“There’s no cyber security regulation as such that applies to IOT stakeholders as such,”
But there f**king well ought to be.
“Defence is only as strong as the weakest link,” said Tim Phipps of Solarflare at today’s Cambridge Wireless event on security within the Internet of Things. Today's Cambridge Wireless event was part of its Special Interest Group focusing on security and defence. In particular, on securing and defending the Internet of Things …
These are consumer appliances. That industry is well used to having to conform to electrical and similar safety standards: "If you sell a kettle that is not certified, and it kills the user/burns his house down, you are in deep trouble". I was once fired because a factory had changed mains lead insulation colours without telling us, and no-one noticed till too late.
So there must be national (EU level at the moment for the UK) standards bodies that enforce correct design on IoT vendors. It's a harder thing to test than insulation safety, but can be automated to a great degree.
All these standards get introduced after the event, but pressure on governments (the press is good for this!) helps move things along.
The makers of the iKettle probably thought they were incorporating security - it has a password - they just weren't as clever or as imaginative as the hackers.
"It might get hacked, someone might boil some water!"
"Give it a password and a sensor to switch it off if it's boiling dry. Sorted."
They didn't think that it might be the gateway to your WiFi network...
And while academics quibble about who "owns" data, hackers get on with massive DDoS attacks using webcams and DVRs.
>Boil 50 million kettles at once, and you bring the nation's powergrid to its knees, and not just for three minutes.
Ah, the old 'Coronation Street' effect... you don't need connected kettles to bring that about! In fact, connected devices could be used to mitigate such spikes in demand. Even if it is just implemented within a single home.
>And while academics quibble about who "owns" data, hackers get on with massive DDoS attacks using webcams and DVRs.
Did you even read the whole article? Far from quibbling, they were looking at reasons IoT security has been so poor, and what can be done - in terms of corporate and legal organisations as well as technical - to make it better. Example:
"There’s an argument that says you start from the boardroom. The pressure to be first to market doesn’t feature security. The pressure to reduce costs? If you ignore security, you do so at your peril; it's going to cost you more in the long run. Educate boardroom and senior management to build security in from the start. Appoint a Chief Information Security Officer. What I’m touting is bottom up and top down. The end message is to build security in."
Oh, and the issue of 'who owns the data' has legal consequences, so is a potential stick to beat some better practice into the IoT industry. Other sticks include market forces and company reputation.
"the issue of 'who owns the data' has legal consequences"
Indeed. So let's employ a lawyer to nail down the ToU (that consumers rarely read) and grab rights to all their data - and if they don't like it then they lose the convenience of iPhone/iTunes/Fitbit/Nest/etc. You know, the thing they really want and just paid a load of cash for...
And if you want something for free? Chances are you are paying for it with your data. If you want to keep hold of your data then don't sign it away.
Meanwhile...
Hackers are merrily using internet connected devices to propagate DDoS attacks, potentially costing millions. The academic question of who owns the data is irrelevant.
If I buy an iFridge, iKettle or other IoT device, the data is mine. If the maker of the device or some other 3rd party wants access, for instance to improve my health, they can licence that data from me. The terms of that licence should be negotiable - do I accept that they can share that data with their partners, do I want to receive publicity in place of paying for added value, etc?
If they add data beneficial to me they may put a price on that added value and I may or may not choose to pay that price.
Makes sense, until you realise you have agreed to T&Cs that state that by plugging in your lamp, you give the company who operates the IoT gateway for the lamp the right to access your network to turn it on and off, and the company that designed/built it the right to access your network to monitor its condition and provide patches.
Oh wait, you wanted a smart light that turns on when you enter the room? They need data on the room.
Cool feature, turns your light on/off like other lamps in the area when you are on holiday. They need data on your holidays and your lamp's location data so they can work out where the other lamps in the area are. Is the lamp location determined by built-in GPS (FEATURE!!!) or your registration data?
Then we move on from you over to their own systems. Data on people using their site to login and admin the devices attached, well this is data about their servers so would probably belong to them... but it's your data on whether the light is being turned on/off so it's yours, but they need the data to supply a robust system and it is their software after all, but you..... Complicated.
A bug that costs 5K to fix in dev and 30K in the wild is actually a bug with an upfront cost of 5k and a later cost of "we won't fix it. Buy another Thing", which isn't zero but is in fact added profit. Or just zero (for products that tanked and so aren't very many Things anyway).
I suggest an IOT Bug Tax. Mandate product liability insurance for anything that includes any code. Make insurers liable to pay out LARGE bug bounties. Say 100K for a 30K fix.
Watch in amazement as those dev budgets suddenly expand to catch more 5K bugs.
> Referring to the recent DDoS of Brian Krebs, which was powered by an IoT botnet – “cameras, lightbulbs and thermostats” all generating 990Gbps of traffic, “which would take most government websites down”
Not saying much there. You'd only need half a dozen to take down the ABS census site.