I found this piece from Reuters on the potential security vulnerabilities of the “Internet of Things” (IoT) grimly amusing:
BOSTON (AP) — Researchers at a cybersecurity firm say they have identified vulnerabilities in software widely used by millions of connected devices — flaws that could be exploited by hackers to penetrate business and home computer networks and disrupt them.
There is no evidence of any intrusions that made use of these vulnerabilities. But their existence in data-communications software central to internet-connected devices prompted the U.S. Cybersecurity and Infrastructure Security Agency to flag the issue in an advisory.
Potentially affected devices from an estimated 150 manufacturers range from networked thermometers to “smart” plugs and printers to office routers and healthcare appliances to components of industrial control systems, the cybersecurity firm Forescout Technologies said in a report released Tuesday. Most affected are consumer devices including remote-controlled temperature sensors and cameras, it said.
I’ve been warning of these security threats off and on for the last 15 years. I would be more convinced of the prudence of the IoT if
- The consumer benefits were clearer. AFAICT most of the benefits are to the vendors rather than to consumers.
- I had greater confidence that the manufacturers and vendors of connected devices were more conscientious about security risks.
I’ll suggest what I’ve proposed before: strict liability. And the burden of proof should be on suppliers rather than on consumers, i.e. suppliers should be required to prove that their devices are secure rather than consumers being required to prove that they were hacked.
The IoT always reminds me of the late John Glenn’s old wisecrack: “I felt exactly how you would feel if you were getting ready to launch and knew you were sitting on top of two million parts — all built by the lowest bidder on a government contract” except that it’s in our homes.
I think I’ve mentioned before I now work in the cellular/mobile internet space.
There are two additional problems besides unsecured firmware:
– stuff sold illegally in the US. Amazon sells a lot of stuff that hasn’t been FCC approved, for instance, with the actual items being drop-shipped from China.
– Many of these devices, because they have such crap firmware, have to pingback to a proxy server to do anything – especially stuff that is supposedly integrated with Alexa and Google Voice. Almost all of these proxy servers are in China.
This meme is also particularly relevant:
https://imgur.com/CIlAhgE