Shared a TechCrunch story recently in a G+ group I’m in on Volvo debuting a new service to upload live traffic data from its vehicles to be sent to other Volvos so they can avoid problem areas.
Or…a self-built and -hosted Waze.
You may recall that I wrote some about these kinds of things starting back in 2010.
Why, exactly, Volvo thinks it not only should do this, but expects its customers to want the manufacturer to be doing this is something I don’t understand right now.
Sure, it’s an interesting technical challenge – but it’s not exactly novel…except in the sense of the vehicle doing this for you instead of you doing it via some mobile app or other.
If this is something drivers must opt-in to use, that’s OK. If you can opt-out, it’s OK, too.
But if it’s not optional – this is a major privacy concern: one I’m sure many people would do without even stopping to take a breath, but a major privacy concern nonetheless.
Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B?
We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.
We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.
There are loads of great comments on the post.
Here’s the start of some of my thoughts:
There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.
Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.
We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).
A few things which would be good:
- safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
- well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
- related to the above, notifications from the device as it nears end of support
- notifications from the device as well as the vendor that updates/patches are available
- liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
- here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
- patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
- patches / updates for 3 years ||
- patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
- patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re yp-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc
There are probably other things which need to be considered.
But there’s my start.