FBI dumps on IoT security
PSA: Get Internet of Things things away from the Internet or bad things will happen
The FBI has decided that your Things are too risky to be allowed anywhere on the Internet.
Curiously, given that the Internet of Things is backed by some of the largest tech vendors in the world, the Bureau has also decided that responsibility for security – and for understanding the capability of hardware and software – should rest with the technological equivalent of Homer Simpson.
The FBI's public service announcement, published on September 10, puts nearly all of the consumer protection responsibility on consumers.
Specific threats the FBI names in Internet of Things devices would be familiar to readers of The Register: UPnP vulnerabilities, unchanged default passwords, denial-of-service attacks, as well as using controllers to cause "physical harm" or to interfere with business transactions.
Everything from closed-circuit TVs to Wi-Fi, thermostats, garage doors, TVs, and home healthcare gets name-checked as insecure.
Leading its advice to avoid such incidents is a suggestion that will surely be anathema to IoT vendors, since the FBI reckons the last thing Internet of Things things need is the Internet: "Isolate IoT devices on their own protected networks," the public service announcement says.
Naturally, UPnP should be disabled, particularly on routers, and patches should be kept up-to-date.
For some reason, the feds think householders are going to be competent to "be aware of the capabilities of the devices and appliances installed in their homes and businesses," but the advice to change default passwords is sensible.
The FBI is also concerned about medical device security – although, again, it flicks responsibility back to the patient instead of telling the industry to fix its persistently lax practices. ®