My toaster has to be certified that it meets certain minimum safety standards. It really seems that IoT and safety critical software/firmware should be required to pass a similar (bare minimum) certification.
A toaster is required to pass safety standards because there is a strong economic incentive (UL requirements) to do it. Without UL, it can't get on the shelf in any store in the US.
There is no such thing as UL security requirements for IOT devices.
Time for such regulation?
But "internet + regulation" normally raises a lot of objections internally from the IT industry.
If someone (MSFT) proposes that secure boot be required for all IOT devices, the first one to oppose it will likely be the EFF. :-)
UL isn't a regulatory body. UL testing is voluntary. You may know this, but perhaps many others don't.
I think a UL for internet connected devices is a fantastic idea. Just need to figure out how to get companies to volunteer for such testing. The way it works for UL is that they provide some insulation from litigation. Perhaps if users could litigate IOT manufacturers for inadequate security testing, something similar would materialize for that industry as well?
Retailers (Walmart) require UL for insurance purposes.
UL was created by insurance companies to gauge the safety of products.
In the end, the real cause is that "The force of Lawyers" is strong for product safety in the US. :-)
"The force of the lawyers for IOT" is still weak. :-)
The force of the Jedi (IT, hackers, SW Dev, EFF, OSF) is still strong, for now....
The Empire will win when and if enough Jedi (SW Dev) turn to the dark side - team up with the lawyers and start suing IOT startups, devices, creators.
No more IOT, Raspberry Pi, OpenWRT.... only Intel/Qualcomm/MSFT licensed UEFI controlled SecureBoot (Windows CE) devices, locked-down Chromebooks from Google will be allowed.
> No more IOT, Raspberry Pi, OpenWRT.... only Intel/Qualcomm/MSFT licensed UEFI controlled SecureBoot (Windows CE) devices, locked-down Chromebooks from Google will be allowed.
idk, seeing a comparison with UL gives me hope that consumer device security doesn't actually have to mean totalitarian dystopia.
Nothing is stopping anyone from building their own non-UL electronic devices, and even distributing them to tinkerers and early adopters. This is much preferable to some steep liability/mandatory insurance regime like automobiles where you've got to Soviet-style register your car and even yourself!
Sensationalists push a panicked narrative about insecure devices, but any disruption of third parties is entirely due to scale. Simply making it so the enormous group of low-effort consumers won't end up with negligently insecure devices would basically erase the problem.
Yeah, I picked that up from reading the press release[1] that OP had originally included in the comment. What I was surprised to discover was the 404 error page when I clicked the individual links for the different standards. My expectation is that I would have been directed to a site to purchase them.
But most of those safety standards are meant to protect the device and its user during normal use, not against malicious attempts to destroy it or pervert its usage.