
Poorly Secured IoT Devices a Risk to Life and Property, Experts Warn Congress
https://www.technologyreview.com/s/603015/security-experts-warn-congress-that-the-internet-of-things-could-kill-people/
======
michaelt
I think Schneier is right when he says part of the problem is market failure.

Shipping every device with a different default password costs more than not
doing it - you have to take care to put the right password label with the
right device, for example - and it's the consumers with the /least/ security
knowledge who /most/ need this feature.

Somebody who knows to check whether the device has default passwords before
buying knows to change them after buying - while the consumer who doesn't know
the dangers of fixed default passwords doesn't know to shop for a device
without fixed default passwords.

There are other problems too, of course. Even if you legislate security
standards, cheap products drop-shipped from China by eBay sellers can ignore
the standards with impunity.

~~~
throwaway2016a
Well, for electronics there is UL in the US. There is no rule that your
product has to be UL listed, but if you want your house insured (many insurance
companies require plugged-in electronics to be UL listed), or as a vendor you
want your product sold in retail stores, you need the listing.

It's a great example of the market solving the problem. You can make your
product not pass UL testing but Home Depot won't sell it.

Now if there was a similar standard for security it could work. It's just that
the industry is young.

As an aside, I think UL listing is prohibitively expensive. I wish there was
competition.

------
sek
Actually there are standards for electrical devices too, so it doesn't
accidentally burn your house down. IoT needs robust security and update
mechanisms.

I just fear that some IoT device also has to burn a house down before something
happens. Right now it's just webcams; soon it's ovens, which can be exploited
easily. This needs to be pushed right now; the stuff is already on the market.

~~~
throwaway2016a
It's noteworthy that in the US at least this problem was solved by the market
without legislation. UL listing was voluntarily adopted by retailers and
insurance companies. I see no reason why there couldn't be a similar option
for IoT.

------
mixedCase
So does this involve banning the sale of foreign (or particularly, Chinese)
computers/IoT/whatever where the creator did not seek or did not obtain a sort
of certification?

Because in the best realistic-case scenario, after spending a shitload of money,
you're only going to get development to improve within the US, but you aren't
gonna touch the crapware doing the bulk of the damage.

~~~
milcron
I don't think it matters where the device was built, as long as the US
distributor can be sued for damages.

------
upofadown
The article bashes together two different topics related to devices on the
internet in a way that doesn't really help. All the articles I have seen so
far have done this.

The first is about devices connected to the net being used to cause problems on
the net, such as DoS. Devices have a tiny attack surface, as they are usually
protected by a password for access. The fix there is easy: just stop shipping
devices with default passwords.

The second is about attacks against devices that could create a "Risk to Life
and Property". The fix there is harder in that it involves knowledge of
whatever process is being controlled. Ideally systems would be safe in the
face of _any_ software failure, no matter what the cause.

~~~
jaclaz
Yep, and the NHS references the Ukraine power grid episode, which was caused
through phishing via e-mail. Having SCADAs connected to the Internet is not a
good idea anyway, but it has nothing to do with having an el-cheapo - say - IP
camera with admin/admin.

------
thinkMOAR
Neat how a term like 'IoT' can get all previous, historical security discussions
and articles repeated as if it's a new finding or a new risk we should think
of. I am _almost tempted_ to call all these articles clickbait.

Secure everything, not only your puters but your car, chainsaw, and
internet-connected NAS; don't use the same logins for all your internet accounts,
and YES, also secure your tiny computers that are connected to the internet.

------
godmodus
_insert Fight Club recall-calculation scene here_

------
guptaneil
Why do we need to wait for the government to get their act together? Why isn't
there an independent organization yet that can provide this guidance, like
Consumer Reports but specifically for IoT?

~~~
jlgaddis
There is.

The problem is that the manufacturers aren't listening and don't care.

~~~
guptaneil
Which organization? As a consumer, I don't even know where to go to look for
security ratings, and that's why manufacturers don't have to care about it.

------
sickbeard
Buying an internet enabled device for your home is like giving your house keys
to the internet.
