back to article Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties. So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their …

  1. Charlie Clark Silver badge

    America always waits for class action suits

    Until then companies can, and generally do, do what the hell they like. And the new Congress isn't likely to help: the House may propose something but the Senate and the Big Orange Baby will shoot it down. Won't really matter because none of them will really understand in it anyway and will write it whatever their richest lobbiest wants.*

    So, prepare to wait for, I don't know, a class action due to houses burning down because the IoT smart home stuff fucks up to work its way through the courts, impose swingeing fines and create legislation through precedent. As has been the case for the last 40-odd years.

    * I call it the Greenback Wave.

    1. Doctor Syntax Silver badge

      Re: America always waits for class action suits

      This is something that's always puzzled me. Why go with lawyer benefit jamborees class action suits where you don't control anything and aren't likely to see any significant damages when you win instead of tailoring the claim to what will just fit into the small claims process. Small claims negates the BigCo advantage and the death by a thousand cuts effect is likely to have a much quicker affect on the vendor than a long dragged out class action.

      1. GnuTzu
        Unhappy

        Re: America always waits for class action suits -- Damages

        "...and aren't likely to see any significant damages when you win..."

        Well, I think many would agree that increasing the degree of punishment is a much more significant issue than any political orientation (as this question of leaving it up to class-action suits seams to be about). Get something together that actually effects major positive change--and can't be blocked by monopolistic, plutocratic, big-corporation lobbyists (Monsanto), and I could give a flying f**k what political orientation it comes from--um, short of fascism, communism, or some other extremist perspective.

      2. jmch Silver badge

        Re: America always waits for class action suits

        I'm not familiar with US small claims procedure but you're likely right. If it's easier and quicker to go through small claims, why not do that? I suspect the main reason is that lawyers have very little to gain in small claims and a LOT to gain both financially and as reputation to go class-action.

        Therefore lawyers convince their clients to do class-action rather than small claims. Probably the clients are happy to go along with this since lawyers would do no-win no-fee for class action but would charge them a fee regardless for small claims

        1. JohnFen

          Re: America always waits for class action suits

          "If it's easier and quicker to go through small claims, why not do that?"

          It requires a lot more time and effort on the part of the claimant (and a lot of people have no idea how to go about it or that it's an option, sadly). The time thing is a big deal if you're a working stiff -- it means you have to take time off work to go stand in a courtroom all day.

          "I suspect the main reason is that lawyers have very little to gain in small claims"

          Lawyers are not allowed to represent you in small claims court, so very little to gain indeed! The most they can get is whatever fees they may be able to charge you for helping you to prepare for the case. But for most cases in small claims, there really isn't a lot of preparation needed. This is not a court where people bring complex cases. The entire purpose of small claims court is to provide a means of quickly resolving simple cases that don't involve a lot of money.

        2. Mark 85

          Re: America always waits for class action suits

          Probably the clients are happy to go along with this since lawyers would do no-win no-fee for class action but would charge them a fee regardless for small claims

          Usually, you don't need a lawyer for small claims court in most jurisdictions. And filing fees are most reasonable.

    2. h4rm0ny

      Re: America always waits for class action suits

      Do you really think IT security policies would be better under Hillary? I mean, ignoring them is kind of what she's famous for!

      1. Charlie Clark Silver badge

        Re: America always waits for class action suits

        Do you really think IT security policies would be better under Hillary?

        No, I'd just expect different groups to be lobbying and blocking each other. But she might at least be more actively involved in developing policy and less obsessed with doing stadium tours.

        1. Anonymous Coward
          Anonymous Coward

          Re: America always waits for class action suits

          "But she might at least be more actively involved in developing policy and less obsessed with doing stadium tours."

          The problem with abandoning the mainstream media is that you have to make a lot more effort to get the same amount of audience coverage. Worth noting for any other politicians looking to follow a similar path...

  2. Dave_uk

    IOT is only going to grow as an issue long term

    I have been to talks where the possibility of using IOT being used to potentially piggy-back connections/data and thus creating a local cloud (or "MIST" as I recall it termed).

