Friday, 15 June 2018

Consumers should be able to reject IoT products as not secure with these simple checks

There is a lot of support to get poorly secured products off the market. The recent research by Andrew Tierney on the TappLock is just another demonstration of some of the rubbish that is allowed to be sold. I was pleased to see that it had been de-listed by Amazon.



We still have some way to go - the public feedback on the UK government's IoT security Code of Practice is being reviewed right now, then it's onto next steps following the publication. My own personal feeling is that this is not about creating lots of new things in terms of security - much of what needs to be done is already written down and we know what good looks like. What it is a lot about is adoption and enforcement. How we check that runs us down the rabbit hole of how to do compliance (cf. the upcoming EU Cyber Security Act). I would prefer that we take the low-hanging fruit for now in order to improve things significantly and really quickly. The top three of the UK's Code of Practice are easily testable. If you don't have these as a vendor you're going to be in serious trouble anyway, the rest almost don't matter at that point.

How a consumer can check a product hasn't been designed with security in mind

The good thing about this is that even a consumer could check those things - if any of these three things are missing, my view is don't buy the product:

1) Does it have a default password? (I don't want it).
2) Can people report security vulnerabilities to the manufacturer? (check website - no? I don't want it).
3) Can I update the software and for a period that I know about? (No - I don't want it).

I've described these things before as insecurity canaries - if the vendor is not adhering to some basic things that anyone can check, what does the rest of the product look like under the bonnet?

If you go to the /security page of Tapplock's website you get a "coming soon" screen (yes I know, I thought that somewhat amusing too). So this already means I can't easily report security vulnerabilities to them. To be fair, there is a lot of good practice out there that just needs adopting. There is an window of opportunity for IoT vendors and service providers to get it right before governments start bringing out the big stick. At the moment consumers are being defended by a small band of concerned security researchers who are demonstrating just how poorly secured some of these products really are.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.