For mobile, security had been a topic long before it was a real issue. For IoT, everything went a lot faster. Plus, the problem is a lot bigger, at least in terms of “global” impact, on the internet in general. (While mobile remains the bigger issue for personal security. Luckily, not everybody is at a high risk of becoming a victim of highly targeted attacks, like Ahmed Mansoor.) Actually, IoT is shattering records.
Recent DDoS attacks launched with the help of huge botnets, for example on hosting provider OVH and the blog Krebs on Security, reached new levels. In terms of consequences, Krebs speaks of a democratization of censorship. Somewhat ironically, it looks like IoT not only brings the internet to all remaining corners of life that were previously “undigitalized”, it also threatens the somewhat open nature of the internet we have enjoyed thus far.
What could be done to mitigate this threat?
If you buy electric devices, they (should) have a CE certification in Europe, an FCC label in the US, or (as I learned this week at work) a Giteki mark in Japan. This gives you some reassurance that the device is unlikely to electrocute you, or suddenly explode, as it follows some safety standards.
A similar mandatory certification for all internet-connected devices would be imaginable, which would reassure you that your device is unlikely to become part of a botnet that spams or participates in a DDoS. As software security needs to be an ongoing process and effort and not a “one off” (at the time of certification), this would only prevent the most obvious flaws.
Another option would be manufacturer liability, which would also give an incentive for continuous updating.
These are regulatory options. Consumers taking security into consideration when selecting their devices would be a “cultural” one. The incentives for that are not very strong though – the individual consumer does not bear the costs – so I think it’s unrealistic to expect anything much in that direction.