    Security will not improve unless as Schneier suggests:

    "improved security without being told [to do so] by the government"

    and the MIST could end up another playground for extortionists/malware/viruses/trojans...

    1. Milton

      Re: IOT is only going to grow as an issue long term

      But is that "mist" in the German sense? A variation on the idea that transparently abusive corporations like Google and Facebook are a "gift" to us, even?

      1. Charlie Clark Silver badge

        Re: IOT is only going to grow as an issue long term

        For the non-German speakers: "Mist" == "Manure" & "Gift" == "Poison"

        1. Dave_uk

          Re: IOT is only going to grow as an issue long term

          found a reference to the MIST:

          https://developer.ibm.com/dwblog/2018/cloud-fog-mist-edge-computing-iot/

          Along with Clouds and FOG, just to make it a little more clear!

      2. Dave_uk
        Alien

        Re: IOT is only going to grow as an issue long term

        Mist is not German in this meaning but English, its not a cloud but a small network: MIST

    2. Anonymous Coward
      Anonymous Coward

      Re: IOT is only going to grow as an issue long term

      So, non-IOT security has improved because of government regulation? I'm certain that PCI would have something to say about that. That's about as market as you can get.

      1. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: IOT is only going to grow as an issue long term

        PCI-DSS is no more then a baseline with a lot of requirements that, if you would do security the right way, you would already have implemented anyway.

        It's no more than the creditcard industry's risk management policy.

        Has it actually improved on all those creditcard details being leaked with major security breaches including recent ones with British Airways etc.?

        No it hasn't.

      2. Bob Dole (tm)

        Re: IOT is only going to grow as an issue long term

        > I'm certain that PCI would have something to say about that. That's about as market as you can get.

        Given the number of PCI compliant companies that have lost all their customers data it’s pretty obvious that “security” in that standard exists in name only.

    3. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: IOT is only going to grow as an issue long term

      Entirely correct.

      precisely why, just a related topic, GDPR privacy controls are as strict as they are because without them we would see a similar effect.

      As such the security and privacy by design and default requirements from the data protection law may actually already help in the IOT security challenge. Although specifically for consumer equipment.

  3. Andraž 'ruskie' Levstik

    "The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle," Schneier said.

    Other then a few companies - most consumer goods won't survive beyond 10 years - at best. There are a few manufacturers where you tell them you have their machine that is 20 years old they go - yeah that is expected lifetime for it. But most are like 5-7 years...

    1. h4rm0ny

      On the contrary, goods where large improvements have ceased, can and do have lifespans much more than ten years. My TV is a 1080p and ten years old. New technologies like HDR mean an upgrade would have some value, but it's not enough for me to have done so. My cooker is around twenty years old. My fridge is only six years old but there's nothing a new fridge would have that would make me want to replace it. What do all these things have that sets them apart from computers, tablets, et al? The technology has reached the point where you buy for reliability and long-term value rather than new features.

      Which is WHY I haven't bought a new TV. Because any new TV that would actually be an upgrade is now saddled with cameras, microphones, an OS (usually based on that famously secure platform Android) and my faith in it still working, being secure and compatible with everything else a decade from now is in the low %. Ditto for any fridge with WiFi or heating system that insists on running from an app on my phone. They may be secure today. They wont be five years from now (let alone ten),

      Bruce Schneier is quite correct (as he always seems to be). We have a time-bomb of crappy security waiting for us. I'm personally going to make my TV, Fridge, Cooker, Heating System last the next ten years as well. Hopefully by then I'll be able to buy a TV that doesn't flash "Create your account" messages every time I turn it on until I give Samsung permissions to access it.

      1. John Robson Silver badge

        The heating could be secure in ten years - if it was rationally designed now.

        It should have an RJ45 port, and acquire an address from DHCP. It should also grab an NTP server (or guess at the DHCP server, then pool.ntp.org if the DHCP server neither gave it one, nor acted as one).

        It can then present a web/API interface over that local connection - which also offers firmware upgrade functionality (with a physical button press also required).

