Major internet corporations weigh in on guidelines for Internet of Things security
The Broadband Internet Technical Advisory Group (BITAG) released a report titled “Internet of Things (IoT) Security and Privacy Recommendations” about a week ago that outlines their observations about the IoT and their recommended solutions. The IoT press have hailed this as a great event, either referencing the report or “coincidentally” publishing their own thinkpieces parroting its conclusions.
The executive summary of the report is here, along with a link to the full report. The summary is very accessible and clear and I recommend you look at it.
But it’s also a bit naive.
My executive summary of the executive summary is “Don’t be lazy and ignorant, and spend more money on customer support”.
BITAG and I are on the same page here, their recommendations are largely the same as mine, but that’s the point. Everyone should already know this.
“Don’t be lazy and ignorant” is great advice, but until someone actually invents a vaccination against laziness it’s not a solution, it’s just wishful thinking.
So, what’s to like about this report?
First, it’s a good checklist for consumer reviews. We have essentially a tick-list of IoT Good Neighbourliness that can result in a safety rating for devices. I can see retailers like Amazon adopting a safety review system, the trick will be keeping it fair and honest, unlike current product reviews.
Second, it’s a starting point for future IoT product safety legislation. If you sell an alarm clock you have to have it tested to prove its electromagnetic emissions don’t interfere with broadcast TV or Air Traffic Control radio, or whatever. Since the Internet as a whole is now in essence a life critical system, it makes sense to me that Internet appliances should pass a similar kind of “Internet emissions test” as they must for electromagnetic radiation. The hard part will be enacting safety rules without raising too much of a barrier to innovation.
Third it’s a class-action lawsuit handbook. I think it will take a lawsuit against some particularly lazy and ignorant manufacturer to make it inarguable to manufacturers that being lazy is not good business. Sooner or later some celebrity’s baby pictures or naked shower run video will leak via an insecure device. The Mirai Botnet was a general wake-up call, but it has no easily sue-able single negligent party. If we get an information leak on the scale of the Paris Hilton video leak, originating from someone’s insecure IoT device, then look for this to become a turning point in consumer safety.
By agreeing on what “good neighbourliness” means, and what the best practices are, we’re setting the bar for manufacturers and developers. It was already indefensible for IoT manufacturers to repeat the mistakes of the past, by making these recommendations, BITAG plants the flag for ethical product design. If you are building or buying IoT devices I encourage you to ask your suppliers and developers if they already comply, and if not, why not.
(This article originally appeared on Medium.)
