from the internet-of-very-broken-things dept
If you hadn’t noticed yet, the internet of things is a security and privacy shit show. Millions of poorly secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IoT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your Gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now open your wireless network to attack.
Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale — especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what’s happening:
“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
Enter consumer groups and other independent operations, who are trying to finally step in with solutions. One is the open source standards system Consumer Reports has been pushing, which would require that security and privacy issues be clearly highlighted in product reviews. Underwriters Laboratories (UL), the electronics safety organization, is also now joining the fray, proposing a five-tier certification process to help consumers better avoid products and vendors who view privacy and security standards as an unnecessary afterthought:
“These days, when you look at products, they have been moving from an analog function to a digital function,” said Andrew Jamieson, UL’s director of security and technology. “From that context, the security of the software directly affects the safety of the product, so we have to really start thinking about that.”
“There is no unified standard for connected gadgets, which means that the smart TV you buy could be a hacking concern waiting to get plugged in. Unless you researched all your connected gadgets yourself, there’d be no way of knowing without a standard.”
The UL’s white paper on the proposal is worth a read. Granted, such a system isn’t going to get a lot of help from industry, which won’t want to a.) lose revenues because some informed consumer avoided their products, or b.) be forced to spend money to improve privacy and security standards on current and past products. Similarly, captured regulators and well-lobbied lawmakers aren’t likely to want to upset apathetic corporations. Which brings us back full circle: waiting for security scandals of unprecedented scale that will finally prompt action in this indisputably broken space.