Not a US citizen, so I'm not sure if I can even choose a state, so here it is.
IoT devices are almost always data collection devices: CCTVs, thermostat sensors, smart light switches. IoT devices do not only exist in the comfort of American homes, but also in American industries and American office buildings, and unlike your computer's browser, which receives security updates every 2 weeks or so, IoT devices are probably 5+ years out of date and are susceptible to hacks discovered over the years. Hacks can be discovered by malicious individuals and distributed everywhere over the course of hours, the so-called 0-day attack. Think ransomware, cryptominers, backdoors. What would have happened over the course of years?
And unlike computer devices, where the vulnerable part is the software, IoT devices are typically low level, so a security compromise from the network can compromise the entire hardware: from exposing secret data protected only by software, such as leaking private keys, to allowing attackers to install custom software on the cameras in your home.
And worse, there's little incentive for manufacturers to continue supporting devices that are 5+ years in service, even though they are still in service. They may discontinue that line of products and sell new products instead, or, even worse, go out of business.
We have been putting too much trust in the industry, but we need security to protect those who are vulnerable. Do you know when the camera in your dining room last got a security update?
Manufacturers should be liable for ensuring the informational safety of their equipment. They need to specify on the device until when security updates are guaranteed, and beyond that date consumers are responsible for the device, either by using third-party security updates at their own risk, or by getting newer models with newer security guarantees.
So the calls to action would be:
1. A limited period of mandatory security updates that is communicated on the device.
2. Allowing any third party to make changes to the device, especially after the security period is over.
One consideration is, of course, open-sourcing the software. The internet is really quick to spot security issues and even proposes the fix, and this would come at no financial cost to manufacturers that have no incentive to test the security of their devices.