Agree. While I love Rust and think it (should) replace C for web servers and the like, the majority of the issues with IoT devices are just basic security oversights and design errors. You raise some very good points:

1. Secure by default should be mandatory. MS learned that one the hard way.
2. Consumer protection laws would certainly get device builders' attention. I think that is required. But I doubt the current administration is inclined to enact such laws.

It is a shame that devices are certified by UL and FCC, but there is no security certification or even a basic audit that would catch: security backdoors, default / blank passwords, auth over HTTP, basic XSS and CSRF vulnerabilities, etc.

The bad news is that we don't know how to design a device with Linux and internet services that will be secure without updates for 5-10 years. So we either insist on updating... or we keep some of the darn devices off the internet. At a minimum, we should insist on having devices that don't listen on ports just waiting to be hacked. Devices should only connect out.