back to article US think-tank wants IoT device design regulated, because security

Washington DC think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a …

  1. Number6

    Accredited Standards Body

    One way to do it is to put together a suitable standard against which manufacturers can test their products. At the moment I think half the problem is that startups don't understand the problem, whereas if they've got a real standard to test against then they might at least make an effort, if only to be able to claim compliance.

    Of course, trying to get a useful standard defined may take years.

    1. MacroRodent

      Re: Accredited Standards Body

      Seems the current state is so bad that just a few guidelines that would fit on a post-it note would be an improvement. Like (1) There shall be no default password that is identical on all devices, (2) any password must be nontrivial (at minimum 10 random ASCII characters) and supplied off-line, (3) the device must survive a "fuzzing" test with a state of the art fuzz tool (the tool or its version updated yearly).

      1. Anonymous Coward
        Anonymous Coward

        Re: Accredited Standards Body

        How do you enforce it, especially with a pro-business legislature in place? Businesses will likely see the Internet as something to work around, so they'll have backup plans. Leaving the rest of us in the lurch. Remember, companies like Google and Amazon have their own private networks outside the Internet.

        1. Doctor Syntax Silver badge

          Re: Accredited Standards Body

          "Remember, companies like Google and Amazon have their own private networks outside the Internet."

          They'll still want the internet around for customers to access them. Otherwise their internal components will be eking out a precarious living taking in each other's washing.

          1. Charles 9

            Re: Accredited Standards Body

            Or they can go back to the old days before the Internet and establish their own endpoints if needed. Facebook certainly seems aware of the idea, given their third-world ambitions where Internet presence is at its weakest.

    2. Brian Miller

      Re: Accredited Standards Body

      We have lots of standards. XKCD: Standards

      This is one of those things where if what the think tank thought was good, they would have already published an RFC. But no, there's nothing but a recommendation, for more red tape.

      Yes, you know it's a good think tank because they've only been in existence for two years:

      Domain Name: ICITECH.ORG

      Creation Date: 2014-11-06T22:24:44Z

  2. Ole Juul

    Regulation on IoT

    Such think, much tank.

    1. bombastic bob Silver badge
      Unhappy

      Re: Regulation on IoT

      <facepalm>

      gummint regulating IoT: yes they've done so WELL thus far, on regulating "teh intarwebs"

      </facepalm>

      It might be faster to solve this problem by providing ACTUAL open source solutions for popular platforms (ones that easily fit into small memory footprint firmware) rather than "just thinking about it" and then regulating the hell out of the IoT biz until "only the big boys can play".

      revising an old adage: Those who can't, are in a think tank.

      1. Doctor Syntax Silver badge

        Re: Regulation on IoT

        gummint regulating IoT: yes they've done so WELL thus far, on regulating "teh intarwebs"

        Yes, they have done well so far. The US govt. was instrumental in setting the whole thing up. Someone had to pay for all that work at DARPA. And don't forget that the net depends entirely on regulations. They're called protocols.

  3. AnoniMouse

    Wishful thinking

    "Small cost-sensitive internet-of-things developer teams have little incentive to invest in rigorous security testing."

    And since most of them will be developed, manufactured and (not) supported in jurisdictions outside the US, effective regulation will be very difficult to achieve.

    1. Voland's right hand Silver badge

      Re: Wishful thinking

      This is exactly the point they should not be allowed to use the Internet, period. They either talk to a local gateway or they stay in their jurisdiction wherever they are manufactured.

      I would prefer the gateway to MINE and this is the only way they will be allowed in my household. That is unrealistic for Joe Average consumer - there the gateway and the isolation will have to be provided by the SP. The latter can and should be regulated and legislated.

      By the way, most SPs can run isolation for IoT today already - the support for that is in the CPEs and the management systems for them.

      In either case it is a matter of restricting the SERVICE DESIGN, not the hardware interfacing to the service. Unfortunately, this is something neither the regulators, nor the SPs have groked at this point.

      1. Dave 126 Silver badge

        Re: Wishful thinking

        >"Small cost-sensitive internet-of-things developer teams have little incentive to invest in rigorous security testing."