        Anything that just has WiFi, and refuses to talk locally - only talking to some external server... Well, that's just dumb...

      2. Spazturtle Silver badge

        Saw and advert for an 8k Samsung TV the other day, not sure which of the 4 million HDR formats it supports though. Guess I'll wait a bit longer for it all to settle down.

      3. davemcwish

        6 years (and counting) for a fridge

        @h4rm0ny is lucky, my £600 one lasted 3 before getting a leak and discharging the coolant. I was quoted £300 for a re-gas with no guarantee it would even work. It's now in landfill.

        I wouldn't be surprised manufactures use built-in obsolescence along with new shiny shiny to keep the profits rolling in. As for IOT a similar would apply. Sorry but that standard is now obsolete you need to buy the new product as we're not going to let you do a s/w upgrade.

        1. Loyal Commenter Silver badge

          Re: 6 years (and counting) for a fridge

          £300 for a re-gas. Fucking hell what sort of freon are they using? Unobtainium?

          1. Mark 85

            Re: 6 years (and counting) for a fridge

            It's not the old Freon anymore. The stuff is supposedly environmentally safe.. and expensive. Horribly expensive.

            1. Loyal Commenter Silver badge

              Re: 6 years (and counting) for a fridge

              It's not the old Freon anymore. The stuff is supposedly environmentally safe.. and expensive. Horribly expensive.

              Unless your 'new' fridge was manufactured before the mid '90s, it won't have contained CFCs. My understanding is that the freon most commonly in use nowadays is 1,1,1,2-terachloroethane, which is prety cheap stuff, probably less than £10 to fill a fridge. I've also seen fridges with cyclopentane in them, which is also dirt-cheap, but flammable.

          2. Gene Cash Silver badge

            Re: 6 years (and counting) for a fridge

            > £300 for a re-gas. Fucking hell what sort of freon are they using? Unobtainium?

            That's the new expensive stuff they have to use, since the old cheap stuff is harmful to the ozone layer.

            The sticker shock for auto a/c is high for the same reason, and the old incompatible systems need to be completely replaced... where "old" is defined as over 6 years.

            This is the exact thing that Bush and Trump have held up as why the US no longer wants to participate in these environmental treaties.

            1. JohnFen

              Re: 6 years (and counting) for a fridge

              "This is the exact thing that Bush and Trump have held up as why the US no longer wants to participate in these environmental treaties."

              That's right, because the Earth can go fuck itself if the alternative is that I have to pay a bit more to stay comfortable in my car.

            2. vtcodger Silver badge

              Re: 6 years (and counting) for a fridge

              I was curious, so I did some research. The cost of coolant looks to be only a very small part of a rather complex procedure. Assuming R-134A, the Freon to regas a home fridge costs only a few US dollars. BUT you need a good vacuum pump, and soldering equipment, and a new drier unit, and probably a supply of dry Nitrogen gas. AND, you need tools and gauges and plumbing fittings. AND you need to know what you are doing. AND any moisture in the system is likely going to result in a fridge that doesn't cool. It's likely going to take a few hours even if you know what you are about. Many more hours if you don't.

              Bottom line. The gassing operation that probably costs the manufacturer less than $10 for parts, materials and labor when the fridge is built is probably going to cost you many hundreds of dollars to replicate if repair is needed. In theory, you can do it yourself for much less money. But it's going to take a lot of time and you're likely going to need some luck.

        2. h4rm0ny

          Re: 6 years (and counting) for a fridge

          "@h4rm0ny is lucky, my £600 one lasted 3 before getting a leak and discharging the coolant. I was quoted £300 for a re-gas with no guarantee it would even work. It's now in landfill."

          Name, shame and one-star review them, then. I'd like to know who to avoid next time I buy a fridge.

      4. JohnFen

        " is now saddled with cameras, microphones, an OS (usually based on that famously secure platform Android) and my faith in it still working, being secure and compatible with everything else a decade from now is in the low %"

        The easy way to avoid the problems with new TVs is to simply never connect them to your network. Then issues like security are nonfactors. Or, even better, don't buy a TV at all -- buy a large monitor instead and connect it to a media system.

