The company was tanking and they were looking to make a quick buck. What market motivation would they have to spend extra time and money securing it properly? This is a fine example of why we need IOT regulation.
> This is a fine example of why we need IOT regulation.
Cool, let's just inundate the industry with pointless government "security" checklists that don't actually accomplish anything. That way, instead of a small fraction of all the cool, affordable products we now have access to occasionally getting hacked, we can just not have any cool, affordable products except those made by companies big enough to hire enough corporate lawyers to CYA their way to government approval.
How about, if you care so much about teddy bears getting owned, you just don't buy them? It's easier and more polite than taking them away from everyone else as well.
You can't legislate security into existence. That's not how it works. Security isn't a solved problem, so the government can't force people to do it correctly. The only thing you can possibly accomplish is either making products more expensive (with no/negligible actual security benefit) or removing them from the market entirely.
I agree that regulating this will just cause security theater. However, it's also unreasonable to expect non-technical consumers to understand what's going on and what the implications of their choices might be for any given IoT device. Many probably would have a hard time deciding what devices are even IoT. Maybe this is a gap that could instead be filled by a consumer review product service that focuses on IoT devices and their security. I expect that the general public didn't care enough though to make this viable. Maybe once more toys got compromised...
Edit: I also wonder if stronger punishments for people involved in extreme cases like this would help. If you make a reasonable effort to secure your service and get hacked anyway that's one thing. But not even attempting to secure your service at all is something you shouldn't get away with. Of course the problem is how "reasonable effort" would be interpreted legally.
I don't necessarily disagree but I will note that Bruce Schneier, who so many people on these pages are a big fan of, was basically advocating for government regulation at a recent conference.
- any personal data stored is inaccessible to the outside world without AT LEAST a password
- minimum password length for users
Just anything to slow the shitstorm combination of incompetent developers and corner-cutting executives.
AND such regulations are reasonably easy to enforce: anyone can check network traffic to verify protocol and API tokens or set up a new account with a short password; port scanning would catch most public databases.
> This is a fine example of why we need IOT regulation.
This sort of thing almost (but not quite) always results in things that are no more secure, just more bureaucratic. Large companies keep building the same insecure crap they always have but can afford to hire an army of lobbyists and paper pushers to get "approval". Small innovators who could actually fix the issue are kept out by the high cost of useless paperwork. The industry stagnates at a dismal low point.
In short, prematurely regulating an industry is usually a fantastic way to strand an industry at a local maximum far below its potential.
Computer security is a new thing in those industries; regulations have yet to catch up.
The point here was, there are always companies that are looking to make a quick buck and which will always refuse to "spend extra time and money securing it properly". Such companies have the market forces on their side - the less they give a shit, the faster and cheaper they can sell their products/services. Regulations in established industries ensure that the minimum level of giving a shit is still safe enough for people.
Hopefully this event will be 'market motivation' enough for them and any companies who will follow them. If this stuff is insecure it will be found and brought to light. The only question is will the good guys find it or the bad guys.