‘Well intentioned lawmakers could stifle IoT innovation’, warns bug bounty pioneer • The Register

IoT security regulations could stifle innovation without addressing the security problems at hand, a well-respected security researcher controversially argues.

Compromised IoT devices were press ganged into the Mirai botnet and infamously used in a DDoS attack that left many of the world’s most famous sites unreachable back in October 2016. The attack is exhibit one in the case for regulation against IoT device manufacturers who ship insecure kit.

Moussouris, the bug bounty pioneer of the headline, singled out as ill conceived US proposals under which government agencies would be prohibited from buying IoT kit with known vulnerabilities.

Trying to stop the government from purchasing is misconceived, particularly in the absence of agreement on what constitutes a serious bug, she said. Bugs are continually being found in all manner of devices – it’s a question of looking hard enough – so does that make everything insecure?

“Should the best practice in IoT be the same as that for general computing?” Moussouris said, citing the example of medical IoT devices that might be implanted in patients to make her point that the issue of patching, updates and default controls is more complicated than some might suggest.

Other participants in a panel on IoT security at CYBERUK 2018 in Manchester on Wednesday were more amenable to the concept of regulation, such as establishing a kite mark for IoT security in much the same way as there is already certification for electrical compatibility.

James Martin, of the British Retail Consortium, said that incentives and harm in the case of the damage caused by the Mirai botnet and other IoT threats don’t line up. Consumers with insecure devices might lose a little bandwidth on their home connections, but it is the big sites that are hit by denial of service attacks that are really affected.

This line provoked a retort from noted IoT device hacker Ken Munro, a pioneer in hacking everything from smart kettles and kids’ toys to smart cars. “Security can enable IoT if done right,” Munro said. “Unfortunately, most IoT vendors don’t.” ®

The Internet of Things Cybersecurity Improvement Act Moussouris references would set baseline security criteria for federal procurements of connected devices. These would include the absence of hard-coded passwords and the absence of known security vulnerabilities.
