(was: ‘How to force manufacturers to take IoT security seriously?’)

This is just a brief thought which has popped into my head that I thought I’d share.

Ars Technica have an interesting article as context.

In short, there’s a BrickerBot going around bricking insecure IoT devices.

What I imagine BrickerBot looks like when it’s posing for a selfie. *swoon*

Basically, the problem with IoT security is that security costs money. People don’t understand security and therefore don’t want to pay for it, so IoT manufacturers have no incentive to make their devices secure (since it necessarily would make their product cost more than the competition — who aren’t securing either).

Without an economic incentive to secure it, it remains insecure.

I think I should co-opt that as Hall’s Law. I’m well-overdue having my own law.

It’s not to suggest that the IoT manufacturers are being unreasonably obstinate in the face of Rest-of-World who are busy being good citizens — we have a huge raft of legislation, standards, and frameworks all designed to force Rest-of-World up to their self-anointed high ground.

But the point is, when it comes to personal data, there’s The Law. In the UK the Data Protection Act establishes some high level requirements and has a moderate enforcement capability. It is soon to be replaced by the substantially empowered EU GDPR, which brings much more detail and a much bigger enforcement stick to boot — a weighty 4% of turnover fine.

When it comes to credit card data, there’s PCI-DSS. A lot of people consider it to be an onerous standard, when in fact it’s more or less entry-level security — and yet we still find it difficult. Penalty for breach of credit card data or non-compliance? Fines.

See the pattern?

Without an economic incentive to secure it, it remains insecure.

So, back to the BrickerBot.

Who is behind it and what they want is unknown, but the interesting effect (or side-effect) of what it’s doing is that it’s covertly creating an economic incentive for manufacturers to improve security. Because if I buy my internet-connected toilet-flusher, and it comes with bad security, and BrickerBot comes along and bricks it for me, then I’m going straight back to the manufacturer and getting a refund.

Over time, this creates the incentive manufacturers need to take security seriously.

Is it efficient? No. Is it entirely fair on the consumer? No. Is it likely the only viable way of addressing the IoT security problem? Probably.

(edit: title changed based on feedback from franciscop on HN)