IoT Cybersecurity: What's Plan B?

In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn’t regulate the IoT market. It doesn’t single out any industries for particular attention, or force any companies to do anything. It doesn’t even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

What the bill does do is leverage the government’s buying power to nudge the market: any IoT product that the government buys must meet minimum security standards. It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner; don’t have unchangeable default passwords; and are free from known vulnerabilities. It’s about as low a security bar as you can set, and that it will considerably improve security speaks volumes about the current state of IoT security. (Full disclosure: I helped draft some of the bill’s security requirements.)
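The requirement that devices be "patched in an authenticated and timely manner" is easy to state and easy to get wrong. As an added illustration (not code from the bill or from any vendor), the following Python sketches the device-side check a firmware updater needs before it applies an image: the manifest describing the update must authenticate, the version must be newer than what is installed (so an attacker cannot "update" a device back to a vulnerable release), and the image must match the hash the authenticated manifest vouches for. The key, manifest format and image bytes are all constructed for the example; a production design would replace the shared-secret HMAC with an asymmetric signature so that the device only ever holds a public key.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption for the example only: a real device would
# hold a vendor public key in protected storage and verify a signature instead.
DEMO_KEY = b"demo-vendor-key-not-for-production"


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so vendor and device tag exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: bind a version number to the SHA-256 of the image and tag it."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(key: bytes, installed_version: int, manifest: dict, image: bytes):
    """Device side. Returns (accepted, reason); any failed check rejects the update."""
    body = manifest.get("body")
    tag = manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed manifest"

    # 1. Authenticate the manifest before trusting anything inside it.
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False, "manifest authentication failed"

    # 2. Refuse rollback/replay: an old but genuinely signed image is still an attack.
    version = body.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback or replay: version %r is not newer than %d" % (
            version, installed_version)

    # 3. Only now check the image itself against the authenticated hash.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body.get("sha256", "")):
        return False, "image hash does not match authenticated manifest"

    return True, "ok"


if __name__ == "__main__":
    image_v2 = b"firmware image v2 (constructed bytes)"
    manifest = sign_manifest(DEMO_KEY, 2, image_v2)
    print(verify_update(DEMO_KEY, 1, manifest, image_v2))          # accepted
    print(verify_update(DEMO_KEY, 2, manifest, image_v2))          # replay of current version
    print(verify_update(DEMO_KEY, 1, manifest, b"tampered image"))  # hash mismatch
```

The order of the checks matters: the hash and version fields are only meaningful once the manifest has authenticated, and the version comparison must come from that authenticated manifest rather than from a header inside the image, which an attacker controls.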

The bill would also modify the Computer Fraud and Abuse and the Digital Millennium Copyright Acts to allow security researchers to study the security of IoT devices purchased by the government. It’s a far narrower exemption than our industry needs. But it’s a good first step, which is probably the best thing you can say about this legislation.

However, it’s unlikely this first step will even be taken. I am writing this column in August, and have no doubt that the bill will have gone nowhere by the time you read it in October or later. If hearings are held, they won’t matter. The bill won’t have been voted on by any committee, and it won’t be on any legislative calendar. The odds of this bill becoming law are zero. And that’s not just because of current politics—I’d be equally pessimistic under the Obama administration.

But the situation is critical. The Internet is dangerous—and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

Markets, as we’ve repeatedly learned over the past century, are terrible mechanisms for improving the safety of products and services. It was true for automobile, food, restaurant, airplane, fire, and financial-instrument safety. The reasons are complicated, but basically, sellers don’t compete on safety features because buyers can’t efficiently differentiate products based on safety considerations. The race-to-the-bottom mechanism that markets use to minimize prices also minimizes quality. Without government intervention, the IoT remains dangerously insecure.

The US government has no appetite for intervention, so we won’t see serious safety and security regulations, a new federal agency, or better liability laws. We might have a better chance in the EU. Depending on how the General Data Protection Regulation on data privacy pans out, the EU might pass a similar security law in 5 years. No other country has a large enough market share to make a difference.

Sometimes we can opt out of the IoT, but that option is becoming increasingly rare. Last year, I tried and failed to purchase a new car without an Internet connection. In a few years, it’s going to be nearly impossible to not be multiply connected to the IoT. And our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else’s cars, cameras, routers, drones, and so on.

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety—and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

This essay previously appeared in the September/October issue of IEEE Security & Privacy.

Posted on October 18, 2017 at 9:58 AM • 73 Comments


Nicholas Weininger October 18, 2017 10:29 AM

You tried and failed to purchase a new car without an Internet connection? That’d make an interesting followup post– I know lots of cars nowadays have connections as part of their infotainment and/or navigation systems, but it’s surprising and nonobvious to a casual consumer that e.g. the low-end models without nav systems still have connections, and it’d be useful to understand why.

David Rudling October 18, 2017 10:32 AM

How about product liability legislation?
Unlimited liability for the flesh and blood damage, instead of just bits and bytes damage, won’t prevent any of the impending disasters but was ultimately effective in causing the markets to address automobile, food, restaurant, airplane, fire, and financial-instrument safety. Yes it is a terrible mechanism but it wasn’t in place before those other disasters. What if the judiciary takes the view that it should be considered to be in place now in light of those other precedents?

tz October 18, 2017 10:57 AM

You’d have to leverage the craze for the self-driving cars.
Since they are IoT, and MUST have a good connection – they can’t get anywhere without downloading a detailed “map”, and would otherwise be dangerous, they should be secure. Think Tesla – most autopilot crashes are “driver error” but if they are hacked?

Also, the truck I got last year has no internet connection.
One problem is the very “safety” regulations you advocate.
They must have back-up cameras, so they have to have screens, so already have most of the electronics. With thin margins, OnStar like things make you the product even if you bought the car. And everyone seems to want a videogame console in the dash, i.e. entertainment center with touchscreen and lots of buttons that pairs with your phone, tablet, or laptop. And navigation. But if you want navigation, it either needs to update the map via the disappearing CD or online. And it is simpler to build one version of electronics and use jumpers to turn things on.
I got a simple radio (only bluetooth and MP3-cd beyond regular AM/FM)

Try finding a smartphone that lets you delete features. I have a feature phone and an LTE hotspot.

Johnny B October 18, 2017 10:59 AM

Some companies approach this issue through technology, one example of this being the F-Secure Sense router. Their marketing blurb (from here: says:

Easily secure every connected thing in your home using one device, now and in the future. F-Secure SENSE is the combination of a security router, an advanced security app and industry-leading cloud protection.

Anthony Herman October 18, 2017 11:03 AM

A single program that comprises two incentives.

1. Tax breaks for companies that address security concerns in a timely manner.

2. Some kind of seal that can be placed on product packages / websites to show compliance with this initiative and act as the interface with the public. For instance, this could be called the ‘fast security responder’ program or something mundane, and companies that are found to be compliant can affix the ‘fast security responder’ seal to their products. I think customers are ready for something like this.

Companies would benefit from the tax incentives and recognition for being a ‘fast security responder.’ Customers would benefit from feeling better about the long-term security of their purchases.

It needs to be as simple as possible at first to enable the industry that will spring up around compliance of these initiatives to flourish. Obviously this is still a lot of work, dedicating long term resources to embedded is as we know, a PITA.

Art October 18, 2017 11:11 AM

Markets have not failed at self-regulating. This claim is impossible on its face because we don’t have a free market in America. The US, from the 20th century to now, has one of the most overbearing bureaucratic regulatory states in world history (outside of some expressly communist or fascist countries). Even modern China has a more free market than modern America.

The FAA has failed us on airlines:

The FDA has failed us on food:

The Federal Reserve and Treasury have failed us on banks:

The good thing is that engineers, developers and programmers can help fix the IoT problem by leading the way regardless of what public policies are in place. There’s more opportunity than ever before to break away from the old corporate paradigm, strike out on your own, develop a world-changing product and sell it all over the world. Technology and innovation (Blockchain being one notable example) will make public policy obsolete.

It won’t be easy. There’s no magical answer. But it ultimately comes down to entrepreneurs to innovate, create, and solve these problems. To the extent bureaucrats get involved, they’ll only slow down and suppress that process.

Michaela Merz October 18, 2017 11:11 AM

Does anybody believe Governments are good when it comes to IT security? It is a matter of fact that we have surrendered our data and our digital “self” to convenience and complacency. Home automation and IoT is simply a nightmare, the requirement for units to use “proxies” to be able to pierce through NAT is a monstrous headache simply because consumers don’t know (or care) where their sensors, power sockets, switches or thermostats connect to .. and what’s inside those little gadgets. Those cheapo units .. mostly built somewhere in Asia, sit directly in our protected networks – and we have not the slightest idea if they are probing our LAN/WAN, if they are capturing packets, if they “just” spy on our daily routine. Add the fact that those IoT or home automation units are often connected/linked to several different, mostly unknown and usually unverified providers and it should be clear that you can NEVER trust them. And most people couldn’t care less. There’s no way to be certain that your Alexa connected light switch will never become a play ground for malicious entities. One can and should however isolate the LAN/WAN containing those devices. I just did it and it’s not overly complicated.

As usual, YMMV.


Starous October 18, 2017 11:26 AM

What about a voluntary certification of the IoT devices done by some association? In the EU you might have some stickers on food claiming that it comes from some region or is a product of bio farming. For me security is similar to bio farming: you should prove some process was followed and that you don’t use pesticides or chemicals – rotten libraries.

ChrisB October 18, 2017 11:29 AM

Absent something like Brickerbot (possibly backed by ‘active defence‘ laws) how about:

  • Actively support ISP’s (cheerleading, etc) in charging per-connected-device. Think the iPhone and Apple Watch Series 3 (carriers charge extra for the cellular connectivity in the watch.) This doesn’t help security, but may help slow down the rate of deployment.

  • Apply a tax to devices based on networking chipsets/ports. The faster the communication speed, the higher the charge. Doesn’t need to be a large amount; just enough to provide an incentive for those same race-to-the-bottom manufacturers to only spec ‘fast enough’.

  • Strengthen existing data protection legislation such that all data held on a person, devices, relationships, etc must be provided in both printed and machine-readable electronic formats upon request – hardly any company will admit to holding the kinds of data they do. Sunlight is the best disinfectant etc. May help reduce the types and amount of data that can be stolen.

MikeA October 18, 2017 11:39 AM

While I agree that “the market” is unlikely to magically fix this on its own, I am less sanguine about the power of regulation. From shoddy construction work getting a pass from friendly building inspectors, to burglars getting tip-offs from friendly police, to smog-stations who will certify compliance for a slight fee increase, to “audited standards” such as ISO9000 and ISO14000 where you can certify the “quality” of a concrete life-preserver but need to document the destruction of uncertified hand sanitizer, … The major “benefit” of most regulation seems to be a healthy industry of auditors (Enron, anyone?)

Not that internal standards at many large corporations are that much better, but I can change jobs, or vendors, more easily than citizenship.

Wael October 18, 2017 11:45 AM

@Dane Cook,

Just write a virus that closes vulnerabilities.

It’s been done and gone. Search for “HP Active Countermeasures”, around 2004.

marc October 18, 2017 12:58 PM

I wonder if you have ever considered that there are numerous safety features in automobile, food, restaurant, airplane, fire, and financial-instruments that are not required by regulations? Did fed bureaucrats come up with the idea for airbags? Did they require them when private companies innovated and started using them? Regulators can only require what MOST people can afford. Compare the safety features of a Mercedes to an entry-level Hyundai that meets all the regulation. The Mercedes is much safer – can you, with your simplistic government-saves-us understanding, explain why that is?

Fred P October 18, 2017 1:12 PM

Personally, I’ve been impressed at the speed of change in the Medical industry in response to and

Less than 5 years ago, I was arguing that we shouldn’t have passwords stored in the clear. Less than a week ago, I was discussing what we wanted penetration tests on to verify some of our security requirements.

I think that regulation could work well in a number of other industries.

D-503 October 18, 2017 1:29 PM

Are you kidding?
For decades the auto industry fought tooth and nail against basic safety features. How much, relative to the total price of a car, does a seat belt cost?*
Voted one of the “Most Harmful Books of the 19th and 20th Centuries” Heheheh…
The beauty of the “free market” is that CEOs can impose their batty ideas on the public.
The auto industry is still fighting against fuel efficiency standards.

*Hint: With Mercedes, you’re paying for the brand name, not the safety features.

John October 18, 2017 1:32 PM

Interestingly the four Dutch political parties to form the new coalition government have presented plans which include a number of cyber security matters, including security standards on IoT and a possible ban on appliances not conforming to the standard, or manufacturers to be held liable for any damages caused by a breach. There are no details yet on new laws:

Fred P October 18, 2017 1:39 PM

@Dane Cook-

To put it simply, patching code to both fix a security problem and not break something else can be difficult given the sources, the hardware, dedicated test hardware, the person who wrote the code, the designer who designed the code, the architect of the project, full documentation of the product, a test suite with the personnel to run it, and an efficient way to update/upgrade the code. Even with these advantages, you’ll sometimes break things, and sometimes what you break is more important than the patches you fixed.

If one were hypothetically writing a virus to “fix security issues”, you’d be doing it without most or all of the previous advantages. It will take you longer to implement, your implementation is less likely to work, and you will break things, even if accidentally. Some of the things you break will be worse than the problem you were “solving”. My understanding is that it would also be illegal, at least in the vast majority of jurisdictions.

marc October 18, 2017 1:48 PM


because their customers could not afford the airbags, ANY CUSTOMER THAT WANTED TO PAY FOR AIR BAGS HAD AIRBAGS. Do you think side curtain airbags make you safer? I do. Does the government require them? Nope, too costly, even they know that. Look at any safety regulation, it is not adopted till the great majority can afford it. By that time, like airbags, they already have it.

You are safe because you are wealthy and live in a wealthy country – there is no other reason.

Contra your shared simplistic thinking, all the building codes in the world would not have reduced the death toll in Haiti. No one could have afforded to follow them. They would have lived in the same shanties.

Milo M. October 18, 2017 1:54 PM

On connected cars, some initiatives, though largely generalities and hand-wringing so far . . .

National Highway Traffic Safety Administration page on cybersecurity:

“NHTSA Report to Congress: Electronic Systems Performance in Passenger Motor Vehicles”,
December 2015:

House subcommittee hearing on “The Internet of Cars” two years ago:

Transcript at the bottom of the page:

Automotive Information Sharing and Analysis Center (Auto-ISAC):

Department of Transportation primer on connected vehicles (also available as PDF):

Society of Automotive Engineers (SAE) cybersecurity hub:

SAE library for $1,299, with a two week free trial offer:

SAE has released one relevant standard, with more in the works:

Many of the SAE publications require a subscription or purchase, though there are some free items.

News article linked by SAE quoting one of the noted Jeep hackers:

“Toasters will probably never be secure but hopefully, important things like pacemakers and cars will be,”

The word “hopefully” is a bit unsettling.

Jim October 18, 2017 2:10 PM

I wonder: is the internet connection in a car entirely in the entertainment system? Could I purchase a car with no entertainment system? Or could I remove the entertainment system after purchasing the car? Would either of these steps result in an un-connected car? Also, would the car be able to function without the entertainment system installed?

Hans Holmer October 18, 2017 2:35 PM

Although I agree that waiting for US legislators to make any part of the internet more secure is a fool’s errand, it nonetheless seems to me that the Plan B should be financial rather than technical. If organizations that cause consumers to suffer a confidentiality, integrity or availability failure were forced to pay each consumer a sum of money proportionate to the amount of time from the beginning of the breach until it was patched and consumers notified, then they might have an incentive to demand security from the entire supply chain.

For example, if Equifax (pick one) knew that a breach would cost them $1 per day per person whose data was lost, they would both have an incentive to demand better security from vendors and to do more to protect or destroy data that was not profitable. On internet scales, $ 1 per victim per day quickly turns into real money, particularly since it is rare that companies discover the breach themselves. $ 1 per day would also help many Americans for whom that is real money. It might have to be accompanied by regulations forcing the USG to monitor disclosure if they alerted the breached company and also punish other corporations for colluding in concealing breaches, similarly at the $1 per victim per day. I won’t be holding my breath.

aboniks October 18, 2017 2:43 PM

Plan B for individuals is to learn to distinguish between necessity and luxury, and then act on that knowledge to eschew luxuries that produce unacceptable insecurity.

There is no wider plan B for capitalist societies. As long as humans can don a corporate mantle to claim limited liability from the results of their choices and actions, functional security will continue to be deprecated in favor of “privacy”, which in practice is little more than clickbait.

Kate October 18, 2017 2:55 PM

Although this doesn’t directly address the issue you bring up in this article, what about legislation that mandates that any IoT “thing” must have a way to be disconnected from the Internet, and still work and not void the warranty?

JG4 October 18, 2017 4:15 PM

on the old blue marble of endless conflicts of interests, there are occasional market failures. I posted one of them this morning to the squid thread relating to DuPont’s decision to poison thousands of people with “C8”

airbags are a good idea, but they don’t always work as intended.

you could say the same thing about IoT. with the right safeguards, it would be a great idea. we are light-years from appropriate safeguards.

the regulations requiring cutback of foliage from powerlines don’t always work as intended, although the robots will make them work considerably better. the shareholders received a large payout as a result of management skimping on brush cutting.

to paraphrase a famous secretary of the treasury, “the carelessness is our currency, but it’s your problem.”

Sancho_P October 18, 2017 5:12 PM

(@David Rudling, Jim, aboniks, Kate, …)

They (gov) are not interested in intervention, as @Bruce wrote, very likely because they know the system is already out of control and any change / serious legislation might initiate the unavoidable collapse.
We depend on exponential growth (in any dimension), and we know it doesn’t bode well to transform to a machine / robot world without knowing what to do with the people and environment.
But they hope this will go on for a couple of years and then AI / quantum / whatever will eventually solve the problem.

So there is no plan B and we don’t need any, because IoT / cybersecurity is not a significant niche problem.
Yes, IoT / cybersecurity may initiate the collapse, but what (who? Dona**?) may not?

No certificates and safety stickers please, it would decrease, but changing all routers would increase speed. Consume!

For cars and IoT / Internet it must be understood that we need that for exponential growth, do not oppose it until you want the collapse NOW.
We need “luxury” (not essentially needed functionality) and there must be no way to disconnect it from the Internet (this would decrease speed, act as antagonist).

So this is the direction we run, even if some (me too) don’t like it:

Anthony Grimm October 18, 2017 5:24 PM

I believe there’s a potential novel legal long-shot in establishing badly secured devices as ‘attractive nuisances.’ Victims of DDoS with solid legal support (such as Akamai or Verisign) could in theory accelerate the matter through our courts. There’s generally no doubt regarding the origin of Layer 7 attacks and all it would take would be two or three precedents against a negligent device owner to start changing the liability landscape. Whether it’s the device owner or the device manufacturer who actually owns the (liability) problem is best determined on a case-by-case basis.

neill October 18, 2017 5:41 PM

laws and oversight will not make IoT safe

WE (users) have to do it. nowadays i see cloud services as a solution, with MSS / CASB etc, where ALL your traffic goes thru a big datacenter, it gets supervised / filtered / blocked automatically. basically the user network has only one big VPN connection into said datacenter. could be made easy to setup even for novices.

of course that comes with more latency, traffic, and cost. but alas users do not have to ‘fiddle’ with their own security nor firewalls anymore.

Clive Robinson October 18, 2017 7:16 PM

@ Bruce,

We need a Plan B, although I’m not sure what that is…

I’m not sure that even if there was a “Plan B” it would be of any use in either the short or long term.

To see why consider this paragraph of yours again,

But the situation is critical. The Internet is dangerous — and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

And ask yourself “Why is ‘the situation is critical’?”. It’s actually an assumption that is based on a false premise of unfettered communications.

If there was no communications then the situation would not be critical. The reason the Internet is dangerous is it’s unfettered nature.

Security vulnerabilities are a given due to the very poor way we develop software. However to turn a vulnerability into an exploit that is worth attacking, the attacker needs unfettered communications.

Thus I propose “Plan D” which I’ve mentioned in various forms before. It stands for “Plan Disconnect” if you remove “unfettered communications” then a vulnerability can not be exploited by an attacker.

More formally we go for “segregation” with the “unfettered communications” replaced with a strongly mandated and instrumented choke point.

Marketing, the SigInt Agencies and the likes of major corporate “PII/data rapers” like Alphabet / Google, Facebook and more recently Microsoft might hate it, but they are all rather besides the point.

Because we can not “fix the Internet” nor are we ever going to “remove all vulnerabilities” the pragmatic solution is “keep them apart” as much as possible if not completely…

I will lay a small wager that at some point in time people will give up on the hype from “security software” vendors and simply put in “security segregation” as standard… Which is “Plan D”.

Wael October 18, 2017 7:17 PM

Comment if you have any ideas.

I may have an idea or two, but let me flush this out of my system first…

We need a Plan B,

I’m not sure if that’s optimism or pessimism. As if we had plan A 🙂

although I’m not sure what that is.

That’s just not gonna cut it, @Bruce! You’ve gotta tell them what Plan B is. Otherwise this will be it!

PS: So the latest iOS update changed the ” character to something else that doesn’t work with <a href “URL”>. Now I have to type things on my laptop. How annoying!

Tom October 18, 2017 8:05 PM

So I think that we need to start thinking of this as a global problem. Sure the United States thinks it is the leader in IoT but all the devices I have worked with have been manufactured in Asia. I mention this because I think the legislation proposed is almost as good as it could have gotten. We style ourselves in the United States as a capitalist market based economy and by and large we are proud when our government takes market based approaches to problems (right or wrong). So by using the bully pulpit of being a huge consumer our government proposes to sway the market by buying more secure devices (notice not secure, just a bit more secure than the market average). This means our government has placed some value on its IoT infrastructure being secure which is the same as recognizing the economic downside of exploitation. Here’s the problem: our government is a mess. It can’t possibly make security decisions about things that are practically disposable. Now if we got all the “western” powers to buy a bit more secure that’s a bigger chunk of consumers and a bit more push but we can also start to see the more global nature of things.

Frankly, I hope every day that I wake up to find that the United States has not become a failed state, though half expecting it has. The party in power has as a more or less explicit goal to tear down the government. Whether by neglect or self sabotage they keep trying and only the inertia of the government keeps things going. Remember the last administration that thought government was a good thing that built roads and steadied markets also struggled to modernize “legacy” IT infrastructure. So regulation by the United States probably wouldn’t be more than a token effort even if this legislation passed.

But accepting that the international market is largely driven by supply and demand, I think this effort is representative of at least one part of the solution. If large consumers (and governments are some of the largest) could be convinced to buy into these minimal security requirements for purchase then I think the demand grows and new suppliers will be able to secure funding and come to market. Of course how will these consumers ensure that the devices they purchase meet the standards they specify?

Underwriters Laboratories (UL) has been one of the most important multinational success stories in product security. However, as far as I know the UL doesn’t test many IoT devices or maybe only tests them for electrical discharge risk. The FCC has traditionally been a force for multinational cooperation or at least a model regulatory body (even as dysfunctional as it is). But the FCC only cares if devices emit interfering EM radiation. I believe the second step is a body that puts a seal of approval on devices. This makes the government regulation on which devices can be purchased easier and it means that manufacturers have an incentive to submit devices for testing. Whether it is multi-government as a UN sponsored body, industry driven as with UL (insurance), industry driven as with ASTM or just one exemplary government regulator that happens to do a good job that other governments feel they can then rely upon, this third party endorser will need to grow into the role.

Third, IoT is sort of the Wild West. Nobody knows what to do with it (the success stories like wild life/livestock monitoring drones aren’t exactly IoT) but everybody wants a piece of it. This means that manufacturers are rushing products to market in the hope that they might corner a portion of the market and thus control the evolution of the market. This might look good if you are a manufacturer but I would argue it is easier to build a device that conforms to a standard. (Constraints can be inspiration) And while I might have to accept competition, behave more ethically and accept a slower return on investment it also means a more stable marketplace which means a longer term in which to realize the return on investment. So I believe standards have a role to play.

Now I remember scoffing at many FIPS standards because while they were implemented in Windows, the underlying architecture was so bad that did it really matter if some feature required by some standard was implemented? And to be blunt, I feel that many FIPS standards were written to favor Microsoft over say OpenBSD. But if you look at what happened when governments established standard weights and measures, when cement testing became standardized, when drug testing became methodical… trade became more equitable, products improved and safety improved despite widespread fraud and cheating.

Fourth what ever happened to defense in depth? Why do we put these things on the public network? Sure IP security cameras are great. I have deployed a few networks of them. But I have known for a decade that the security of the Security cameras was lacking so I try to put the cameras on their own network without a direct link to the internet. I prefer to have a “controller” in a DMZ or some other separation between the cameras and the world. The potential for abuse is too great, no matter how good the camera’s security.

Finally, I feel like I have to point out that IoT has to date largely been a failure. Where has it really made a difference? Why do we as consumers consider an IoT device over a traditional device? They are more expensive, have more that can go wrong, have a high cost of adoption and have shorter expected lifetimes. For the most part they do not make economic sense. Where I have advocated for them are things like card activated doors and IP cameras because the costs are lower. Revoking a card is cheap compared to rekeying a building or campus. IP cameras when PoE Layer 2 switches are already installed and the cameras go in one VLAN separate from everything else means I’m not pulling coax or managing DVRs in every network closet. But a computer controlled car? I’d rather buy a simpler car, because it is cheaper and more reliable. (I like fuel injection but the chip doesn’t have to be connected to the internet to work now does it?) Maybe as consumers we need to do something radical and not buy into the new thing, at least not right away. Certainly, we need to grow into our roles as IoT consumers which will take time but eventually we’ll get there. In the meantime we need to understand we are going to scrap many IoT devices while few will pay back our investment.
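Both Clive Robinson’s “Plan D” (segregation, with unfettered communications replaced by a strongly mandated and instrumented choke point) and Tom’s practice of putting cameras in their own VLAN behind a controller in a DMZ describe the same design. The Python below is an added example, not code from either commenter: it models that choke point as a default-deny allow-list between named segments, logs every decision, and counts denied flows per source so that a camera suddenly trying to reach the internet or probe the LAN stands out. The subnets, port numbers and sample flows are constructed for the example; the one allow-list shown is an assumption about what a camera deployment needs, not a recommendation for any specific product.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed address plan: each segment is its own VLAN/subnet and every
# inter-segment flow must cross the one firewall that plays the choke point.
ZONES = {
    "cameras":    ip_network("10.10.20.0/24"),
    "controller": ip_network("10.10.30.0/24"),   # DMZ holding the NVR/controller
    "lan":        ip_network("10.10.10.0/24"),
}
# Anything outside the named segments is treated as "internet".

# Allow-list of (src zone, dst zone, protocol, dst port). Everything else is denied.
# Assumed policy: only the controller talks to cameras, only the LAN talks to the
# controller, and cameras initiate nothing across the choke point.
ALLOW = {
    ("controller", "cameras", "tcp", 554),     # controller pulls RTSP streams
    ("controller", "cameras", "tcp", 80),      # controller manages cameras
    ("lan", "controller", "tcp", 443),         # users view footage via the controller
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Decide one new flow at the choke point. Returns (verdict, reason)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Caveat of segmentation: traffic inside one segment never reaches the
        # firewall, so lateral movement camera-to-camera is not controlled here.
        return "allow", "same segment; not seen by the choke point"
    key = (src_zone, dst_zone, flow.proto, flow.dport)
    if key in ALLOW:
        return "allow", "%s->%s/%s/%d" % key
    return "deny", "default deny %s->%s/%s/%d" % key


def audit(flows: List[Flow]) -> Tuple[List[str], Dict[str, int]]:
    """Instrumentation: one log line per decision plus denied-flow counts per
    source, the signal a defender watches for on the camera segment."""
    log, denied_by_src = [], Counter()
    for f in flows:
        verdict, reason = evaluate(f)
        log.append("%-5s %s->%s %s/%d (%s)" % (verdict.upper(), f.src, f.dst,
                                               f.proto, f.dport, reason))
        if verdict == "deny":
            denied_by_src[f.src] += 1
    return log, dict(denied_by_src)


# Constructed sample flows, as the firewall would see them.
SAMPLE = [
    Flow("10.10.30.5", "10.10.20.11", "tcp", 554),    # controller pulls a stream
    Flow("10.10.10.42", "10.10.30.5", "tcp", 443),    # user views footage
    Flow("10.10.20.11", "203.0.113.9", "tcp", 443),   # camera phoning home
    Flow("10.10.20.11", "10.10.10.42", "tcp", 445),   # camera probing the LAN
    Flow("198.51.100.7", "10.10.20.11", "tcp", 80),   # inbound from the internet
    Flow("10.10.20.11", "10.10.20.12", "udp", 5353),  # camera to camera, same VLAN
]

if __name__ == "__main__":
    lines, denied = audit(SAMPLE)
    print("\n".join(lines))
    print("denied flows per source:", denied)
```

Two things the run makes visible that the prose alone does not: the camera at 10.10.20.11 accumulates denials as soon as it tries anything beyond answering the controller, which is exactly the kind of counter to alert on, and the camera-to-camera flow is never seen at all, so segmentation limits blast radius between segments but not within one.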

Frances October 18, 2017 9:46 PM

Airbags were required because Americans would not use seat belts and no one would require them to. Three-point seat belts are very effective but a lot of people resist using them for reasons that escape me. However, side air bags are a good idea because seat belts are not effective for collisions from the side. I have experience of this when we were hit from behind when we were at an angle to the colliding car and my head bounced off the side window, luckily not very hard.

Ponder life deeply October 18, 2017 10:08 PM

@Hans Holmer • October 18, 2017 2:35 PM

Great idea. I will say, this creates an incentive to avoid detecting a breach. If you get breached, you don’t want to be linked.

The hacker may name the company when selling the database.

neill October 18, 2017 10:10 PM


In a 1968-ish car magazine I read a story about a guy who was ejected from his car, which then burned out. He said ‘… if I had remained in the car I would be dead now!’

One security technology can help others to follow (like airbags, anti-lock brakes, etc.) once the ‘users’ see that lives are being saved, despite higher costs.

Wael October 19, 2017 12:20 AM

I can’t think of a Plan B. What I can propose is a model of the ecosystem so we get a more accurate reading of the dynamics, dependency trees, etc. Then we can treat it like a problem which needs a solution.

Actors, their goals, concerns, and MO

  1. Population
    • Don’t care about security
    • Most care about cool devices and fashionable items
    • Don’t care to pay extra for “security”
  2. Government Representative Organizations
    • Enforce national security
    • Don’t really care for the population’s safety
    • Desire to use IoT as a data collection channel
  3. Manufacturers
    • Financial profit
    • Staying relevant and keeping up with technological advancements
    • Competition
    • Speed to market, cost, and priorities
    • Lack of other innovative ideas. Buzzwords rule

Then define what our ultimate high-level goal is: to make IoT secure? Create a special Internet for IoT like a darknet, or use a separation-of-domains principle to contain IoT within its own “internet segment” which is not compatible with the “legacy Internet”? Limit IoT to certain APIs that are tested and approved — you know, an industry standard?

I mean whom are we trying to protect from what? Us from IoT, I guess…

The above is neither complete nor accurate. The methodology is what I am proposing. And that too could be completely wrong. The takeaway is: we should think of it (whatever “it” is) methodically and in a structured, well-defined manner. We may either find an optimal path to the solution or find out that there is no solution, and there are such problems. In that case we can fail fast and live happily ever after.

QnJ1Y2U October 19, 2017 3:07 AM


Does the government require [side airbags]? Nope, too costly, even they know that.

Adding side airbags costs about $33 per car.

The US government now requires that cars meet a side-impact occupant protection standard. The standard doesn’t compel a specific technology, it just describes tests that the vehicle has to pass.

Performance standards like that are one of the best ways to ensure products meet requirements that markets treat as externalities (like safety and security). But useful performance standards are tough to create, and as Bruce has noted, we’re not likely to see anything even remotely like that in the IoT market.

James October 19, 2017 3:59 AM

“It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner”

Wouldn’t that have the effect of destroying the Yubikey? Not being able to be “patched” is a security feature, not a flaw.

This sounds like typically well-meaning but poorly worded legislation and will have more ill effects than good.

Wulf October 19, 2017 5:18 AM

@Gunter Königsmann: “If the industry were required to print on every package how long they are going to support this product that would change a lot”

I don’t think so. For problematic products, a company could simply create a subsidiary for selling the product that goes “bankrupt” when they want to stop supporting the product.

Dan H October 19, 2017 6:45 AM

“What’s Plan B?”

Plan B is an operating system designed to work in distributed environments where the set of available resources is different at different points in time. Its 4th edition is implemented as a set of user programs to run on top of Plan 9 from Bell Labs.

Graveyard Legislation, Here We Come October 19, 2017 9:05 AM

Plan B? Well, I hate to say it, but it may be up to the bad guys to make the good guys do the right thing. Hasn’t that always been the way?

Once someone remotely blows up an old politician’s pacemaker or drives their car off the cliff while it’s still moving, that’ll spark some change. Bonus points if their family’s in the car while it happens.

It’s not like they don’t need cars, phones and medical devices. If anything, they need those things more than the common person. I have no idea why the government is being so reckless with what really amounts to their own, selfish lives. I’m honestly puzzled.

Beep Beep October 19, 2017 9:37 AM

Hey Bruce, do you know how viable/possible it would be to have a mechanic physically sever the Internet connection from your car? Then just get essential software upgrades by visiting your dealership in-person rather than get OTA upgrades.

Would your car still work, or do you think your car would disable itself a quarter-mile down the road with some sort of overzealous DRM-based countermeasure? Either way, say goodbye to your warranty if you remove your Internet connection, I’ll bet. Still, I don’t know about you, but I’d prefer to waive my warranty than my safety.

All this said, I wonder if “Internet Removal Services” will become a new industry in the near future, kinda like asbestos removal for the modern age. Getting rid of what people rushed to install everywhere because they only looked at the benefits of it before realizing the consequences were worse.

Anselm October 19, 2017 9:56 AM

Hollywood notwithstanding, cars today very rarely if ever catch fire when they crash. You’re vastly better off strapped into your car seat with a seatbelt than you are being thrown about inside (and maybe, or maybe not, escaping a worse fate by being thrown out) without one.

Marco Schwier October 19, 2017 10:02 AM

I would suggest a two-pronged approach on this. First, make security fixes for products mandatory. The idea in the IoT law above should be working. Second, make the users liable if they do not apply adequate security for their devices. It seems harsh, but on the other hand you also lose insurance if the house is open or the gun is lying around.
I think that one without the other will not work simply because neither producer nor user has any incentive to care for security.

Thursday October 19, 2017 11:34 AM

Economics of security is a factor. Currently, cheap IoT is more a form of modern industrial art than a matured industry. If we take stock of the current state of the market, this is positive, because it means a brighter future ahead as the marketplace matures.

We know IoT’s problem is largely software. Certifying software presents a very challenging problem for the industry, because it’s difficult and costly. If we want better software, we need higher quality input (i.e. better trained programmers). Trying to patch and certify bad software is often futile. We see this all too often in the release-now, patch-later Agile software world.

From the consumer standpoint, I believe the reason UL-style certifications will not work well for IoT is because consumers don’t understand software in their devices like they do electricity to their lamps and toaster ovens. They can easily understand that if they buy a lamp with faulty wiring, it may burn down their house and harm their loved ones, so they buy the ones that are certified by UL or other safety consultants whom they’ve built a trust. They don’t grasp that software can be harmful in the same ways when integrated into what they trust is a ‘safe’ device.

Consumers seem to make IoT purchasing decisions based on features, aesthetics, and price; not necessarily in that order. Safety takes a back seat. Manufacturer loyalty is not yet well established for large swaths of IoT, because we currently have a marketplace flooded by many manufacturers each producing few types of devices. We can expect, though, that as the explosion of IoT device types sees more competition there will be a contraction of manufacturers in the marketplace. Eventually there will be fewer manufacturers producing more types of devices. Fewer manufacturers means larger entities with more at stake than simply getting a device to market first. This is a good thing for IoT security and safety and a significant factor in IoT economies.

me October 19, 2017 12:43 PM

I, too, would be interested in what your requirements and findings were in your connected-car search, Bruce. I don’t know what the market is like in your area, but as far as I have been able to determine, my 2015 Accord (without the nav package) has no 2-way radio device in it…maybe things changed a heck of a lot in a year, or there’s a transceiver in the Accord that I didn’t know about.

Clive Robinson October 19, 2017 2:33 PM

@ Thursday,

Certifying software presents a very challenging problem for the industry, because it’s difficult and costly.

I think the word you might be looking for is “impossible”.

The recent example of the Infineon smart card software being FIPS certified but nevertheless vulnerable to an attack that has been known since the 90’s should be a wake-up call.

Having passed the FIPS 140-2 Level 2[1] and the Common Criteria standards, with NIST managing and overseeing both certifications, you would not expect such a thing to happen. It is after all a known attack from an expert that has been read by many security practitioners.

As I’ve pointed out on the odd occasion, there are both classes and instances of attacks. Thus we can have “Known classes with Known instances”, “Known classes with Unknown instances” and “Unknown classes with Unknown instances”. Only the first of which we can knowingly defend against.

But at the end of the day those unknown classes will become known as new instances of attack become known, and this will in all probability happen some time after a product has been certified…

So nearly all security certified products are destined to fail. Which raises the issues of revocation and recertification on products.

As we appear incapable of managing the revocation of PKcerts the odds of getting it effective on products is probably very close to zero, so will fail…


Wael October 19, 2017 2:40 PM

@Clive Robinson,

Having passed the FIPS 140-2 Level 2[1] and the Common Criteria standards.

It means nothing. A check in the box.

David Rudling October 19, 2017 5:42 PM

I see the bill was referred to the Senate Committee on Homeland Security and Governmental Affairs. Someone at Homeland Security might helpfully point out to Senators that this bill is, for example, to help prevent terrorists being able to assassinate them by taking control of their automobiles. Of course they might have to wait until after the first such incident in order to get an attentive hearing in the Senate.

Drone October 20, 2017 5:25 AM

There is only one way to solve this problem:

Educate the general population to demand privacy and security from the products they buy, and the leaders they elect.

Unfortunately, the Government-run, Union-controlled public education system today has no interest in teaching about the need for public privacy and security. The less privacy an individual has, the easier they are to control. And as for the wholesale dangers we face because of a lack of security – quoting Rahm Emanuel, “Never Let A Good Crisis Go To Waste”.

If public privacy and security was as important as global warming and social justice is to our young people today, we would not be facing such a dangerous future.

Ollie Jones October 20, 2017 7:53 AM

The problem is regulatory inaction at the USA federal level.

A possible solution: regulatory action at the state and local level.

Why is this helpful?

For one thing, it means residents of some jurisdictions can benefit from good regulations even if the USA legislature won’t act. Examples: California clean air regulations, Massachusetts right-to-repair laws, Massachusetts firearms regulations (here in MA we actually had a well-regulated militia at the time the Bill of Rights was adopted).

For another thing, it fragments the market. This is Machiavellian: if various influential jurisdictions (say, New York City and Santa Clara County, CA) adopt conflicting regulations, the manufacturers of regulated products will show up hat-in-hand at the federal level begging for unifying regulations so they don’t have to sell different product variants in different places. The USA legislature often acts when business people ask them to.

Thirdly, state and local jurisdictions can adopt regulations that are harmonized with foreign markets. California and New York can harmonize with Canada, for example, helping their local manufacturers get a broader market for compliant products. Or, they can follow ITU-T and ITU-R international standards to get those broader markets.

ssol October 20, 2017 8:12 AM

Here’s a small data point; I work with someone whose car has cameras on the side view mirrors. The right side stopped working several weeks ago and he could not fix it. But today, when he unpaired his iPhone from the car, the mirror cam started working again.

Thursday October 20, 2017 2:35 PM

@Clive Robinson

“I think the word you might be looking for is “impossible”.”

To clarify, what I mean by a software certification process is quite literally checking the boxes. Software companies aren’t checking the boxes even to minimize attack surface of a device before it leaves the factory. There’s something fundamentally lost in today’s software development that could be improved by checking some basic boxes before companies roll off the production line with a new device. I’m not advocating that certs are the way to go, only that they have their place.

I think anyone would agree FIPS 140-2 Level 2 is a fairly rigorous certification process, but no one should be surprised that vulnerabilities are still in the certified result. Even regressions from a class of known vulnerabilities is no huge surprise when we factor complexity and human error. I assume you mean that certifying that something is ‘secure’ (as in outside of a vacuum) is impossible and I wholeheartedly agree. Should one trust a FIPS 140-2 validated product though over one that comes with no representation at all?


Whether the argument is certification, validation, or rules and regs, there is a call to IoT manufacturers (particularly ones producing >100’s of devices annually) to improve their security process and enforce methods of oversight, be that from public or private regulation or certification. We know consumers are not security conscious and there’s no reason to believe that alone will ever tip the balance toward security in the marketplace. As mentioned previously, though, market changes do have an effect (i.e. consolidation of device manufacturers into larger, generally more trustworthy entities).

A cautionary tale about public regulation is that no matter what is pushed into law today we can be certain that it will not keep pace with technology or attack vectors in the future. The fact that this proposed bill is unlikely to ever see the light is testament to a probability that it is the wrong course of action.

Before everyone thinks I’ve shot down regulatory solutions altogether, I’ll propose one [non-groundbreaking] evil recipe for IoT risk mitigation…

  1. Governments should require IoT manufacturers to obtain tailored Cyber Liability Insurance coverage for each product at levels commensurate with the volume of units produced.
    • Criteria? //this one’s for Clive
      if ($volume_sold > $x_units_per_year &&
      $device_connects_to_internet) {; }
  2. Insurance underwriters should demand independent product-level validation before a product may be channeled/sold at volumes above x-units per year.
  3. Governments should impose tariffs on imported IoT products that do not adhere to above.

Leon October 21, 2017 9:48 AM

What about Terrorism? Disrupting society via IoT attacks will become more and more likely. The military could be your partner in this.

Alasdair Allan October 24, 2017 6:49 PM

Some of us have gotten together to create a consumer-facing “trustmark” for smart devices. Called #iotmark, it’s an attempt to push beyond the EU’s GDPR and look at the entire life cycle of a smart device, from design to manufacture, to final disposal. We hope it could help encourage the industry to make different and more ethical design choices. More at

Gappa October 25, 2017 12:12 AM

Perhaps a lobbying effort to convince vendors to offer non-Internet-connected alternatives would be fruitful? At least let those who want to opt out of this oncoming hell on their personal property have an option.

PeaceHead October 25, 2017 4:38 PM

Although, some still might think this is a bad idea, I feel that eventually it will look more and more appealing. As others have said, developing “vigilante” viruses, worms, and beneware to fix vulnerabilities seems to me to be a good idea.

At least it probably can’t make the situation any worse. You can’t fall when you’re lying down on the floor–type of logic.

It’s kind of like if you see a kid about to wander into oncoming traffic to pick up his/her toy ball. Either you try to prevent the tragedy or you don’t.

If the tools and techniques exist, we should use them. And if they don’t exist, we should try to build them. It might make the internet more like the Amazon jungle, but strike one point in favor of biodiversity.

We need more circumstances to make true security more likely. Automating the process of fixing holes isn’t so abstract when you think about it.

If people won’t comply with protecting themselves and each other from harms which could actually threaten lives and businesses, we might as well start creating digital vigilantes. It makes a lot more sense than self-driving cars!

PeaceHead October 25, 2017 5:01 PM

…one thing to add…

If a “fixer-upper” benevolent-ware virus (I call it a “vigilante virus”) supposedly caused more damage than fixing, that might actually spur people on sites to actively patch up their holes, even if accidentally.

Not all breakages are cataclysmic nor disastrous. It depends upon technical specifics.

Often in practical computing, to make something work better you HAVE to break something. But if what you break is totally undesirable, it’s NOT REALLY A BREAKAGE at all.

If some privacy-invading applet/widget/gadget breaks, that’s hardly a problem.
If some other process/function/API that causes a lot of security problems breaks down, that’s probably not really a true problem either.

You can’t blindly equate “breakage” with “problem”.

In Windows OS systems historically, for example, to optimize such a system for proper digital audio recording/synthesis/composition, users deliberately and systematically disable unneeded and unwanted services, applications, scheduled tasks, and filesystem defaults. From the perspective of the recording engineer and/or musician, it’s OPTIMIZING THE SYSTEM for Professional use.

But from the perspective of a typical naive email/facebook/twitter user, the system is possibly not as user-friendly, because all the stuff not crucial to music production/post production/composing/etc is TURNED OFF AND/OR PERMANENTLY REMOVED.

This is both a science and an art. And it’s the same for Linux and MacOS systems. It’s very conventional now, and people regularly share each other’s successful “tweaks” and optimizations. Some of them are incidentally security fixes also… because, if you are mixing and mastering digital audio you sure as hell don’t need something uploading and downloading via Bluetooth or WiFi and wasting your CPU and RAM.

In pro audio, unneeded resource activity can actually spoil recorded audio files with unrecoverable types of errors which are audible and very frustrating. The ethos and methodology of digital audio workstation optimization is about turning the computer back into a POWERTOOL, instead of some kind of slacker leisure hive space as mainstream culture promotes.

For gamers, it can be slightly similar. Overclocking hardware is about getting measurable results of increased performance for the sole purpose of good gaming. All else can, figuratively speaking, “go to hell”. Yeah, it might make the hardware wear out sooner, and disabling all of Microsoft’s WMI logging and all that nonsense they might consider “breakage”, but from a raw user perspective, if it gets in the way of what the user wants, breaking it is QUITE DESIRABLE.


Even in terms of power companies, when a fuse “breaks”, that’s quite desirable. When part of a system shuts down, often that’s a lot more desirable than the whole entire thing breaking. Stuntmen comprehend the idea also. NASA has “fault tolerant” systems. Breakage is actually part of the success of preventing disasters.

A roadblock is a “breakage” in terms of speed demons who risk killing people, but in terms of safety, a roadblock is quite desirable. Bullet-proof glass is “breakage” with respect to criminal firearms activity. But in terms of safety, we don’t care that the velocity of an incoming bullet was “broken”. We are glad for this.

So timidity is not the answer.

Legal indemnification can probably be accomplished by the likes of the FBI and NSA and related organizations or their other international sibling organizations.

Laws are ultimately supposed to protect us. Motive is also a factor in legal terms. When laws fail to protect us, they are changed and/or ignored. This is not news, and it’s nothing to fear.

The next generation of unsung heroes may be precisely those who dare to do damage control and break a disaster down into more manageable and SAFER parts. Firemen need to be able to break down doors and walls to save lives. It’s time we have our digital equivalents of heroes with their bags of tricks as well.

Corporate billionaires might complain about profits lost during outages, but if such outages ultimately save lives and the stability of many others, it’s worth ruffling their feathers every time, even if and especially if the laws aren’t up to date with the technological flaws and debacles of our time.

Don’t lie down and surrender to these problems without a fight.

Slawek November 15, 2017 6:18 AM

Plan B

I propose a free market solution. Make consumers responsible.

If your IoT device causes damage then you should face the consequences. Of course it’s not possible in many cases, but judges should have no problems understanding some simple cases like your hacked device spying on your neighbor, etc. When the first few people get to pay for that, it will be interesting news for the media. Then the market will start to work miracles. Suddenly people will become more willing to pay more for secure devices and producers will provide them. That’s how free market usually solves these types of problems.

I’m not sure it will work in US though. The amount of government regulation blocking this process may be too big.

I think that, even without this plan B, things will improve over time anyway. Your insecure IoT device is most dangerous to other people, but it is also dangerous to you. People will learn that over time and act in their own best interest.

Patrick November 15, 2017 6:34 AM

Plan B must be a solution that addresses the problem on a global basis without the need for any government coordination. So find links in the global supply chain that can be coerced into mandating the low security bar described in the post by Bruce. A Wal-Mart mandate, similar to requiring suppliers to add barcodes or passive RFID tags to inventory, would be one model to copy. The coercion comes via lobbying Wal-Mart or another large U.S. retailer (not Amazon) to get the party started. And perhaps a large EU-based retailer as well. With some retail leadership, large US govt buyers like DoD will follow suit.

Chris Drake November 15, 2017 6:44 AM

Plan B is global digital identity – it’s an exhaustively long explanation for how this could be achieved, but once there, only simple steps are needed for this to then secure IoT itself.

If you read this deep in your comments, let me know and I’ll explain how and why.

The problem is interesting: each IoT gadget out there contains components from literally thousands of different authors, many with altruistic open-source ideals, many with their own excellent care and best practice, but not all. Securing IoT requires identifying the broken bits and the bad apples. You’ll never do this without global identity, and you’ll never get global identity without some extremely interesting implementation plan: you can’t force this stuff on people, so it needs to be designed so everyone wants it. That’s the exhausting bit to explain.

Clive Robinson November 15, 2017 6:55 PM

@ Slawek,

That’s how free market usually solves these types of problems.

No, it does not; that’s the drivel you get in neo-business books and op-eds.

To see why let’s take your notion of,

Suddenly people will become more willing to pay more for secure devices and producers will provide them.

That’s not what happened with the US car industry. People were literally dying to have chrome tail fins rather than safety features like brakes that worked with the mass of the vehicle or gas tanks that did not explode with a low speed tail shunt.

The US car industry was in a downward spiral: what marketing said, marketing got. The marketers of one manufacturer more or less played follow-my-leader with another manufacturer. What we would call “focus groups” asked all the wrong and frankly marketing-opinion-biased questions. So the US consumer choice was like the Pythons’ Spam sketch, only with chrome, tail fins and other dead weight the brakes could not stop.

Such spirals are “tail spins”; as pilots will tell you, the way out is to do the opposite of what is not working, even though your brain might be telling you it’s the wrong thing to do.

What saved the US car industry was safety regulation. It got them out of the chrome spiral of death.

The same problem exists in IoT: before it’s even got going, it’s in a marketing-inspired features tail spin, spiraling ever downward.

The way out is the right sort of legislation and professional patent and other capture-trick standards with proper certification conformance testing and licencing.

It’s worked well for mobile phones on the regulated side and would be better still if the regulations started moving over to the unregulated Smart side.

warren November 16, 2017 10:10 AM

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re up-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

PeaceHead May 9, 2018 6:37 PM

This problem is clearly not going away, yet neither is our concern.

Good comments.
I think we need a list of the who is who of IoT…

It’s totally manufactured arbitrary false demand.
Nobody ever needed an IoT, and it’s NOT inevitable!
Is this an NSA thing?

Which corporations and organizations and individuals are pushing for it to happen?

Maybe if more of them were fairly and rationally discredited, then there would be more of a chance to stabilize the compound situations. Eventually they will humiliate themselves, but perhaps it needs to happen sooner, for the sake of protecting the masses from their technocratic synthetic disasters…

This is just an idea thus far, what do you think?
