Improved IoT Security Starts with Liability for Companies, Not Just Legislation

With the holiday season upon us, take a moment to think on the security of the plethora of IoT devices that will be purchased, gifted and implemented into the daily lives of countless people.

With the holiday season upon us, take a moment to think about the security of the many IoT devices that will be purchased, gifted and brought into the daily lives of countless people. Despite troubling reports like the IoT teddy bear that leaked two million message recordings of kids and was found to be easily hacked and turned into a spy device, a quick look at one recap of 2018 Cyber Monday sales shows that connected and ‘smart’ gadgets are at the top of everyone’s shopping list. And yet it seems that people are buying these devices for their homes and offices without considering, or ultimately choosing to ignore, very real risks.


Whether the general population is aware of these hacks or not, there must be ways to prevent such massive breaches of sensitive information for these mainstream technologies. My question for discussion is this: if policies like the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data, could legislation improve the state of IoT security for devices that are also putting our privacy at risk?

I believe that in theory, legislation could help with IoT security. However, laws regulating new technologies are often poorly crafted, and can significantly hamper innovation with little benefit. It is critical that any new laws be written with great deliberation and input from all stakeholders.

One of the biggest problems with IoT devices is that most are never updated or patched. It is almost guaranteed that no one has the time or desire to manually patch their refrigerator or thermostat on a regular basis, and the average person using these devices may not even have a basic understanding of their security risks. Improving IoT security needs to start with the companies that make these devices – they must be held accountable for supporting secure, authenticated and automatic updates.
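To make "secure, authenticated and automatic" concrete, here is an added example (not code from the column or from any vendor) of the checks a device should run before it applies an update it fetched on its own: the manifest is authenticated, an older build cannot be reinstalled, and the downloaded image matches what the manifest vouches for. The vendor key, image bytes and manifest layout are all constructed for the example; HMAC-SHA256 stands in for the asymmetric signature a real update pipeline would use so the device only ever holds a public key, but the order and meaning of the checks are the same.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real device would hold only the vendor's public key
# and verify an asymmetric signature; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _encode(version, digest) -> bytes:
    """Canonical encoding so vendor and device authenticate identical bytes."""
    body = {"version": version, "sha256": digest}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: describe an image (version + hash) and authenticate it."""
    digest = hashlib.sha256(image).hexdigest()
    mac = hmac.new(key, _encode(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "mac": mac}


def verify_update(manifest: dict, image: bytes, installed_version: int,
                  key: bytes = VENDOR_KEY) -> tuple[bool, str]:
    """Device side: accept the update only if every check passes, in this order."""
    version, digest = manifest.get("version"), manifest.get("sha256")
    expected = hmac.new(key, _encode(version, digest), hashlib.sha256).hexdigest()
    # 1. Authenticity: constant-time compare so a forged or edited manifest is rejected
    #    before anything in it is trusted.
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        return False, "manifest authentication failed"
    # 2. Anti-rollback: a genuine but older manifest must not reinstall a vulnerable build.
    if not isinstance(version, int) or version <= installed_version:
        return False, "version is not newer than installed firmware"
    # 3. Integrity: the bytes actually downloaded are the bytes the manifest describes.
    if hashlib.sha256(image).hexdigest() != digest:
        return False, "image hash mismatch"
    return True, "update accepted"


if __name__ == "__main__":
    image = b"constructed firmware image v2"
    manifest = build_manifest(2, image)
    print(verify_update(manifest, image, installed_version=1))       # accepted
    print(verify_update(manifest, image + b"!", installed_version=1))  # hash mismatch
    print(verify_update(manifest, image, installed_version=2))       # rollback refused
```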

This issue is very complex, and any new laws need to avoid creating unintended negative consequences. For example, new laws should state requirements at an abstract level. If the language is too technologically specific, the law will be outdated almost immediately due to the speed at which companies are innovating and how quickly technology changes today. Beyond this kind of legislation, we need some level of liability for the damage that poorly designed IoT devices inflict. Without that, manufacturers have no incentive to spend money to make them secure. Unfortunately, there is almost no market pressure for security at the moment – bad security and good security look the same to the untrained eye.

Consider two smart toasters on the store shelf. Both have cool features, and both claim to be easy to use and secure. If one is $10 cheaper than the other, which is likely to sell better? There is huge pressure on companies to compete on price, and almost no ability to compete on security with typical buyers. Additionally, many IoT devices are created by young companies in a desperate race to be one of the first devices in a category and grab market share. The odds of a startup surviving at all are slim. Anything that distracts from the ability to deliver the product as fast as possible with the coolest features will be ignored if possible. And it is possible for them to ignore good security, so most do.

It is easy to vilify the IoT makers, but they are simply responding to the constraints and market realities in front of them. Moral persuasion will not meaningfully change their behavior. To get better IoT security, that needs to actually be a priority for the business, and that means changing the regulatory and liability landscape to make it so.

Laws to support swift and automatic updates for all devices, and consequences for organizations that fail to ensure their IoT devices are truly secure, would be a big step forward for IoT security. A major hurdle for this kind of change will be educating the general population that most of the devices they interact with are extremely insecure. Without public outcry, there is little chance IoT device manufacturers will be held to account for the security of their products.
