Friday, 28 October 2016

Just who should be responsible for the minefield that the Internet of Things has become?


“IoT Growing Faster Than the Ability to Defend It”
The IoT is a vast and growing virtual universe that includes automobiles, medical devices, industrial systems and a growing number of consumer electronics devices. These include video game consoles, smart speakers such as the Amazon Echo and connected thermostats like the Nest, not to mention the smart home hubs and network routers that connect those devices to the internet and one another.
[Scientific American, 26 October 2016]

I believe the world of IoT offers incredible opportunities for human advancement. It also has a dark shadow side. We can do amazing things with connected devices that will change the world, but connecting all these devices also lays us open to a myriad of potential dangers. We must take these dangers seriously, and even more so, we must take our responsibility to ensure IoT security seriously.
[Forbes, 26 October 2016]

Because IoT is a new field, it's dominated by companies that don't have the same mindset as the manufacturers of mission-critical servers—and that can spell trouble. "Very often, the creators of smart gadgets are small startups," says KeepSolid CTO Vasyl Diakonov, "and they don’t have resources or knowledge to build out sophisticated security."
Ben Desjardins, director of security solutions at Radware, specifically calls out the software end of the equation. "The most challenging aspect of this," he says, "is that many of the IoT devices are being manufactured by organizations that are new to software development, and are likely to have more vulnerable code and immature patch management processes."
[CSOonline, 12 October 2016]

Hot on the heels of Internet users learning that for years the tech world has been quietly releasing onto the market an unknown number of devices of various kinds that contain serious security vulnerabilities and/or malware, so that the Internet of Things (IoT) is now a minefield for the average person, we find that some in the IT world would like us to believe it is now entirely our fault if we unknowingly purchase and use one of these critically flawed products.

Dark Reading, 26 October 2016:

Imagine an Internet with multiple levels of security that users need to earn.
Someone has to clean the house, shovel the walk, and mow the lawn. As we grow to adulthood, we realize that this person is us. We either do it ourselves, or we have to earn enough to pay someone else to do it. The Internet has reached a point where we need to take responsibility for our own actions to clean it up.
Many aspects of life present this onus of individual responsibility; there are benefits when we do our part, and consequences when we don’t. Drive responsibly and you can get a discount on your car insurance. Don’t mow your lawn, and in many communities you will get billed when the municipality does it for you.
The Internet is full of opportunities for us to affect others by our actions. Unsecured computers can be used as bots for spam and denial-of-service attacks. Downloaded malware can infect other systems nearby because we are inside a trusted environment. We have tried to educate people on the importance of protecting devices, not clicking on shiny but suspicious links, and other responsible behaviors, with limited effect. What if we took a different approach?
Imagine an Internet with multiple levels of security that users need to earn. Level zero means a person does nothing, and so has limited access to services because their computer is probably infected. Many corporations work this way on their internal networks, restricting access of devices that are unknown or do not have a minimum set of security defenses. Restrictions could be based on inexperience -- akin to what many countries do with driver’s licenses -- or personal habits, which often affect life insurance premiums.

I’m sorry, but with even the government-subsidised hearing aids supplied to pensioners in Australia now having a digital component which can transmit and receive, this still-inchoate push to make eighty-year-olds as morally or legally responsible for hacking and denial-of-service attacks as the manufacturers of everything from digital doorbells and cameras through to wheelchairs and mobile phones is one that should be vigorously resisted.

"Let the buyer beware" should not be used as an excuse for the technology community to continue its sometimes sloppy research, design and manufacturing processes, or to fail to alert the public to, and correct, known product security flaws.

All manufacturers and vendors need to be totally honest with consumers, draw attention to the fact that the product has a digital component, make the limitations of their devices known at point of sale and supply clear information on security/software update requirements.

This is clearly not happening across the board with the Internet of Things right now and a higher level of consumer protection is needed.