        1. h4rm0ny

          The easy way to avoid the problems with new TVs is to simply never connect them to your network. Then issues like security are nonfactors.

          I considered that, but as alluded to in my post, that doesn't always work so well. I tried a Samsung 4K TV and every time I powered it on it would go through this registration rigmarole. You can say later, but not "no". I actually returned the TV because of all the "smart" functionality. I just didn't want the hassle and I didn't trust it.

          Or, even better, don't buy a TV at all -- buy a large monitor instead and connect it to a media system.

          That's not a bad idea, but a monitor of equivalent size is absurdly expensive and they tend not to have good viewing angles because they're designed for one person. I've considered a projector, though.

          1. This post has been deleted by its author

          2. Jamie Jones Silver badge

            "That's not a bad idea, but a monitor of equivalent size is absurdly expensive and they tend not to have good viewing angles because they're designed for one person. I've considered a projector, though."

            I have a projector. Best decision I made.

            For £400, I have a 100 inch (it can go bigger) 1080p screen which works great for video, and also great for accessing El Reg from my sofa (as I am now!)

            I have the ACER H6510BD... Weirdly it was £400 new when I bought it about 2 years ago, but now appears to be at least £600...

    2. Anonymous Coward
      Anonymous Coward

      "most consumer goods won't survive beyond 10 years"

      What consumer goods are you talking about? Many "goods" like heating/cooling systems last decades,

      You don't expect to change electrical plugs and switches every five years. Some kitchen appliances may have a long life as well. Sometimes there are more chances you replace them because of a renovation, and sometimes to buy more safe ones - than because they stop working, or became truly unsafe.

      No way a household will replace all appliances, especially expensive ones, every five years, or even ten, just because it's internet connected and its firmware no longer secure.

    3. BinkyTheMagicPaperclip Silver badge

      5-7 years - well as mentioned elsewhere it's actually a lot longer. My secondary computer is ten years old, the primary uses six year old technology. I'm not dropping upwards of four grand on a new dual CPU system when second hand CPUs are a fraction of the price and do a decent job (things such as the motherboard I bought new).

      Not to mention : mobile phones. Supported for up to three years. Capable of working for far beyond that.

    4. Voland's right hand Silver badge

      Other then a few companies - most consumer goods won't survive beyond 10 years - at best.

      Tell it to my boiler and its control unit. They are now 21 years old and I am not changing it. I did the math for investing into a new condensing unit and the efficiency increase did not recoup the significantly shorter lifespan. There are still spare parts for it and there is no issue to maintain it for now (and hopefully for 10 more years).

    5. Jamie Jones Silver badge

      The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle," Schneier said.

      Other then a few companies - most consumer goods won't survive beyond 10 years - at best.

      Re-read the bit you quoted. He's saying that newer white goods (even newer models) will not have an IT refresh so often - in 20 years time, yowu'll buy a new fridge (or hover-board/jetpack/flying car/clothes made of aluminium...!) and it will have the same IoT hardware/software as the one you bought 10 years earlier.

      1. JohnFen

        "He's saying that newer white goods (even newer models) will not have an IT refresh so often"

        That's an entirely different thing than saying they "won't survive".

        1. Jamie Jones Silver badge

          That's an entirely different thing than saying they "won't survive".

          ..which was exactly my point. It was the poster who I was replying to who said that they won't survive. (sorry, the requoting wasn't too clear)

    6. JohnFen

      "most consumer goods won't survive beyond 10 years - at best"

      I hear this a lot, but am I the only one who hasn't personally noticed it? Consumer goods that I buy routinely last more than a decade, and I expect them to.

      But then, while I don't often buy high-end, I am equally unlikely to buy the cheapest ones as well. Also, when things break, I tend to fix them rather than replace them (90% of the time, whatever broke is easily fixed, even with consumer electronics and even if they're labelled "no user serviceable parts inside"). Perhaps that explains the difference?

