The big outcome of a one-day special IoT security session run by the US government? A new labeling system for your smart home devices.
It's not going to happen for a few years, and today's meeting in Austin, Texas, only agreed to set up a working group to look into the issue. However, after five hours of discussion with experts representing everyone from AT&T to Microsoft, there was unanimous agreement that a simple way of letting folks know about security issues was a good step forward.
One of the biggest issues: how long a manufacturer will support your device. That means that when you buy your smart thermostat, or lightbulb, or door lock, a manufacturer will commit to updating and patching it for N number of years, with the date stuck on the box on a label.
The group will look at other similar simple widgets that can provide people with valuable and easily understandable information before buying a new product. The idea is to find a way to encourage companies to invest more money and effort in security efforts by allowing users to see which products offer more.
Other outcomes from the meeting – during which everyone agreed that a complete lack of IoT security standards posed a serious problem – include: a group to look at the multitude of existing frameworks and guidelines dealing with IoT; a group to review issues around minimum requirements; another to look at ways to incentivize companies to adopt new labels; and another to dig into an open framework.
In an effort to prevent the working groups from trying to tackle everything under the huge cybersecurity banner, each group will have as a main focus the issue of "patchability".
The meeting itself brought together a board range of people, from officials within the US government to people working in manufacturers, network operators, consumer groups and standards organizations.
Everyone was in firm agreement that IoT security is a big deal, both from a financial position and for the broader internet. According to Pew Research, 47 per cent of consumers say that have not bought smart-home and IoT devices due to security concerns; according to Accenture, 18 per cent of consumers have stopped using an existing product because it stopped service.
Top of everyone's mind was also the risk that exists of poorly patched IoT devices being used to direct massive denial of service attacks. Intel's VP and general manager for IoT security solutions, Lorie Wigle, warned that the chip giant was already convinced that ransomware was going to be a much bigger problem before it got better.
There are already millions of devices with exploitable security holes online, warned experts, and no way to warn their owners about it, or to help them patch the holes.
There was also wide-ranging debate about whether consumers will pay for additional security, and the issue of how much security and what degree of patchability you can expect from $10 devices, as opposed to $150 devices.
There are also different markets: consumer devices are a very different animal to medical devices (one slide showed a new-born baby in an incubator reliant on no less than seven devices all potentially accessible through the internet), or cars.
"There is a real barrier here in terms of the super-diversity of devices," warned one attendee. As such there were repeated efforts to break down devices: by market, function, memory available, durability (is it a refrigerator that will last by 10 to 20 years, or a motion detector that whose battery will die in two to three years?)
The goal from the US government's perspective is to get the industry to make progress – and to do so openly and with sufficiently transparency, preferably with open standards.
It's going to be difficult thanks to the very broad range of views in the room, including one engineer who, like many El Reg readers, felt the best solution was to stop connecting everything to the internet in the first place and spend more time doing better systems engineering. ®