writes: Fixing the security of the Internet of Things: Now we have had several distributed denial of service attacks — generating eye-popping amounts of network traffic to bury a web site or gamer — arguably traced to botnets-for-sale of "hacked" common devices with Internet connectivity. It's time to look at the problem bad product design can cause. Not being "computers", many of those devices — cameras, televisions, light bulbs, to name a few — don't have tough-enough security moxie baked in. And it's not enough to solve today's attacks, they have to survive new attacks down the road.
Some of these household items didn't conform to today's Best Practices, taught in Security 101, with the rules learned (painfully) over the last 30 years. And then there is the question of installing security fixes: "Hey, Joe, you have to install an update to your thermostat and washing machine." Right.
This is nothing new. What is new is the tsunami of Internet-capable devices hitting the market and the Internet... and doing it badly. By sheer numbers, the situation rises to a whole new level of risk to the nation's communications infrastructure. The magnitude of the problem? Think how many light bulbs are in the typical house or apartment, and you get the idea.
This note comes a little late to the game, but I thought that one way to stem the flood of carb from compromised household stuff is to treat vulnerabilities as design defects, defects as serious as the exploding batteries in the Samsung Galaxy Note 7. So, looking at the procedures already in place for dealing with merchandise that can cause harm, this suggestion:
- any Internet-connected device,
- "powned" by cybercriminals,
- that causes significant harm,
- the manufacturer receiving notice of the defect, and
- did not, or cannot, provide a timely, zero-cost update
THEREFORE the Consumer Product Safety Commission shall require that the manufacturer provide a security update to the device within 30 days of first notice; or failing that, to issue a complete recall of the defective devices.
I don't care if it's a television, camera, refrigerator, light bulb, thermostat, washing machine, wireless access router, smart phone, desktop computer, server, you-name-it...if it's broke, and can't (or won't) be fixed, it gets recalled.
That's the only way manufacturers will take Internet security seriously. If they have to upgrade the stuff they sell, without exception, the manufacturers will find a method that will keep their expense for upgrades down. Upgrades should not be charged to the customer — the manufacturer screwed up, they should fix the problem, at their expense.
I further suggest that security testing should be specifically permitted under law, not be considered part of "reverse engineering", or other shrink-wrap or copyright restriction.
The CPSC should develop guidelines for products with embedded computers that connect to the Internet at large, either directly or indirectly.
There are a number of things to consider, when building such a regulation, that come into play and complicate things:
- orphaned devices,
- devices made by companies that have gone out of business,
- imported stuff,
- methods of notification, and
This is an off-the-top-of-my-head idea. I think it's worth considering over other "solutions" I've seen proposed.