  4. alain williams Silver badge

    ThIrd party support by law

    at the moment if my washing machine breaks & the manufacturer won't repair then I can call in an independent outfit to replace the broken bits, made by some third party supplier.

    If IoT software breaks (or a vulnerability becomes known) then I can only go to the manufacturer. Unfortunately they loose interest very quickly and announce 'end of product lifetime'. Once they do that then the software must become open source. There is a potential business in patching such software.

    Unfortunately the general public will be reluctant to pay even £2/year as software support contract for the washing machine - they will want to know why & then bitch if they get hit.

    It'll be interesting t see how this goes.

    1. JohnFen

      Re: ThIrd party support by law

      "If IoT software breaks (or a vulnerability becomes known) then I can only go to the manufacturer"

      Which is one big reason why, although my home is heavily automated, I have never, and will never, use a commercial IoT "solution". The biggest reason, though, is that commercial "solutions" invariably require talking to a cloud server somewhere. The next big reason is that there is no way commercial solutions can be considered anything close to secure.

  5. Anonymous Coward
    Anonymous Coward

    ""I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.""

    As usual, Schneier is spot on.

    Security is/will be utter garbage until regulation kicks in. This is because security costs money and every IoT business will spare every penny.

    It's economics stuff, really.

  6. Sil

    40 years is over the top.

    How about guaranteeing software maintenance for 5 or 10 years.

  7. Milton

    More seriously

    More seriously, one should listen to Schneier not simply because he is one of the world's foremost security experts but because, notwithstanding his command of the jargon, he usually talks unvarnished, refreshing common sense.

    Watching him debate or act as an expert witness before politicians, as he has done a few times, is an eye-opener. It's like observing a patient teacher dealing with six-year-olds. Stupefying ignorance isn't enough: the politicians' floundering lack of fact-based rationality and logic always ends up painfully exposed to view. "I want π to be 3! I want it, I want it, I want it!" cuts absolutely no ice, no matter which faeces-hurling congresscritter is hooting.

    We can dare to hope that Mr Schneier and the evidence-based community will eventually get through to these cretins (or vote for less cretinous cretins), but as others have observed, US politics is now so corrupt that it's not gonna happen soon. Indeed, you could argue that US politics is basically doomed to unrepresentative, dysfunctional chaos unless and until there is a root and branch reform of campaign finance. "Lobbyist" is as dirty a word as "politician" these days.

    1. Version 1.0 Silver badge
      Meh

      Re: More seriously

      Sure, I agree Milton - but has Bruce Schneier brought any electronics on Amazon recently? If you sell electronics in the USA then you are supposed to have passed FCC tests and display a logo - but if your kit was made in China and is being sold at cheap prices then the chances of seeing any testing certifications are very low to non-existent.

      You can regulate the IoT all you like but actually enforcing the regulations is impossible in the current environment - that's what need to change.

      1. LoPath
        Facepalm

        Re: More seriously

        The last measuring gadget I bought from China has an FCC logo on it. They have a misspelling on the sticker, though. "Laser radiation - Aovid direct exposure to beam" I highly doubt it's actually registered with the FCC, but putting the logo on the sticker is easy!

        1. Gene Cash Silver badge

          Re: More seriously

          > putting the logo on the sticker is easy

          The CE mark is now so widely counterfeited that it's called the "Chinesium Export" logo now.

      2. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: More seriously

        Will FCC also check the software security of the device?

        Btw, this holds similarly for the European CE mark.

        Security is not tested.

        Even worse, on electrical stuff correct filtering components are removed during actual production to save costs.

        is your dimming unit for your lights buzzing? But does it have a CE mark? Good chance this is the reason why.

        What does this have to do with security? Just that just regulations will not work, enforcement and regular re-testing will.

        But since we are not doing that with electrical equipment, there isn't much hope it will all of a sudden be done in the security space.

  8. Anonymous Coward
    Anonymous Coward

    penalties = tax/bribes

    "if governments start doling out stiff penalties."

    Penalties that are monetary fines are how governments approve criminal behavior while getting a cut of it.

