Apa agreed that manufacturers “typically prioritize marketing and logistics rather than security.”
He said this is typical in a relatively new industry where “the extra effort to make their product mainstream absorbs part of the resources that could have been used for hardening their initial prototypes.”
So that means it will take class-action lawsuits brought by victims of robot hacks, or government intervention, which security guru Bruce Schneier has been promoting for some time.
Schneier, CTO of IBM Resilient, who has testified before Congress urging government regulation of the IoT, wrote in a recent blog post on internet development that, “We're building a world-size robot, and we don't even realize it.”
That, he wrote, is bringing cyber threats to a new level. “Give the internet hands and feet, and it will have the ability to punch and kick,” he wrote.
Danny Lieberman, CTO of Software Associates, agreed, saying a regulatory agency like the Food and Drug Administration (FDA) should oversee the IoT “in a multiple tier system of non-regulated, low-risk, mid-risk and invasive/high risk devices.”
But he said for such a model to work, it would have to be much different from the typical government bureaucracy.
“It would have to use an entirely different organizational construct, built from day one on online submission and distributed approval with a very small bureaucracy. Otherwise, it won't happen,” he said.
Ostashen called for government “standards that have consequences.”
If manufacturers fail to meet standards or to use best practices, “then the manufacturer must pay a fine,” he said, adding that there ought to be fines levied also for breaches due to poor security.
Apa said he thought government involvement would “bring attention from consumers and producers to the problems.”
But he said it would only work if “security regulations are implemented effectively, from the right people and in a realistic way.”
He said he and Cerrudo notified the six robot vendors surveyed in the report and just four – SoftBank Robotics, UBTECH Robotics, Universal Robots and Rethink Robotics – responded and were sent a report with the research details. Just one, SoftBank Robotics, said it was going to fix the problems, but offered “no details on when and how they are going to do it and what issues they were going to fix,” he said.
“Universal Robots said our findings were interesting and that they should do something about it without giving any more details,” he added.
CSO tried to contact all six vendors and got a response only from Rethink Robotics – a prepared statement that had been released to other media outlets earlier. It said two of the items noted were intentional design features that would apply only to the “research and education version” of its robots. The other items, “were already known to us and addressed in Rethink’s software release in February,” the statement said, although it offered the disclaimer that, “we also expect that the robot is connected to a secure corporate network.”