Everyone in the industry knows IoT security is a mess. The industry has proven incapable of coping with cybersecurity problems because the commoditization of technology leaves no room for any cost deemed unnecessary, and security is routinely treated as one of those costs.
I have previously argued for a world cybersecurity organization. The safety of connected devices that rapidly become an ingrained part of everyone's life cannot be left to consumers or producers. Nor should it be left to individual, politically driven governments to regulate, because technology does not respect physical borders.
Luckily, the U.S. is stepping up. In addition to several pending initiatives and bills aimed at regulating IoT and making it less of a mess, a settlement between the Federal Trade Commission (FTC) and the well-known home router vendor D-Link is one of the clearest cases so far of the U.S. government compelling a hardware vendor to adhere to stricter security standards. Per the settlement, D-Link must:
- Implement security planning, threat modeling and testing for vulnerabilities before releasing products.
- Continuously monitor and address security flaws.
- Provide automatic firmware updates.
- Accept vulnerability reports from security researchers.
- For 10 years obtain biennial, independent and third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the commission upon request.
- Give the FTC authority to approve the third-party assessor D-Link chooses.
At face value, the settlement looks likely to improve end-user security. It lacks certain basic measures, such as a ban on hard-coded passwords and requirements for encrypting stored credentials and traffic, but it is a significant step in the right direction.
Home router criticality and the industry's ignorance
The U.S. government probably filed the complaint against D-Link because it realized the pivotal role a router plays in everybody's home. By compromising the router, adversaries get control of the aorta of the connected household: every device behind it sends its traffic through the router, so an attacker who owns it can intercept or redirect that traffic, tamper with DNS answers and reach devices on the LAN that were never meant to be exposed to the internet.
However, D-Link is not the only vendor that needs to step up its security measures. Linksys, Belkin, Netgear and other well-known home router makers suffer just as much from what looks like an industry-wide syndrome. Search any of these names together with "vulnerability" to see the dire state of the industry.
The IoT Cybersecurity Improvement Act of 2019 seeks to force private industry to adhere to baseline security by barring vendors that do not from selling to the federal government. If it passes, it should push the home router industry to step up as well.
What is next?
Given the importance of home routers, it makes sense for the government to start here. Hopefully this settlement sets a precedent for other industries to follow.
Citizens should not have to experience collateral damage before governments impose basic security hygiene. Similar settlements in other industries could push IoT vendors to act while we wait for the IoT Cybersecurity Improvement Act, guidance from the National Institute of Standards and Technology and similar corrective measures.
With D-Link's production centers in Taiwan and China, the regulatory action could look like a move in a trade war, but the charges were filed in January 2017. Hopefully it serves the U.S. well that one of the worst-in-class players happens to be a foreign company.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.