Sunday, September 11, 2016

IoT - Do it better?

I am reading and hearing more and more about 'hacks' on IoT devices and other network connected devices (like cars).  Security must be the first thing a maker has in mind and not money or being able to brag that they are first to market.  The makers of IoT need to get together and define a number of things, if they don't do this then I will not be surprised when (not if) the government gets involved and imposes a solution.

Common API.

  •  suspect a lot of functions could be described by a common, free to use API.  The GPL worked well for Linux and maybe it could be the model here too.
  • Open it up so the end user can also tinker with the device.  Look at what has happened and is still happening to Linux over 25 years.
  • With a common API you can present to the users a consistent front-end for setting values, reviewing settings over a number of products in your IoT product offerings.  When there is a new product it would simplify the development work on building a front end as code for common functions are already there.


Security.

  • Too often there is a security hole and there is no way for the end-user to fix or for the manufacturer. Many times the users don't know there is a hole until news about the issue hits mainstream media, or, hobbyist friends send them a note.
  • What would it cost to allow the user to get patches and updates?
  • For certificates there MUST be a way to update the certificates when they are compromised.  Right now we either live with compromised devices or trash the devices.
  • Default settings, allow the user to modify what goes out over the network.
  • Makers claim their devices are secure, but, without being able to inspect how they implemented their security we don't know for sure.

Life of device.

  • Define what the process is, what will be patched and for how long and when it will not be supported.  Dropping support and killing the servers that result in the device being a paper weight isn't acceptable.

Communication. 

  • Be up-front on what is captured, why and the frequency it is sent.  Allow the end-user to select the level of information sent out and explain why it is needed and functionality lost by opting out.
  • When the device gets hacked (not if) be up-front to the community on what happened, what was taken and the steps being taken to close the problem and fix so that it won't happen in the future.

No comments: