Posted by Martin Zinaich on April 16, 2017.
Soon coming to the Internet of Things (IoT) is the Injunction of Technology (IoT). In another post I noted that my WiFi router's power brick had a UL certification, yet the WiFi router itself carried nothing similar stating it was safe to use on the Internet, and nothing to ensure it would not harm others' use of the Internet. Indeed, a number of web cams and DVRs were recently used to take out a portion of the Internet in a Distributed Denial of Service (DDoS) attack.
I have had this debate before, arguing for professionalizing the Information Security profession, which might inculcate Information Security into businesses in such a way as to make products and services more secure. I also predicted that if this did not happen, Information Security would soon be pushed down from Government by way of regulation. This is much less optimal than being pushed laterally by the profession. I also prophesied that the former would happen shortly after a major outage caused by the lack of secure controls.
Is it a coincidence that shortly after that Internet takedown we see a new bill proposed in California? California SB 327 Information privacy: connected devices – notes the following requirement:
…require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device
It also goes further to include privacy concerns. On this front, I am sure the released version of Windows 10 will actually violate said bill. Therefore, I expect major pushback and large donations going toward funding detractors:
and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information
You may question how difficult it would be to enforce such a law and how to properly define a violation. It will be even harder when the law comes from a non-technical Government megalith. Yet some basic violations of due care are easy to highlight. Let me give a simple example.
Most WiFi routers come with a default login (some with a blank password). That account is the same for all models manufactured by a company. As such, large compilations of device/credential pairs are available. A good example is http://www.routerpasswords.com/: simply pick the vendor and get a list of models and logins.
How many home users know enough to change the default administrator password? Should the device not force a password reset upon installation (some do; most do not)? If you manufacture a ton of Internet devices, contributing to the Internet of Things (IoT), and you default all your devices to the same administrator login and make that administrative console available on the Internet, you just might be an Idiot of Technology (IoT).
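As an added illustration (not code from the original post or from any vendor), here is a sketch in Python of the first-boot behaviour the paragraph above calls for: the factory default credential works exactly once, and only to set a new password, and the admin console cannot be exposed to the WAN while that default is still live. The router model, its default credential, and the minimum password length are constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed factory default for a hypothetical router model (an assumption
# for this example; real per-model defaults are what sites like
# routerpasswords.com catalogue).
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12  # assumed policy for this example


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked config backup does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Router:
    salt: bytes
    pw_hash: bytes
    must_change: bool = True   # set at the factory; cleared by the first owner
    wan_admin: bool = False    # is the admin console reachable from the Internet?

    @classmethod
    def factory_reset(cls) -> "Router":
        salt = secrets.token_bytes(16)
        return cls(salt, _kdf(FACTORY_DEFAULT_PASSWORD, salt))

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self.salt), self.pw_hash)

    def login(self, user: str, password: str, via_wan: bool = False) -> str:
        if via_wan and not self.wan_admin:
            return "denied"                    # console is LAN-only by default
        if user != FACTORY_DEFAULT_USER or not self._verify(password):
            return "denied"
        if self.must_change:
            return "password_change_required"  # the only action allowed now
        return "ok"

    def set_password(self, new_password: str) -> bool:
        # Reject the factory default and anything shorter than the policy minimum.
        if len(new_password) < MIN_PASSWORD_LEN or new_password == FACTORY_DEFAULT_PASSWORD:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(new_password, self.salt)
        self.must_change = False
        return True

    def enable_wan_admin(self) -> bool:
        # Refuse to expose the console while the factory credential is still live.
        if self.must_change:
            return False
        self.wan_admin = True
        return True
```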
Imagine that a company could be smart enough to manufacture a WiFi router, web camera, or security DVR and the advanced technology that goes inside, yet be so obtuse about even basic Information Security practices. This goes a long way toward demonstrating the lack of InfoSec business integration. Therefore, I continue to predict that just as PCI-DSS awoke businesses to the need for an Information Security Office, legislation will soon continue the – apparently required – heavy-handed approach.