IoT devices are particularly vulnerable to infection with malware such as Mirai. Users may not even realize the devices have passwords and so never change the defaults. They may not pay attention to updating the devices with security patches.
Ideally, having seen the potential for catastrophe, the makers of IoT devices would take steps on their own (or better yet, as a group) to boost security. But that isn’t likely to happen. IoT devices are price-sensitive — manufacturers won’t spend money on security if they don’t expect to be able to compete with the companies that ignore it. In addition, makers of consumer devices such as refrigerators and video recorders don’t have enough people with security expertise on staff.
The consequences of this go beyond the internet itself. Sanjay Sarma, a professor of mechanical engineering at MIT and an IoT expert, told Computerworld’s Patrick Thibodeau, "This is just the beginning. There's more coming, sadly — perhaps a power plant." Given that medical devices are internet-connected, they can be hacked as well, with catastrophic consequences. Former Vice President Dick Cheney told 60 Minutes that his doctors had the wireless capabilities of his heart implant disabled because they feared it could be used in an attempt to assassinate him.
For all these reasons, the government needs to step in and enact security regulations for IoT devices. Mikko Hypponen, chief research officer for F-Secure, told Business Insider, “We're regulating things on appliances anyway. They should not be able to give you an electric shock, they should not catch fire.” To that list, he adds, “They should not leak your WiFi password either.” Basic regulations could include a requirement that consumers must change the default password in IoT devices before they can be used, for example. Laws can be enacted that levy civil and criminal penalties on companies that build insecure devices. The devices can be required to have a base level of security built in.
Some people argue that U.S. regulation won’t solve the problem because many of the devices are made by foreign manufacturers. But the U.S. is such a massive market that companies will have a big incentive to adhere to its regulations rather than forgo a chance to sell here.
Government regulation of tech should always be a last resort. But when it comes to IoT, we’ve already gone beyond the last resort. It’s time to crack down on IoT devices for a safer internet and a safer society.