Spitballing IoT Security

Josh Reynolds josh at kyneticwifi.com
Thu Oct 27 03:54:17 UTC 2016


I think this would be the most effective route proposed so far.

May the force be with you :)

On Wed, Oct 26, 2016 at 12:19 PM, Leo Bicknell <bicknell at ufp.org> wrote:
> In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote:
>> The makers of IoT devices are falling all over themselves to rush products
>> to market as quickly as possible in order to maximize their profits.  They
>> have no time for security.  They don't concern themselves with privacy
>> implications.  They don't run networks so they don't care about the impact
>> their devices may have on them.  They don't care about liability: many of
>> them are effectively immune because suing them would mean trans-national
>> litigation, which is tedious and expensive.  (And even if they lost:
>> they'd dissolve and reconstitute as another company the next day.)
>> They don't even care about each other -- I'm pretty sure we're rapidly
>> approaching the point where toasters will be used to attack garage door
>> openers and washing machines.
>
> You are correct.
>
> I believe the answer is to have some sort of test scheme (UL
> Laboratories?) for basic security and updateability.  Then federal
> legislation is passed requiring any product being imported into the
> country to be certified, or it is refused.
>
> Now when they rush to market and don't get certified they get $0
> and go out of business.  Products are stopped at the border, every
> shipment is reviewed by authorities, and there is no cross-border
> suing issue.
>
> Really it's product safety 101.  UL, the CPSC, NHTSA, DOT and a
> host of others have regulations that if you want to import a product
> for sale it must be safe.  It's not a new or novel concept, pretty
> much every country has some scheme like it.
>
> --
> Leo Bicknell - bicknell at ufp.org
> PGP keys at http://www.ufp.org/~bicknell/


More information about the NANOG mailing list