GCHQ has translated the code into different languages
and some more text because it now blocks comments that only contain links
GCHQ has managed to convince HP Inc and Centrica Hive to take its side in a relatively rare public intervention on the state of consumer IoT security. A voluntary code of practice, to which the two companies have signed up, urges them to implement published standards and recommendations on how to bake security into IoT devices …
and some more text because it now blocks comments that only contain links
"GCHQ hopes that by getting large industry players on side, consumers will have less to worry about in future"
I wish them luck, but the bulk of IoT gear I've had the misfortune pleasure of encountering has come from brands so no-name that I struggled to locate a website for them, let alone a patch for their products.
Given that heavyweights like BMW can't even get the basics right, a voluntary code of practice is a nonstarter.
And even if you get something with what seems to be a legitimate setup behind it, most of the time it's a rebadged piece of crap from some fly-by-night outfit. You can count yourself lucky if it doesn't shock you or burn your house down - never mind any security concerns.
What GCHQ could do is remotely shut down/disable all IoT devices with these vulnerabilities (after an official warning to the manufacturers of course). The resulting sh*tstorm and general howls of anguish from Jo Public would perhaps "encourage" the Supply Chain to stop selling crap in the first place.
This is one area where I wish the government would give GCHQ some strong powers to compel vendors to do as it says: make these things secure (but without any nice five eyes back-doors). The article contains phrases like "GCHQ hopes", which we all know means that vendors will do as little as possible, preferably nothing.
The onus needs to be on UK manufacturers AND those who import foreign (== mainly Chinese) kit into this country.
There also needs to be an onus to support these things for their *use* lifetime, not a lifetime defined as until-the-next-model-is-released. The entire code-base needs to be held in escrow and released Open Source once manufacturer updates cease to come. For some things I can see a 'use lifetime' of 30 years or more (eg IoT light switches).
This needs the backing of strong laws (that are actively enforced == big fines) otherwise it just will not happen. The cost of not doing this will be millions of tiny breaches.
"...make these things secure (but without any nice five eyes back-doors)"
Your naivety is touching.
Not sure you'll be quite as vocal with the severe punishment when the government decides to compel backdoors, but hey, by then they won't be taking much notice of pesky things like democracy.
@LeahroyNake
Are you blocking part of site content (e.g. images), so that either images are blocked or possibly some .js code needed for the icon add is blocked (CBA to check if any .js is involved!)?
To save bandwidth my mobile browser has image blocking on by default & so I cannot see reg icons on my mobe.
IIRC icons disabled if posting as AC
The use of open, peer-reviewed internet standards is strongly encouraged. Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers
Good luck with that one guys. "Peer Review" with that lot usually means "Oops, I just Peed all over your standards. Soz about that"
Devices and services should be configured such that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.
Tried that one with JLR (Jaguar Landrover Rangerover) recently, have you? Thought not.
"One might think these were stating the bleedin’ obvious"
No, one might not. The bleedin' obvious is "If it costs us money and we can get away without doing it we won't do it". The way to fix IoT security is to make it impossible to get junk into the market place. Make it illegal to sell insecure devices and illegal to connect them to the internet, with an obligation on ISPs to enforce the latter. If Joe Punter discovers that the £1 cheaper grey market device bricks his internet connection until he removes it he'll be a bit more careful where he spends his money in future.
Trying to get others (like the ISPs) involved will not end well.
Simpler is to make the manufacturer and/or importer liable for GDPR-like fines for insecurity for the expected life of the product, which should be something like at least 5 years after last sold. With no exceptions.
Security costs and marketer-driven additions are all more liabilities to the end user, make sure those implementing IoT are held responsible for that.
Once we renationalise the Post Office and put it in charge of internet and telephones again, it will be able to enforce the rules that only GPO-approved 300 baud modems can be connected. And with internet calls priced per minute you won't want your lightbulb calling up to the server very often.
One must presume that any mandatory standards promulgated by GCHQ (or other five-eyes "security" agencies) will contain NOBUS (Nobody But Us) provisions. Secure from everybody but GCHQ and friends, where some friends are such bastions of freedom and decency as [redacted per security spec]
Why? Just why does an effing [insert device of your choice] need to contact the maker's server?
And if you block the phoning home at your firewall, the sodding thing stops working.
IoT is a huge pile of stinking dog pooh mixed with rotten sick and the run off from 1,000,000 rotting corpses.
As you get older you might find some of the IoT things begin to make more sense.
If you have limited mobility being able to set the light levels in the room from a remote control or tablet will make your life easier.
Same with being able to control the temperature of the room you are in, or the room you will be going to next.
The devices shouldn't need an internet connection to be able to do this, but having one can make life easier too. For an example of having the internet connection as an extra, look at the Z-Wave controllers: most of them work locally but give the option of connecting through the controller manufacturer's website to work externally.
Presumably, when the time comes, you won't have a choice about a connected car. Security upgrades will be mandatory or you become an outlaw.
That your car can be hacked as a result of linking to the internet will probably be seen as collateral damage.
They can't even make PCs secure - what hope do they have of succeeding with cars?
eg: https://thehackernews.com/2018/05/bmw-smart-car-hacking.html
I think spy agencies give lip service to this - mostly because of government or government contractors using insecure devices so they want them to be able to become secure. In reality they'd be happy if everyone has an Alexa or Google Home they can hack into and easily listen in on what people are talking about, that businesses all have vulnerable Chinese CCTV cameras they can hack into and watch what's going on.
I think the spy agencies all watch modern movies and TV shows that give the impression that government departments all have an uber hacker at their disposal who can track suspects by hacking into pretty much any electronic device in 30 seconds while Jack Bauer or M stands over their shoulders impatiently waiting for the results so they know their next move. They're jealous!
"Industry 4.0, in which the vision is that traditionally profitable manufacturing industries will give their profits to a tech sector desperately scrabbling to find the Next Big Thing and hoping that industrial sensors might be the jackpot."
Possibly the author is not fully enthused by this?