Slashdot Mirror


Who's Responsible For IoT Security? (networkworld.com)

"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF]. The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?

6 of 181 comments

  1. Hard one... by XSportSeeker · · Score: 4, Insightful

    Responsible? That would obviously be whoever is making the products, selling them, and turning a profit on it, period.
    But who should care about it is an entirely other matter... everyone from chip makers, to product developers, assembly lines, government, stores that are buying and selling the stuff as well as customers/businesses that are getting the products should be looking into it.

    Unfortunately, there's no easy answer as to solve the entire conundrum. This might be one case where we'll eventually need government interference and regulation there to safeguard public privacy and security just as much as we have quality standards and approval processes regarding radiation levels, what sorts of materials were used in electronics, and stuff like that.

    And I think soon we'll end up with independent businesses whose sole purpose is to do independent testing for security and privacy... I mean, they are already there, seen as security analysts and whatnot, but things will probably ramp up as businesses have more to lose.

    It's not a great route to go through, but I really can't think of anything else that would do the job. At some point, the overall Cyberwarfare will escalate to a point that electronics in general will need to go through extensive testing before entering the country.

    1. Re:Hard one... by Darinbob · · Score: 4, Insightful

      No, not just developers. I work on IoT, we do security and we try to do the best security. Customers don't think this is important. It raises the cost. We get a max cost of a product and adding security can blow past it. A big problem is with companies and customers alike wanting to jump on the bandwagon with instant results.

      Also, security requires resources. More memory, better chips (i.e., keep keys out of RAM), use PKI instead of preshared keys, etc. Every framework online that claims to be IoT ready is severely lacking, not just in security but usability. When they have security it's very large (larger in code than many low power chips can handle) and since it's "portable" they make no use of hardware supplied security.

      Now try to combine that with a battery life measured in decades, fast network response, customer modifications, etc.

    2. Re:Hard one... by AmiMoJo · · Score: 4, Insightful

      It's going to take lawsuits and maybe legislation to fix this. People wouldn't pay for safe cars given the choice, but since the consequences of that can end up hurting other people they have to be forced to.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Currently: nobody. by Gravis Zero · · Score: 4, Insightful

    Hacked devices are the result of a "tragedy of the commons" because the internet is shared. The only real resolution to these problems has been proven to be regulation. Now, some people find the "dreaded r-word" to be too offensive to consider but the reality is that the free market cannot solve this problem because it doesn't have a strong enough feedback loop that would compel companies to invest in strong security. So, if you follow this logic, it's ultimately the lack of regulation by lawmakers that is responsible. Then again, we could go even further and say it's the fault of the people who voted them into power. In conclusion, it's the fault of idiots, likely the same idiots buying this insecure shit.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Currently: nobody. by Gravis Zero · · Score: 4, Insightful

      Just give ISPs the power to shut off connections doing bot attacks.

      They already have that power and have always had that power.

      Once customers start getting their internet turned off and paying hundreds for geeks to come in and tell them that new camera, not a PC, is the cause then the free market will kick in...

      Clearly, you don't understand how the free market works. The more likely scenario is that the customer would get frustrated and after wasting lots of time on customer support they would simply switch to an ISP that doesn't give a fuck if you are part of a botnet because you're giving them money. Why do you think they don't already cut off customers?

      --
      Anons need not reply. Questions end with a question mark.
  3. Re:Full stack security is needed. Use OpenBSD. by arth1 · · Score: 5, Insightful

    Security is everybody's responsibility.

    Indeed. With the prevalent binary thinking of today, people seem to fall into the trap of thinking that if the manufacturer is responsible, the user is not.
    But responsibility and guilt are not finite resources. Adding it to one party does not reduce it elsewhere; not an iota.