US think-tank wants IoT device design regulated, because security

If the world wants a bonk-detecting WiFi mattresses, it must be a malware-free bonk-detecting WiFi mattress

28 Reg comments Got Tips?

Washington DC think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices.

Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood.

The pair say the risk that regulation could stifle market-making IoT innovation (like the WiFi cheater-detection mattress) is outweighed by the need to stop feeding Shodan.

"National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices, but regulation development faces the challenge of … security-by-design without stifling innovation, and remaining actionable, implementable and binding," Scott and Spaniel say.

"Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy.

"Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates."

State level regulation would be "disastrous" to markets and consumers alike.

The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets.

The authors also join the ranks of those pointing at China, warning that foreign-developed IoT devices are a risk to US infrastructure suggesting that in the "long-term" the Mirai malware could be used by Beijing-backed hackers.

"Nation-state activity may be the serious long-term threat of IoT malware because nearly every one of the predicted 50 billion IoT devices in active use by 2020 will have been developed and manufactured by enemy nation states," they say.

Scott and Spaniel go on to say developing software backdoors for law enforcement is a bad idea since the same mechanisms could be exploited by criminals, placing consumers at risk.

Internet-of-things vulnerabilities are unlikely to disappear anytime soon; even cashed-up enterprise vendors lack incentive to push out sufficiently secure products and are subject to an ongoing array of critical remote code execution vulnerabilities. Small cost-sensitive internet-of-things developer teams have little incentive to invest in rigorous security testing.

Some penetration testers have gone further satirically arguing that a vendor's state of software security is inverse to its use occurrences of the term 'enterprise'. ®


Keep Reading

Leave your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things

Finding sparks debate over bug disclosure – and how to secure a local gateway's web control panel

Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public

Two models get hot-fixes, er, looks like 77 more to go?

Must not be the season of the switch: Someone flipped the you-know-what in global ethernet switch and router supply chain

Customers pulling purse strings didn't help much either, say analysts

Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

Exclusive DNS entries left pointing to Azure-hosted server names snatched by miscreants for mischief

The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes

And the best part of it? Hospitals are most at risk

Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked mode

Collection of bugs, dubbed Ripple20, sink widely used TCP/IP stack

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

Did you know Arm has an Internet-of-Things cloud? Yeah, not no more it ain't. Wants to offload it to Softbank

Microprocessor core designer says it just wants to focus on designing microprocessor cores

Biting the hand that feeds IT © 1998–2020