Fear of litigation may be key to security on the Internet of Things (hpe.com)
59 points by hackuser on March 23, 2017 | hide | past | favorite | 21 comments


I've been saying this for as long as anyone cared to listen: the IoT industry doesn't give a flying fuck about security. They care about shipping their product ASAP and preferably for under the price of their competitor.

The average consumer also does not give a flying fuck about the security of these devices unless they find out their baby camera is connected to the internet and strangers are watching their kids sleep. (E.g. no consumer is going to care that their smart lightbulb participated in a DDoS)

It was always going to be external factors that lead manufacturers to start giving a damn about security. Whether this is litigation (more likely in the US) or regulation (more likely in Europe) is yet to be seen.

I doubt manufacturers in China will care at all, unless the Chinese government starts caring because it's causing them issues on their domestic internet.

I'm not saying the solution here is to have lawyers suing every manufacturer for an RCE, that's not sustainable. I also don't think that requiring all IoT devices to be UL Security Certified™ (I just made this up) is a great idea either.

Something which is secure when tested in 2017, might not be secure in 2018.

I think the real solution will be when consumers realize most of this IoT stuff is a gimmick for manufacturers to be able to sell you something that requires a paid subscription to function, when the old model, while admittedly not "smart", worked just fine.

If you buy an IoT device and there's no subscription, then the only way the manufacturer stays in business is by selling more devices. For a device that requires updates to stay secure, this is a recipe for a bad time.

IoT isn't for the average consumer, it's for companies to be able to sell more chips and services.

Look no further than smart meters if you want a prime example of how utilities have utterly wasted the benefits of having nearly real-time data on their customers' consumption. Meanwhile the meter and IoT chip manufacturers have been able to sell them X million units. Billions of dollars invested and they are still no closer to the "smart grid" than when they started.


They also don't give a flying fuck about reliability (hey, your internet is down so you can't unlock your front door? too bad) and continuity of service.


...To be fair, anyone binding their ability to access their home with their home's internet connectivity has it coming


It's kind of ridiculous that Nest has designed a thermostat that can freeze your house solid without access to the internet.


> the real solution will be when consumers realize most of this IoT stuff is a gimmick for manufacturers to be able to sell you something...

For the sake of us all, I hope it's not the _only_ solution. This does not seem like the type of thing that the consumer marketplace ever "realizes". "Gimmick" or "bling" or "coolness." Praise or disparage such labels, huge portions of the consumer market want what they want at the moment; then they move on, mostly when the old one breaks or something else looks shinier.

Now _that_ IMHO is a problem in real need of a solution.


> (E.g. no consumer is going to care that their smart lightbulb participated in a DDoS)

They might care if it used up their GB allowance offered by their ISP or made their connection too slow for e.g. Netflix to work.


> They might care if it used up their GB allowance offered by their ISP

A quick question: are data caps on land-lines still used? The last time I saw the "X GB monthly" was around 2005 I think. There are still some data caps when using cell phone to connect to the Internet, and I don't know how it looks outside of major cities, but personally I last had a connection with data cap more than a decade ago.


> A quick question: are data caps on land-lines still used?

Yes, at least in Germany. Most DSL connections have a 300GB monthly limit. If you exceed this for 3 consecutive months the ISP gets pissed and throttles you (I think, haven't exceeded 300GB per month and can't remember the exact fine print).


Yes, I saw a 25GB per month home broadband offer this week. Unlimited was moderately more expensive. I guess some people don't need more than that.


An agency like the FTC could also evaluate various products and demand a recall from the market. If they set the tone right, I think that will change manufacturers' minds pretty quickly.

But we need an FTC that is actually hell-bent on stopping bad behavior, and not the one that exists now that gives slaps on the wrists to Internet providers for collecting and selling everyone's personal data.


FTC is more a tax from manufacturers than anything else really.

Like, I've seen many monitors from various brands, all stamped FTC, emitting enough interference to generate audible noise on FTC-stamped speakers. Isn't that the only thing they have a strong mandate and certification process for?


I think you're thinking of the FCC, not the FTC.

Also, the FCC doesn't care if your speakers make noise when they get hit with RF; they only really care that the speakers aren't emitting RF to interfere with the things that are supposed to be.


> …device makers build in pattern learning so devices can recognize when they've been compromised. A coffee maker that suddenly starts sending out email, for instance, would be suspicious and should set off alarms.

Or, you know, don't install an e-mail server in your coffeepot to begin with.

(You'd think that would be a lot easier, too, but I guess the other way they can charge more for "machine learning".)


Not until someone sues Amazon or WalMart and wins.


Or Nest


It's probably the key to give all that business to China.


How is it that IoT devices are compromised? I'd figure that most would be sitting in an environment where there are no incoming connections allowed without some amount of user action. Which means either the network is already compromised, or something more complex is going on?


Hahaha, oh, buddy. No. These manufacturers are much stupider. These things hook straight up to the Internet, wide open telnet ports with hard-coded default passwords.

The quickest example I have to hand, sorry it's on Twitter. I'm sure you can find others. https://twitter.com/ErrataRob/status/799556482719162368
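Two things in this thread are concrete enough to show in code: the article's suggestion (quoted a few comments up) that a coffee maker which "suddenly starts sending out email" should set off alarms, and the reply above explaining that devices get owned because they sit on the Internet with telnet open. The example below is added here; it is not from the article, from any commenter, or from any vendor. It learns a per-device baseline of outbound (protocol, port) pairs from a known-clean window of flow records and then flags two things in later traffic: a device talking to a service it never used before (the coffee maker on tcp/25), and an inbound telnet or ssh session reaching a device from outside the LAN. The device inventory, the flow records and the timestamps are all constructed for illustration.

```python
"""Per-device network baseline with anomaly alerts (added example, not page code).

Flow records are constructed tuples shaped like a NetFlow/IPFIX export
collapsed to the fields we need: (timestamp, src_ip, dst_ip, proto, dst_port, bytes).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: LAN addresses of the IoT devices being watched.
DEVICES = {"192.168.1.40": "coffee-maker", "192.168.1.41": "baby-camera"}

# Management services that should never be reachable from outside the LAN.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 23)}

# Explicit RFC 1918 plus loopback and link-local. Deliberately not using
# ipaddress.is_private, which also treats IANA special-purpose ranges such as
# the 192.0.2.0/24 documentation block (used as "Internet" below) as private.
LAN_NETWORKS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Constructed known-clean window: devices only talk to their vendor cloud, DNS and NTP.
TRAINING_FLOWS = [
    ("2017-03-20T06:00:01", "192.168.1.40", "203.0.113.10", "tcp", 443, 2100),
    ("2017-03-20T06:00:05", "192.168.1.40", "192.168.1.1",  "udp", 53,  80),
    ("2017-03-20T06:05:01", "192.168.1.40", "203.0.113.10", "tcp", 443, 1900),
    ("2017-03-20T06:10:01", "192.168.1.41", "198.51.100.7", "tcp", 443, 5000),
    ("2017-03-20T06:10:02", "192.168.1.41", "192.168.1.1",  "udp", 53,  90),
    ("2017-03-20T06:15:00", "192.168.1.41", "192.168.1.1",  "udp", 123, 76),
]

# Constructed later traffic: one normal flow, the coffee maker sending mail,
# a telnet session from the Internet to the camera, and a normal DNS lookup.
LIVE_FLOWS = [
    ("2017-03-23T09:00:01", "192.168.1.40", "203.0.113.10",  "tcp", 443, 2050),
    ("2017-03-23T09:00:09", "192.168.1.40", "198.51.100.25", "tcp", 25,  12000),
    ("2017-03-23T09:01:00", "192.0.2.77",   "192.168.1.41",  "tcp", 23,  640),
    ("2017-03-23T09:01:30", "192.168.1.41", "192.168.1.1",   "udp", 53,  88),
]


def is_lan(ip):
    """True if the address falls inside one of the LAN_NETWORKS ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def learn_baseline(flows, devices=DEVICES):
    """Record every (proto, dst_port) each device used during the clean window."""
    baseline = defaultdict(set)
    for _ts, src, _dst, proto, dport, _nbytes in flows:
        if src in devices:
            baseline[src].add((proto, dport))
    return dict(baseline)


def detect(flows, baseline, devices=DEVICES):
    """Return alerts for flows that break the baseline or expose management ports."""
    alerts = []
    for ts, src, dst, proto, dport, nbytes in flows:
        if src in devices:
            # Outbound: a service never seen in the clean window is new behaviour.
            if (proto, dport) not in baseline.get(src, set()):
                alerts.append({"ts": ts, "device": devices[src],
                               "rule": "new-outbound-service",
                               "detail": f"{proto}/{dport} to {dst}, {nbytes} bytes"})
        elif dst in devices and (proto, dport) in MANAGEMENT_PORTS and not is_lan(src):
            # Inbound: telnet/ssh reached the device from a non-LAN address.
            alerts.append({"ts": ts, "device": devices[dst],
                           "rule": "exposed-management-port",
                           "detail": f"{proto}/{dport} from {src}, {nbytes} bytes"})
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_FLOWS)
    for alert in detect(LIVE_FLOWS, baseline):
        print(f"{alert['ts']} {alert['device']:<12} {alert['rule']:<24} {alert['detail']}")
```

The baseline only means something if the training window was actually clean; a device that was already compromised when you started learning gets its malicious traffic whitelisted, which is the main practical weakness of "pattern learning" as the article describes it. The inbound rule needs no learning at all: a telnet session from a non-LAN address to a device is wrong regardless of history, which is the point of the comment above.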


Won't they just stick "mandatory arbitration" and "no class action" clauses into license agreements?

Seems like a no brainer as long as we continue to allow companies to get away with such bullshit.


The key to IoT security is open, user-updatable firmware and reasonable per-byte transit costs.


Too many bucks to pass, the court cases would never end.



