Slashdot Mirror
Who's Responsible For IoT Security? (networkworld.com)
"It is much too easy to connect devices and industrial equipment to the internet," writes an anonymous Slashdot reader. But what's the solution -- and who's to blame for the abundance of insecure IoT devices? Network World examined the conclusions in a paper titled "The Internet of Hackable Things" [PDF].
The authors say the IoT security problem is not a technological one; it's cultural... "A security culture is nearly non-existent in our society... developers must be educated to adopt the best practices for securing their IoT devices within the particular application domain; the general public must be educated to take security seriously, too, which among other things will fix the problem of not changing default password."
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
The anonymous reader who submitted this story argued that "IoT product makers do not need a deeply skilled team because component makers have made it so easy to connect anything to the internet. Maybe the responsibility for strong security should rest with chip makers like Intel, Freescale and Qualcomm." Leave your own opinions in the comments. Who is ultimately responsible for IoT security?
"It is much too easy to connect devices and industrial equipment to the internet,"
No, that misses the point entirely. It's not that it's too easy to connect devices to the Internet, but rather that, at least sometimes, it is very difficult, if not nearly impossible, to prevent devices from connecting to the Internet. Some Smart TV sets (it might have been Samsung, but I'm not sure) actively seek out open WiFi connections to connect to the Internet even if you tell it not to. It's not enough to block ports in your firewall as maybe your neighbor doesn't have those ports blocked. Or maybe the Starbucks down the street doesn't. And with integrated GPS in many devices (and probably more in the future) the fact that devices connect on someone else's IP address won't protect your privacy/anonymity, since they'll be able to locate the device down to the house or apartment that it's in. Expect to see more of this in the future.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
THE PEOPLE SELLING THIS INSECURE SHIT!!
Full stop. End of story.
You build a gadget that connects to the Internet, you fail to properly secure it, your boss puts it up for sale, YOU ARE CULPABLE! You are at fault, it is YOUR PROBLEM, that is the end of it! Do not try to fucking weasel out of it. Nuremburg settled that for our entire species, "following orders" is not an excuse. You did it, you are responsible. You built an insecure device and offered it up to your boss so he could sell it, you MUST be liable for the breaches you caused.
This is not a "buyer beware" excuse situation, this is not a "clickthrough license shields me from responsibility", this is flat-out assholes offering known faulty goods for sale. They are responsible, nobody else. The only way to FIX this is to force the people building these shitty devices to take LEGAL responsibility. Nothing else will do. Period.