UL Pushes Security Standards For The Internet Of Broken Things
from the internet-of-very-broken-things dept
If you hadn’t noticed yet, the internet of things is a security and privacy shit show. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now open your wireless network to attack.
Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale — especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what’s happening:
“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
Enter consumer groups and other independent operations, who are trying to finally step in with solutions. One is the open source standards system Consumer Reports has been pushing that would require that security and privacy issues be clearly highlighted in product reviews. Underwriters Laboratories (UL), the electronics safety organization, is also now joining the fray, proposing a five tier certification process to help consumers better avoid products and vendors who view privacy and security standards as an unnecessary afterthought:
“These days, when you look at products, they have been moving from an analog function to a digital function,” said Andrew Jamieson, UL’s director of security and technology. “From that context, the security of the software directly affects the safety of the product, so we have to really start thinking about that.”
There is no unified standard for connected gadgets, which means that the smart TV you buy could be a hacking concern waiting to get plugged in. Unless you researched all your connected gadgets yourself, there’d be no way of knowing without a standard.”
The UL’s white paper on the proposal is worth a read. Granted such a system isn’t going to get a lot of help from industry, which won’t want to a.) lose revenues because some informed consumer avoided their products, or b.) be forced to spend money to improve privacy and security standards on current and past products. Similarly, captured regulators and well-lobbied lawmakers aren’t likely to want to upset apathetic corporations. Which brings us back full circle, waiting for security scandals of unprecedented scale that will finally prompt action in this indisputably broken space.
Filed Under: devices, iot, privacy, security, standards, surveillance
Comments on “UL Pushes Security Standards For The Internet Of Broken Things”
Ah yes, because all that IoT crap is totally UL-compliant already…
If UL does enough marketing on the subject, UL approval might become relevant, eventually. Though I think their system should be binary, approved or not, rather than the 5 tier rating system they came up with. But until they make their approval relevant to the average consumer, it is nothing.
As you point out, UL compliance hasn’t meant much of anything to IoT manufacturers so far, which does not speak well for UL.
Yes, but it would become non-compliant if UL implements their proposal. AFAIK regulators can’t stop them because UL is a private company not a government agency. Also AFAIK a lot of stores won’t carry electronics if it isn’t UL-listed, which is also something regulators can’t do much about because of the same laws that make it almost impossible to control what companies do. That leaves IoT device makers with Hobson’s choice.
One of the biggest problems is the state actor attack cycle.
Practically everything is hacked by someone.
In your hypothetical scenario, who is this state actor, why would they be causing this biggest problem and what is this hack you refer to?
Re: Re: Re:
Mainly China, but also US, Russia, Iran, Ukraine, maybe India, and other states at times.
Re: Re: Re: Re:
Sounds like the next hollywood thriller, when will it hit the box office?
OK, call me naive...
But wouldn’t it just be much simpler if someone in government made it mandatory that the manufacture of IoT devices include a simple trigger in their initial setup program that REQUIRED consumers to make a unique password and user name all their own, instead of just including a generic set up where the password is "password" or "123" etc? It would be a simple if proven ultimately futile attempt to protect consumers – simply set up a block that consumers can’t get around requiring the changes necessary for consumers to protect their devices BEFORE the device will work.
Like I said, I know it’s naive, but it MIGHT help a little…
Re: OK, call me naive...
It’s a simple and naive idea, because any law has to be passed by those well lobbied public “servants” or written by a regulator who has one eye on the lobbyist position waiting for them in a few years.
Who’s going to grow some balls and throw away all those campaign contributions or that cushy next gig?
Re: Re: OK, call me naive...
I doubt this would have any affect on regulators’ ability to serve as lobbyists in the future, nor would it cost them campaign contributions, simply because the organizations making the process mandatory would only be strengthening their own positions as well as their customers – I think it’s a good political position to promote on both sides of the aisle. It’s not something that would have any adverse affect on companies or consumers. But then again, the political parties involved would probably choose to subvert it and make it a ridiculous partisan issue, as they idiotically have done with net neutrality…sometimes there’s no winning…
Re: OK, call me naive...
Don’t stop there, let’s mandate vehicle manufacturers stop drivers from doing really stupid things, let’s mandate weapon manufacturers stop murderers from killing people.
Sounds like you are cheer leading for third party liability.
Let the check come due. Nothing of any significance reshapes the thinking of the general public except a disaster that affects the general public. People generally don’t care about a problem until they are directly affected in a big way, not merely inconvenienced. Thinking is hard.
Security by default
All of the Internet of Things (IoT) devices need to become the Security Hardened Internet of Things (SHIoT).
I like the idea of UL getting involved. UL has probably prevented more house fires and deaths than any other organization. I’d like to see what they can do with IoT.
Remember, the "S" in "IoT" is for "security".
I STILL LOVE IT..
Think about the Privacy we have to contend with..
From banks to the DMV.
What happens when all this data gets released?
When Privacy Isnt private anymore. And what Scope of privacy is lost.
about 90% of privacy is us trying to Keep Contracts Private. Personal contracts between you, me, the State, the gov. and Every company we deal with.
The Biggest loser here is going to be the banks. They Were trying to have everyone Quit using Checks, because your info in on the bottom. Let them use Cards!!
Well that isnt working very well. So How to Prove, who did what to Who??
If all your data is Out there.. How to Prove who is using the card? Who is using your SS#. Who is doing what with your info..
Who is going to get hurt?
Social Sec. has been reusing numbers for years, and the odds are there are 2-3 people out there With your number, as well as Fake ID for illegals, working and inputting Credit into your SS Account.
The gov. loves to know who is who and where you are located..Really hate it when people move around, allot.
Corps dont like allot of it, because it causes paper work. They know more about you then the gov. does. Including your bank info.
Anyone know how easy it is to make a Credit card? Even with the Chip in it.. Not really to hard. And the Major Agencies that take and process Credit cards has been trying to make it 99.99% Hands off. so the persons behind the register dont touch your card.
Even a wireless Phone system to do the same thing. but How easy is it to READ wireless??
They are really pushing Facial ID and a few other things. but that should not be a Concern, but IT IS.. how far do you go to Prove who is who and where they are? And pushing this idea to the cops is a simple step, because THEN, you can have less police. Adding to this is the instant Plate scanners, that the cops can use, and monitor where your car runs around, and tracks everything.
Very soon it will be a Data collection age of Human kind. We might as well be in the most restricted nation in the world.. As we are becoming just as bad as the worst, and tech is helping it.