    The only penalty that will change behavior is jail time, but without bribes (fines) how would they get rich?

    1. Mark 85

      Re: penalties = tax/bribes

      The only penalty that will change behavior is jail time, but without bribes (fines) how would they get rich?

      "Why can't we have both, Coleman?" Ok.. seriously... why not both? Double deterrent as the company gets fined (hits the investors) and the board gets jail time. I'd prefer the board gets keelhauling but jail time would work.

  9. Speltier

    It's Hopeless I Tell You!

    When quantum computers capable of breaking asymmetric algorithms come over the hill, that is it for the security of current IoT devices.

    So kick the can down the road, and mandate security after the quantpocalypse. Before that, don't bother since current IoT devices are trash at the quantum inflection point anyway. (expect the quantpocalypse for ordinary folks not subject to nation state attack in maybe 10 years. If the son of Mao is after you, well, that's sooner. Much sooner. But probably not yesterday. I can't tell if that particular cat is dead or alive without decohering the innermost matryoshka.).

    1. JohnFen

      Re: It's Hopeless I Tell You!

      "When quantum computers capable of breaking asymmetric algorithms come over the hill, that is it for the security of current IoT devices."

      Those same quantum computers will also be used to produce crypto that can't be easily cracked with quantum computers. If/when this technology becomes small and cheap enough to actually be deployed against targets who aren't of exceptional interest, it will be small and cheap enough that it will be available on the consumer market for crypto (and other) purposes.

      In essence, on this count, quantum computing changes nothing. Codemaking and codebreaking have always been a give-and-take thing, with one side on top for a while, then the other, and so forth. It's how it has been for as far back in mankind's history as we can see, and there's no reason to think it will be any different moving into the future.

      1. stiine Silver badge
        Unhappy

        Re: It's Hopeless I Tell You!

        I hear that quantum entaglement will insure that all quantum-derived crypto is broken as its created.

  10. HellDeskJockey

    He's right security will only be added to IOT products when companies are forced to. But we also have to realize the this stuff does last a long time. I have a 15 year old laser printer. It works why bother replacing. Washer and dryer and fridge are even older. Mom has a 50 year old washer.

    For non US readers the only thing class actions suits do is to enrich lawyers and allow companies to get off cheaply. Most class action offers I receive are tossed in the trash. If you are not offering me at least $20 USD cash it's not worth my time.

  11. spellucci
    Coat

    Really Lousy Idea

    A big IoT issue is the number of devices that do not auto update, and as a result fall prey to being commandeered into botnets. My Really Lousy Idea (TM) is that if a consumer owns a device that gets taken over and used in, say, a DDOS attack, that consumer is held accountable for damages. Imagine the damper that would put on buying IoT devices that are not really damn secure, or at least auto update.

    1. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Really Lousy Idea

      Effectively this, although not by law, is what already happens.

      It will make the problem worse than better as well.

      Make the companies creating this junk accountable.

      No, not with fines but with a full market ban on their products.

  12. Lucky2BHere

    Bruce is spot-on, but we gotta start somewhere

    Really appreciate Bruce's campaign. His book "Click Here to Kill Everybody" is a wakeup call to businesses and the cybersecurity industry itself - which has been more than complicit in peddling critically underperforming security products.

    We've already started making a difference in login security: zoomlogin.com, an AI solution with a nearly 100% certainty of user liveness. For any attacks that start with broken passwords, fingerprint, 2D face, Face ID, etc., a very effective approach is to verify the correct user is actually alive at the time of login (not BS blinking, nodding, smiling - easily recreated artifacts. We're just the first in NIST-certified, ISO-guided, AI-driven cross-platform software solutions. Much more to be done, but gotta start somewhere.

    1. JohnFen

      Re: Bruce is spot-on, but we gotta start somewhere

      "an AI solution with a nearly 100% certainty of user liveness"

      This will be mooted the exact same way that captchas have been mooted: by barely paying large numbers of live people in poor countries to get past that check.

