Improved IoT Security Starts with Liability for Companies, Not Just Legislation

With the holiday season upon us, take a moment to think about the security of the plethora of IoT devices that will be purchased, gifted and woven into the daily lives of countless people. Despite troubling reports like the internet-connected teddy bear that leaked two million voice recordings of children and was found to be easily hacked and turned into a listening device, a quick look at one recap of 2018 Cyber Monday sales shows that connected and 'smart' gadgets are at the top of everyone's shopping list. And yet it seems that people are buying these devices for their homes and offices without considering, or ultimately choosing to ignore, very real risks.

Whether or not the general population is aware of these hacks, there must be ways to prevent such massive breaches of sensitive information by mainstream technologies. My question for discussion is this: if policies like the EU's General Data Protection Regulation (GDPR) are being developed to protect user security and privacy as companies continue to collect our data, could legislation improve the state of IoT security for devices that are also putting our privacy at risk?

I believe that in theory, legislation could help with IoT security. However, laws regulating new technologies are often poorly crafted, and can significantly hamper innovation with little benefit. It is critical that any new laws be written with great deliberation and input from all stakeholders.

One of the biggest problems with IoT devices is that most are never updated or patched. It is almost guaranteed that no one has the time or desire to manually patch their refrigerator or thermostat on a regular basis, and the average person using these devices may not even have a basic understanding of their security risks. Improving IoT security needs to start with the companies that make these devices. They must be held accountable for supporting secure, authenticated and automatic updates: updates that are signed by the manufacturer, verified by the device before installation, cannot be rolled back to an older vulnerable version, and are applied without the owner having to do anything.
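As an added illustration (not part of the original column, and not any manufacturer's actual update mechanism) of what "secure, authenticated and automatic" has to mean at the device end, the following Go program shows the vendor signing a small firmware manifest with Ed25519 and the device refusing forged, tampered or downgraded images. The key pair, version numbers and image bytes are constructed for the example; a real device would have the vendor public key baked in at manufacture and the signing key held offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor actually signs: the firmware version (must
// increase monotonically) and the SHA-256 of the image bytes. Signing a
// small manifest rather than the whole image lets the device verify a few
// bytes first and hash the large image only after the signature checks out.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode produces the fixed-layout bytes that are signed and verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is the package a device downloads: manifest, signature over the
// manifest, and the image itself.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrDigest       = errors.New("image digest does not match signed manifest")
)

// MakeUpdate is the vendor side: hash the image and sign the manifest with
// the vendor's private key (assumed, for this example, to live in an offline
// signing system).
func MakeUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(vendorPriv, m.encode()), Image: image}
}

// VerifyUpdate is the device side. The vendor public key is assumed to be
// baked into the device at manufacture. Checks run in this order:
//  1. signature, so nothing unsigned influences later decisions;
//  2. anti-rollback, so a genuine but old (vulnerable) image is refused;
//  3. image digest, so a signed manifest cannot be paired with a swapped image.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return ErrDigest
	}
	return nil
}

// Demo exercises the checks with constructed inputs and returns the device's
// verdict for each case (nil means the update would be installed).
func Demo() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	const installed uint32 = 5 // version currently running on the device (constructed)

	good := MakeUpdate(vendorPriv, 6, []byte("constructed image v6"))
	old := MakeUpdate(vendorPriv, 4, []byte("constructed image v4"))
	tampered := MakeUpdate(vendorPriv, 7, []byte("constructed image v7"))
	tampered.Image = []byte("constructed image v7 with an implant") // swapped after signing
	forged := MakeUpdate(attackerPriv, 8, []byte("constructed attacker image"))

	return map[string]error{
		"good":     VerifyUpdate(vendorPub, installed, good),
		"old":      VerifyUpdate(vendorPub, installed, old),
		"tampered": VerifyUpdate(vendorPub, installed, tampered),
		"forged":   VerifyUpdate(vendorPub, installed, forged),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

The order of the checks is the practitioner's caveat: the version comparison and the image hash are only meaningful once the manifest is known to come from the vendor, and the anti-rollback check is what stops an attacker from "updating" a device to a genuine, signed, but already-vulnerable release.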

This issue is very complex, and any new laws need to avoid creating unintended negative consequences. For example, new laws should state requirements at an abstract level. If the language is too technologically specific, the law will be outdated almost immediately, given how fast companies are innovating and how quickly technology changes today. Beyond this kind of legislation, we need some level of liability for the damage that poorly designed IoT devices inflict. Without that, manufacturers have no incentive to spend money on making them secure. Unfortunately, there is almost no market pressure for security at the moment: bad security and good security look the same to the untrained eye.

Consider two smart toasters on the store shelf. Both have cool features, and both claim to be easy to use and secure. If one is $10 cheaper than the other, which is likely to sell better? There is huge pressure on companies to compete on price, and almost no ability to compete on security with typical buyers. Additionally, many IoT devices are created by young companies in a desperate race to be one of the first devices in a category and grab market share. The odds of a startup surviving at all are slim. Anything that distracts from delivering the product as fast as possible with the coolest features will be ignored if possible. And it is possible for them to ignore good security, so most do.

It is easy to vilify the IoT makers, but they are simply responding to the constraints and market realities in front of them. Moral persuasion will not meaningfully change their behavior. To get better IoT security, that needs to actually be a priority for the business, and that means changing the regulatory and liability landscape to make it so.

Laws requiring swift and automatic updates for all devices, and consequences for organizations that fail to ensure their IoT devices are truly secure, would be a big step forward for IoT security. A major hurdle for this kind of change will be educating the general population that most of the devices they interact with are extremely insecure. Without public outcry, there is little chance IoT device manufacturers will be held to account for the security of their products.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.