Improved IoT Security Starts with Liability for Companies, Not Just Legislation

With the holiday season upon us, take a moment to think on the security of the plethora of IoT devices that will be purchased, gifted and implemented into the daily lives of countless people.

Despite troubling reports like the IoT teddy bear that leaked two million message recordings of kids and was found to be easily hacked and turned into a spy device, a quick look at one recap of 2018 Cyber Monday sales shows that connected and ‘smart’ gadgets are at the top of everyone’s shopping list. And yet it seems that people are buying these devices for their homes and offices without considering, or ultimately choosing to ignore, very real risks.


Whether the general population is aware of these hacks or not, there must be ways to prevent such massive breaches of sensitive information for these mainstream technologies. My question for discussion is this: if policies like the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data, could legislation improve the state of IoT security for devices that are also putting our privacy at risk?

I believe that in theory, legislation could help with IoT security. However, laws regulating new technologies are often poorly crafted, and can significantly hamper innovation with little benefit. It is critical that any new laws be written with great deliberation and input from all stakeholders.

One of the biggest problems with IoT devices is that most are never updated or patched. It is almost guaranteed that no one has the time or desire to manually patch their refrigerator or thermostat on a regular basis, and the average person using these devices may not even have a basic understanding of their security risks. Improving IoT security needs to start with the companies that make these devices – they must be held accountable for supporting secure, authenticated and automatic updates.

This issue is very complex, and any new laws need to avoid creating unintended negative consequences. For example, new laws should state requirements at an abstract level. If the language is too technologically specific, the law will be outdated almost immediately due to the speed at which companies are innovating and how quickly technology changes today. Beyond this kind of legislation, we need some level of liability for the damage that poorly designed IoT devices inflict. Without that, manufacturers have no incentive to spend money to make them secure. Unfortunately, there is almost no market pressure for security at the moment – bad security and good security look the same to the untrained eye.

Consider two smart toasters on the store shelf. Both have cool features, and both claim to be easy to use and secure. If one is $10 cheaper than the other, which is likely to sell best? There is huge pressure on companies to compete on price, and almost no ability to compete on security with typical buyers. Additionally, many IoT devices are created by young companies in a desperate race to be among the first devices in a category and grab market share. The odds of a startup surviving at all are slim. Anything that distracts from the ability to deliver the product as fast as possible with the coolest features will be ignored if possible. And it is possible for them to ignore good security, so most do.

It is easy to vilify the IoT makers, but they are simply responding to the constraints and market realities in front of them. Moral persuasion will not meaningfully change their behavior. To get better IoT security, that needs to actually be a priority for the business, and that means changing the regulatory and liability landscape to make it so.

Laws to support swift and automatic updates for all devices, and consequences for organizations that fail to ensure their IoT devices are truly secure, would be a big step forward for IoT security. A major hurdle for this kind of change will be educating the general population that most of the devices they interact with are extremely insecure. Without public outcry, there is little chance IoT device manufacturers will be held to account for the security of their products.
