IoT security regulations could stifle innovation without addressing the security problems at hand, a well-respected security researcher controversially argues.
Compromised IoT devices were press ganged into the Mirai botnet and infamously used in a DDoS attack that left many of the world’s most famous sites unreachable back in October 2016. The attack is exhibit one in the case for regulation against IoT device manufacturers who ship insecure kit.
Infosec luminaries such as Bruce Schneier have been pressing the case for regulation since then, but not all security researchers agree.
Katie Moussouris, founder and chief exec of Luta Security and the veteran infosec researcher who created Microsoft's bug bounty programme, argued that there was a danger that well intentioned lawmakers could stifle innovation.
Moussouris singled out US proposals - that would mean governments would be prohibited from buying IoT kit with known vulnerabilities - for criticism.
Trying to stop the government from purchasing is misconceived particularly in the absence of agreement on what constitutes a serious bug, she said. Bugs are continually been found in all manner of devices - it's a question of looking hard enough - so does that make everything insecure?
"Should the best practice in IoT be the same as that for general computing," Moussouris said, citing the example of medical IoT devices that might be implanted in patients to make her point that the issue of patching, updates and default controls is more complicated than some might suggest.
Not all regulation is bad
Other participants in a panel on IoT security at CYBERUK 2018 in Manchester on Wednesday were more amenable to the concept of regulation, such as establishing a kite mark for IoT security in much the same way as there is already certification for electrical compatibility.
James Martin, of the British Retail Consortium, said that incentives and harm in the case of the damage caused by the Mirai botnet and other IoT threats don't line up. Consumers with insecure devices might lose a little bandwidth on their home connections, but it is the big sites that are hit by denial of service attacks that are really affected.
We are in a weird scenario where thousands of insecure smart kettles can be dangerous at a national security level because they might be used to attack components of the national infrastructure, according to Martin.
Pushing against default passwords on routers may be appropriate and the government could act to create a commercial imperative for manufacturers, Martin said, before conceding that regulations were an "imprecise lever".
Moussouris pointed out that regulating IOT devices that often can't be patched - but don't pose a particular risk - creates problems in itself because it is liable to add to the landfill problem.
The debate took place during a time when the Department for Culture, Media and Sport (DCMS) is inviting submissions to its Security by Design review into IoT security. The consultation is due to finish on 25 April and experts such as Ken Munro have already expressed skepticism about whether it will result in effective sanctions, as previously reported.
DCMS representative Emma Green echoed Moussouris' thinking in saying that the UK government "doesn't want to hinder innovation" adding that it regarded regulation as a "backstop".
This line provoked a retort from noted IoT device hacker Ken Munro, a pioneer in hacking everything from smart kettles, kids toys, and smart cars. "Security can enable IoT if done right," Munro said. "Unfortunately, most IoT vendors don’t." ®
The Internet of Things Cybersecurity Improvement Act Moussouris references would set baseline security criteria for federal procurements of connected devices. These would include absence of hard-coded passwords and absence from known security vulnerabilities.