Aussies Propose Crackdown On Insecure IoT Devices

We’ve all seen the stories about IoT devices with laughably poor security, both within our community as fresh vulnerabilities are exposed and ridiculed, and more recently in the wider world as stories of easily compromised baby monitors have surfaced in mass media outlets. It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.

The Australian government have announced that IoT security is now firmly in their sights, proposing a certification scheme with a logo that manufacturers would be able to use if their products meet a set of requirements. Such basic security features as changeable, non-guessable, and non-default passwords are being mentioned, though we’re guessing that would also include a requirement not to expose ports to the wider Internet. Most importantly it is said to include a requirement for software updates to fix known vulnerabilities. It is reported that they are also in talks with other countries to harmonize some of these standards internationally.

It is difficult to see how any government could enforce such a scheme by technical means such as disallowing Internet connection to non-compliant devices, and if that were what was being proposed it would certainly cause us some significant worry. Therefore it’s likely that this will be a consumer certification scheme similar to, for example, the safety standards for toys, administered as devices are imported and through enforcement of trading standards legislation. The tone in which it’s being sold to the public is one of “Think of the children” in terms of compromised baby monitors, but as long-time followers of Hackaday will know, that’s only a small part of the wider problem.

Thanks [Bill Smith] for the tip.

Baby monitor picture: Binatoneglobal [CC BY-SA 3.0].

39 thoughts on “Aussies Propose Crackdown On Insecure IoT Devices”

  1. ” It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.”

    Right. Consumers ignore sales, don’t shop at Wal-mart, and buy the most expensive devices on the shelves.

  2. This of course only arises as they feel the need to insert themselves into your data stream. My LAN of things has no such issues, and isn’t even visible on the internet if I don’t want it (which is nearly always) to be. They want to make users dependent on them, get user data to sell, and no doubt, someday charge rent for their service – or your very house won’t work. No thanks…heck, even if some outfit decides to become non-free, what about going bankrupt? Poor homeowner can’t right now, at any price I’m aware of, buy an off the shelf system like I built for myself, that just isn’t dependent on some third party. Yes, they’re cheap, but that doesn’t seem to be the main issue here (yet). The average person doesn’t have an option, unless they can afford to hire someone to build a really good implementation for them.

  3. Let me think for a moment….

    Australian government and Internet …..

    National Broadband Network …….

    And the policy makers think they can do anything positive in respect to the internet services ROFL

    Just for clarification for people unfamiliar with the state of internet supply in Australia. If you don’t live in a capital city you don’t have any need for reliable fast internet, a couple of tin cans and string attached to your acoustic coupler is all that ISPs are required to provide and it will cost the same as a fiber container connection in Sydney (the capital of Australia) oops Sorry Sydney IS Australia….

    1. Well speaking from a lot of relevant experience I can say confidently that your claims are complete and utter bullshit, of the millions of connected homes there are really very few significant issues and they are often temporary, location and subcontractor specific. The other issue is with ISPs selling connections at speeds that when aggregated are far greater than the size of the channel they are paying for, i.e. the problem is caused by them chasing greater profit margins as resellers and nothing to do with the underlying network which is actually rock solid and very fast.

    2. It’s worse than that, many parts of Sydney are not even going to get fibre!

      My suburb is not remotely an outer suburb, we’re still not on the NBN, and when we are it will just be a re-branding of the Optus HFC network…

      1. Thanks for sharing your interesting but statistically irrelevant personal anecdote, that RF based cable network will get retired eventually, then fibre will go into those areas. Throwing it out early would be economically and environmentally irresponsible because there is little chance that all of those cables and gear getting recycled. Even the old telephone wires have just been abandoned in situ in the areas that do have optical networks, and will probably stay there until somebody figures out how to steal all that copper without getting caught, LOL.

          1. That is a useless comparison. Australia is way bigger than all of those places put together. The fact that some kid on an outback cattle station the size of a small European country can get satellite based internet is actually something to be celebrated even if there is a bit of a lag. Only a fool would consider such comparisons relevant.

          2. Yes Dan, the ever repeating “way bigger/lower population density” argument. Is that why NY/Manhattan is a place in US where you pay $220 for a 35/5 cable? or $420 for 20/20 VDSL 500GB data cap in Sydney (until 2 months ago https://www.youtube.com/watch?v=HeEAVj2Szbg)?
            http://www.eevblog.com/forum/chat/lab-nbn-installed!/

            for comparison in Europe (even small towns) UPC (liberty global) offers ~$22 500/25 cable(eurodocsis3, you can run several modems at the same time if you need more speed, I did 3 briefly for fun). Orange offers $24 600/60 FTTH, and those two are only the biggest ones, usually you can pick between 3-5 ISPs.

            Let’s face it, you are just a frog in your little prison Island cooking pot, insane internet prices, insane wages (hey, where did all the car manufacturing go?), insane property prices (getting primed for collapse). The problem is not population density, but politics/power.

    3. You should be careful to differentiate between the legislature (Turnbull and his mates who f**ked the NBN) and the public service (DSA/ASD/CIOG, ACSC) who have some reasonable competence in this area. Go download the ISM and tell me they’re clueless – sure it could be a bit better, but it’s a really good start on defining infosec best practices and anyone can make use of it if they want to put the effort in.

      Note that the proposal here is a rating, not banning/regulation. So it’s pretty low-interference, and it will probably do some good.

      Nothing will change for reals until there is commercial and/or criminal liability for software faults and/or negligence.

  4. Yay what a good idea, I wish I had thought of that, it seems so obvious.

    I guess that enforcement will be via commercial liability for the retailer, importer and/or manufacturer. At the moment you can buy a “thing” and have it become effectively useless due to security issues while still being under 12 month replacement laws, yet not be able to replace it because it still functions and you can’t easily prove it is no longer “fit for use”. In fact some companies will block your attempts to prove the device is insecure by accusing you of hacking, or breaking the device, i.e. dishonestly deflect the blame for the problem from them and onto you.

      1. That’s pretty much a given, but easily avoided by not purchasing toys. In the event IoT is necessary part of a life critical device, why would anyone bitch about paying more for increased security?

  5. From another comment “I hope they don’t crack down on unsigned firmware”. Most likely all firmware will be required to have signatures, for any standards to be effective. No doubt the burden of denying products that don’t meet standards will fall upon the ISPs, and mobile phone carriers. This brings up a vulnerability in makerdom, no all-encompassing national or international bodies that look after the interests of makers, like amateur radio operators, RC model air, and model rocketry have. Probably doesn’t matter because many makers would not respond to proposed regulation because the name and comments will become part of the public record for all to see. IMO while a heads-up is warranted, any hand-wringing should be put off until actual regulation proposals are made public.

  6. It seems to me that if you want both security and internet connectivity you are living in the wrong reality.
    Suppose you had a room and you didn’t want people to enter it. You put a lock on the door. Seems reasonably secure. Now you put the external doorway in every second house on the planet. All of a sudden that lock ain’t as secure as it seemed.
    The internet is inherently insecure. If you want your devices secure don’t broadcast the entry points to the world.

  7. HAHAHA, $10Mil Budget for the first year, 1 employee that is qualified expenses + new office + equipment they’ll be lucky if it runs for 5months.

    This is another typical handout scheme for a politicians friend to slurp tax $ from the people one way or another they consistently approve these pathetic outdated schemes.
