US think-tank wants IoT device design regulated, because security

Washington DC think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices.

Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood.

The pair say the risk that regulation could stifle market-making IoT innovation (like the WiFi cheater-detection mattress) is outweighed by the need to stop feeding Shodan.

"National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices, but regulation development faces the challenge of … security-by-design without stifling innovation, and remaining actionable, implementable and binding," Scott and Spaniel say.

"Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy.

"Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates."

State level regulation would be "disastrous" to markets and consumers alike.

The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets.

The authors also join the ranks of those pointing at China, warning that foreign-developed IoT devices are a risk to US infrastructure suggesting that in the "long-term" the Mirai malware could be used by Beijing-backed hackers.

"Nation-state activity may be the serious long-term threat of IoT malware because nearly every one of the predicted 50 billion IoT devices in active use by 2020 will have been developed and manufactured by enemy nation states," they say.

Scott and Spaniel go on to say developing software backdoors for law enforcement is a bad idea since the same mechanisms could be exploited by criminals, placing consumers at risk.

Internet-of-things vulnerabilities are unlikely to disappear anytime soon; even cashed-up enterprise vendors lack incentive to push out sufficiently secure products and are subject to an ongoing array of critical remote code execution vulnerabilities. Small cost-sensitive internet-of-things developer teams have little incentive to invest in rigorous security testing.

Some penetration testers have gone further satirically arguing that a vendor's state of software security is inverse to its use occurrences of the term 'enterprise'. ®