I cannot wait for some type of top-down pressure to force IoT developers to take security seriously. The movement has been pushed into overdrive thanks to insane levels of competition where you either crush your R&D into the smallest breakneck period or you live to see your creation being sold for half of what your budget can allow by other firms lifting your efforts while you're still at the workbench.[1] I've been getting cozy with Shenzhen-based hardware accelerators for the past year as part of a personal side-venture and I have not seen a group so pressured to deliver a product as fast as possible with security being a casual afterthought. To get a decent taste of what it's like, I wholeheartedly recommend WIRED's Future Cities documentary on Shenzhen and the companies that dwell there.[2] Their struggles for ephemeral market-share are endemic to the entire community that's taken over embedded hardware for the past few years. The saddest aspect of it all is that this market competition isn't benefiting the consumer. IoT devices are coming out of the factories poorly engineered, badly maintained for far too short of a time, and as we've learned from this attack, being used as vectors for network intrusion and distributed censorship. Even Arduino founder Massimo Banzi's widely-lauded IoT Manifesto[3] fails to approach any comprehensive statement regarding a dev's responsibility to build in some level of security to their devices. It just isn't part of the fast-and-loose culture that has been bred by trend-setting companies with unlimited budgets making bad decisions from the very start.[4] In addition, the if-you-can't-beat-'em-join-'em attitude the West has taken towards churning out hardware devices as fast as they can before jumping to the next IoT piece of junk before the ripoffs can hurt them is really disappointing, as it prevents any considerable effort from going into a device pre- and post-release.
All in all, the IoT community is not going to change their priorities unless someone very powerful forces them to, and it can't happen soon enough.

[1] http://qz.com/771727/chinas-factories-in-shenzhen-can-copy-p...
[2] https://www.youtube.com/watch?v=SGJ5cZnoodY (This is over an hour long but very worth it)
[3] https://create.arduino.cc/iot/manifesto/
[4] https://techcrunch.com/2014/01/06/nest-4-0-firmware-battery-... & again in 2016 http://www.nytimes.com/2016/01/14/fashion/nest-thermostat-gl... I'm not going to even touch the Dropcam and IoT smoke detector.
I hate this phrase. It's not like a bunch of people gathered and said "let's make shitty IoT stuff!". It's not a "community", there aren't groups around advocating against security best practices.
If anything the actual community around IoT stuff takes security more seriously than most HNers.
The problem is the companies and manufacturers that aren't part of the community.
And I take issue with your [4]. That has nothing to do with security. It was a glitch, and it happened, and I personally don't like Nest as a company very much and think they make pretty shitty products, but they take security seriously, and in a discussion about IoT security linking a non-security related software bug serves no purpose. Everything has bugs, that doesn't mean it's absolute shit when something goes wrong.
Your [3] is also incorrect. The Arduino IoT Manifesto's second point is that a dev should make sure their product can be updated, and even if it's abandoned it should be able to be repurposed in something else, or updated by someone else.