      1. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: Bruce is spot-on, but we gotta start somewhere

        And since AI is nothing more than a rules based system, at least for the foreseeable future......

    2. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Bruce is spot-on, but we gotta start somewhere

      There has been a solution for this available for at least 11 years.

      Unfortunately nobody has been willing to embrace and implement it yet.

      The solution verifies the physical presence of the user during the entire transaction and/or session, not only at the start of it.

      1. JohnFen

        Re: Bruce is spot-on, but we gotta start somewhere

        "The solution verifies the physical presence of the user during the entire transaction and/or session, not only at the start of it."

        That's a solution that, as a user, I would be 100% unwilling to put up with.

  13. Herby

    Lots of things are "long lived".

    Most notably houses. They (here in the USA) have 30 year mortgages, which indicate that somebody thinks that they will last that long (the house I'm in is older than that!). The items that are installed in it (wiring, walls, etc.) have lasted that long, and I expect them to last longer.

    Maybe the law should be: If you don't support it then you can't claim it is proprietary and its design is public domain for all to tinker with, including software! That might be a worthwhile ting to do.

    Oh, if you DO support it, it must have security updates, or you aren't really supporting it!

    Then again I live in a dream world.

  14. FelixReg

    A 30 year old device with no manufacturer

    Remember, before you flame your solution to the problem, IoT manufacturers have a life span, too.

    The correct solution is regulation to the extent that nothing new is manufactured. Or, since the effect of regulations is to limit competition, regulate manufacturers down to 1. That way, nothing could possibly go wrong.

  15. Aodhhan

    Put away emotion and rethink

    In the USA, you can't just force an individual or an organization to do something unless national security or public safety is at risk. American's have every right to be as ignorant as they want to be.

    To say security will not get better without government interaction is ignorant in itself. Security has gotten much better without government interaction. Corporations have also moved to be a lot more secure--again, without government interaction. Most companies want to become more secure faster, but the costs outweigh the risk in many cases. Don't forget the risk management aspect.

    So if this is the case, why is IoT so insecure? Well, consider where many of these products are made, then ask yourself if these countries have an interest in secure IoT; as well as if they have something to gain if there are a great deal of IoT devices in western countries.

    Another aspect is how new IoT is. Companies kick out IoT devices fast to make money and ignorant consumers rapidly purchase them so they can boss around Alexa and brag about it. Security is an after thought, and will be until consumers begin to demand it. A company has to compete with many others, adding security costs money--they can't sell a product which costs $20 more than competitor products.

    The answer isn't government involvement. In fact, the last thing you should want is the government sticking their hands into my or anyone's business. Taxes are high enough.

    The answer is educating consumers so secure products are what begin to sell, and becomes in demand. You know... this whole free enterprise thing.

    It drives me crazy anytime people start expecting the government to step in and make changes. If you're intelligent enough... get up and make a difference yourself--else your taxes will increase and minimum wage will stay low. When is the last time you've asked a company for a more secure IoT device? Do you educate friends, family coworkers about the dangers and risk of IoT--in a manner they can understand? How does insecure IoT negatively affect their family?

    Start educating people on the risks associated with IoT, and how it can negatively affect their family. Do this and you'll see people forcing change. Without additional taxes and/or politicians finding a way to corrupt it.

  16. onebignerd

    IoT should be cremated, it's ashes entombed in concrete and buried in a deep hole. WannaCry is still causing problems because people and businesses will not apply a simple patch or upgrade their systems. We certainly don't need fridges, thermostats, toys, toasters, lights...etc connected to the Internet unpatched.

  17. AnoniMouse

    The genie is out of the bottle

    The cost of a chip that enables a "Thing" to connect to a wireless network continues to plummet. "Thngs" are becoming so small and so cheap that measures used by the US (or any other government) to control IT such as mobiles, laptops or even larger (and more expensive) devices will just not scale.

    As such "Things" are incorporated into buildings, transport, homes, there is a need to ensure that the desirable characteristics identified by Schneier are fulfilled by the "Things" AND sustainable for the full lifetime of the eaxh "Thing" - which could be decades.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like