what is “plan b” for iot security?

Posted on 16 November 2017 By antipaucity 4 Comments on what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices - IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good ... right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re up-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

Comments (4) on “what is “plan b” for iot security?”

  1. Eric Hydrick says:
    16 November 2017 at 12:23

    It wouldn’t hurt to design these devices to be easily-installable and easily-replaceable. Given that there is an inevitable end-of-life, the “thing” is going to need to be replaced to maintain security. This also requires creating a culture of regularly upgrading these devices, but designing these products to be replaced from the beginning would be the first step in that process. Then the device could warn you that it’s approaching end-of-life, and needs to be replaced or else it’s at risk of being hacked.

  2. Warren says:
    16 November 2017 at 02:14

    That’d be a clever “buy a new one of me” thing – but it’d need to be disableable/ignorable (after all, even if Ecobee goes out of business, the thermostat will still work)

    It could also backfire into a “I’m about to die, get a new one” turning into “buy a competitor’s device”

  3. Eric Hydrick says:
    16 November 2017 at 03:00

    The thermostat may work, but it’s not getting security updates (as you mentioned in your post). I’m assuming if the company is still in business they’ll have made new products by the end-of-life period that would be tempting upgrades. They could also offer to port settings/configurations/preferences over to the new device if you stay “on-brand”. For example, if I replace my 2017 Ecobee thermostat with a 2020 Ecobee thermostat, it’ll migrate over my temperature preferences and save me having to set up and train the new thermostat, vs. me having to train a new Nest thermostat from scratch.

    I’m focusing purely on security here, and not on general business practices, although Schneier is correct in pointing out how those 2 conflict (and why security loses). However, having a regular replacement culture for these devices might create the business incentive needed to have *some* security support (since it’s not a lifetime commitment at this point).

  4. Warren says:
    16 November 2017 at 03:11

    Part also of why security loses is that it’s not thought about early / first.
    And the rational business decision, though not necessarily the best from the customer point of view, is to have the lowest cost widget to sell – even when corners are cut (like security).
