPs could institute a policy that only "approved" devices are allowed on the Internet. Don't think that can happen? That is where this is leading.

  4. Re:No mention of the internet architecture of cour by swb · · Score: 3, Interesting

    AFAIK the only thing that ISPs could reasonably do is not filter outbound traffic that couldn't have originated within their network, ie, bogus addresses.

    The challenge with DDOS though is that it seems to work best and be hardest to mitigate when the number of sources is high and the requests are legitimate.

    What's the ISP to filter then?