Security expert Bruce Schneier published an essay last year that called IoT device security a form of “invisible pollution,” where there’s no market incentive for device manufacturers to build more secure products. This is why we saw several major DDoS attacks in 2017 powered by IoT botnets like Mirai and Reaper that relied on a huge number of insecure devices like webcams, digital video recorders and smart light bulbs. If these attacks continue to grow in severity in 2018, when will we hit the breaking point and impose some regulations on IoT devices?
WatchGuard threat analyst Marc Laliberte recently wrote a column on this topic for Help Net Security. Based on how attacks like Reaper have improved on early botnet malware like Mirai, Marc predicts that an extremely effective botnet attack will hit sometime in 2018, and it will cause enough damage to force a major government into implementing IoT device regulation. Here’s an excerpt from the article explaining what these regulations might look like.
That’s hard to say with certainty (what these regulations would include), but the most likely scenario would involve minimum security requirements for IoT device manufacturers. Easy targets would be ensuring remote access through Telnet or SSH is disabled by default (or removed entirely), barring the use of hard-coded passwords (or at least requiring a password change during setup), and requiring security patches to remain up-to-date, at least when the device is first shipped. These regulations would finally provide the missing incentive for manufacturers to secure their products before selling them to consumers.