        Is it not yet possible for dev teams to just buy an off-the-shelf 'known good' secure IoT module? I thought ARM (and probably others) were working on an IoT platform (hardware and OS) that smaller developers can then build their application onto.

        Ah, found it. ARM mbed. The Wiki article doesn't give much clue as whether it's been widely adopted though.

        https://en.wikipedia.org/wiki/Mbed

        1. Charles 9

          Re: Wishful thinking

          Probably too expensive. Unless you can make it cost-competitive (like in at most a penny or two more than existing stock, which is unlikely given the glut of pre-secure stuff), anyone who tries will get undercut. Remember, the average person doesn't care. All you're hearing are squeaky wheels.

          1. Doctor Syntax Silver badge

            Re: Wishful thinking

            "Remember, the average person doesn't care."

            The average person will care a great deal is their ISP cuts them off if they don't remove their rubbish. And their ISP will care a great deal if their traffic doesn't get routed. Sometimes Draconian is best.

            1. Anonymous Coward
              Anonymous Coward

              Re: Wishful thinking

              You forget one key thing about this stuff. It only aggregates at the target. The total traffic at each individual ISP is likely to fall under the radar: under the peering threshold. In fact, given most consumer ISP traffic is receive-heavy, this may give a perverse reverse incentive: additional send traffic could reduce their rates because of increased load balance.

        2. Dexter

          Re: Wishful thinking

          The mBed is much too heavyweight and power hungry for really small devices like sensors, and probably too expensive for many cheap IOT devices.

  4. allthecoolshortnamesweretaken

    "The Institute for Critical Infrastructure Technology (ICIT) is a next-generation cybersecurity think tank cultivating a cybersecurity renaissance for our Nation's critical infrastructure community."

    No, really.

    Too bad I missed their November gala & benefit at the St. Regis; they were giving some sort of award to Keith Alexander.

    1. Steve the Cynic

      "at the St. Regis"

      Nice work if you can get it! (I used to work at a NY-based firm that would put up visiting staff from overseas offices in the St. Regis. Nice place.)

  5. 27escape

    essentially regulate almost all computers

    and computer type equipment

    good luck with that!

    1. Voland's right hand Silver badge

      Re: essentially regulate almost all computers

      Not quite.

      By the way, 95% of the cheap Chinese IoT tat is in clear violation of data protection regs as it ships data including your surveillance video to Chinese servers. However, the lame toothless dogs known as the DPA and Trading Standards are not bothered to enforce this one. At all.

    2. Charles 9

      Re: essentially regulate almost all computers

      Basically, the Stateful Internet, aka Big Brother. It's either that or a descent into Internet Anarchy.

      1. bombastic bob Silver badge
        Devil

        Re: essentially regulate almost all computers

        I'll take 'Internet Anarchy', please. With extra freedom and privacy on the side.

        1. Anonymous Coward
          Anonymous Coward

          Re: essentially regulate almost all computers

          You won't get privacy with Internet Anarchy: just a metric crap-ton of barbarians at the gate. You think Mirai is something? Wait 'til it becomes a snowflake before the avalanche.

  6. Mike 16

    "Enterprise" shoddiness.

    Just another instance of a phenomenon I have noted for a while. "Simple" correlates with "mind-boggling interface", "Timeless" with "Soon to be in the remainders bin", and the fact that "The People's Democratic Workers Paradise" is very unlikely to be a great place to live, or even visit if not at the invitation of "The Benevolent Leader"

  7. Herby

    Enterprise...

    "Some penetration testers have gone further satirically arguing that a vendor's state of software security is inverse to its use occurrences of the term 'enterprise'. "

    Now this is something that seems to ring true in many cases. Usually because some higher up wanted to look "important" (see this weeks edition of On Call for a GREAT example).

  8. joed

    I could care less for regulation of IOT as long as the use of these is not regulated onto me. The more expensive the crap, the less will end up in landfill.

    1. Anonymous Coward
      Anonymous Coward

      And if they turn out to be part and parcel, meaning the only effective way to regulate the IoT is to regulate the people?

  9. Pompous Git Silver badge
    Paris Hilton

    Some penetration testers...

    Now there's an interesting way to make a living! Penetration testing the wifies of blokes silly enough to buy those wifi-mattresses :-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like