The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care.
They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks.
Tags: denial of service, DNS, economics of security, Internet of things, laws, software liability

Posted on November 10, 2016 • 63 Comments

November 10, 2016
How to have regulation / liability without giving vendors an excuse to lock out owners from modifying their devices under the pretence of "security"? (OpenWRT, CyanogenMod, GNU/Linux, etc)

November 10, 2016
@Conan There are probably less than 5% of owners who modify their devices, 95% of them just use them as intended.
If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies.
That was okay when software didn't matter — it was okay that your spreadsheet crashed once in a while. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. But a software bug that literally crashes your car is another thing altogether. The security vulnerabilities in the Internet of Things are deep and pervasive, and they won't get fixed if the market is left to sort it out for itself. The botnet bombarded Dyn with traffic, so much that it went down. Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security. The technical reason these devices are insecure is complicated, but there is a market failure at work. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet.