Australia wants IoT security guarantees – another poor tech idea from our government
As the quote goes… “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” And therein lies the problem with Australia passing “new laws cracking down on vulnerabilities in web-enabled devices “.
Apparently our connected cameras, light-bulbs, and televisions are under a deluge of attack and we need protection. This plan sounds great at first blush, which is of course why it’s being pushed by a politician, but it doesn’t stand up to a lot of scrutiny.
The Turnbull government is pushing the technology industry to come up with its own consumer advice rating that could be a “cyber kangaroo” logo giving a tick of approval or a star system similar to the health stars on some packaged food, and energy stars on electrical appliances.
So let’s run through this. First the very nature of connected devices means that any star-rating sitting on the box when you buy a device is likely to be obsolete within months, let alone years. However secure you think your device is the real test will be when the next smart hacker finds a vulnerability to exploit. This isn’t a static situation – it’s a constantly evolving playing field. That’s why the US suggestion that connected devices need to be able to be updated with security patches makes some sense – although that process is itself a potential security vulnerability.
Then there’s the unavoidable fact that modern devices form part of a network. It’s no longer a point to point thing where you have a device and it’s directly connected to your phone, for example. So the security vulnerability in your smart home may well be your computer or phone, not the light-bulb or camera that’s being given a rating.
How do you go about judging security? Self regulation seems fraught with confusion and peril. Of course there’s one group of people who, thanks to a few years of leaking, we know perfectly well have a comprehensive list of holes, back-doors, and exploits – the five-eyes governments led by the USA. So forget the cyber kangaroo – maybe what we really need is a rating system done by the USA’s National Security Agency. Given that’s not going to happen, the question remains – how on earth do you judge security and reduce it to a star system that has any meaning? Five stars for the security camera that records only to video tape?
And while we’re in that vein, of we do increase security we will also need politicians to stop banging on about requiring manufacturers to build back doors into their devices. You simply can’t have a secure system that has a back door built into it. Does a device lose a star because the US government has access, or only if the Russian government has access?
For most devices, the threat of hacking simply isn’t a huge deal. The level of sophistication required to hack into a device that’s been properly set up and secured is beyond casual use. And no star-rating of cyber kangaroo is going to alter the fact that the real and significant danger is that people leave their passwords on the default setting. That’s the major risk and one which the government might usefully spend some time addressing through education – but wont because that doesn’t make for a sexy press release with a cyber kangaroo to talk about.
Anyway, let’s finally recognise the unavoidable fact that Australia is simply not a powerhouse producer or consumer of internet-of-things devices. We can pass whatever laws we like and the major impact is going to be to limit Australian consumers’ access to imported devices.
Hey, but I guess if we can’t buy devices, that’s a form of security in itself.