Terry Dunlap Rants: “It’s Déjà Vu All Over Again as the FTC Seeks IoT Patching”
About three years ago, my team and I consulted with the FTC on their concerns about the gaping vulnerabilities in IoT devices. They knew then and know now that unsecured IoT devices pose huge security threats.
Today, we read story after story about cyber attackers who leverage thousands – no, millions – of connected devices as electronic soldiers in their armies. And the threats will continue to grow as new, unsecured devices enter the market each day.
I read this recent article entitled, “FTC sets $25,000 prize for automatic IoT patching” and shook my head (SMH). First, the prize is not enough to actually patch anything. Second, shouldn't companies also be building embedded firmware more securely before selling their devices to unsuspecting clients and consumers (more on this below...)?
Think about patching existing embedded firmware devices. Outside developers would need access to source code to patch vulnerabilities. How would this unfold? Are companies likely to share their source code given legal and other limitations? What about defunct companies whose source code is a distant memory?
It seems like the FTC seeks a magic bullet by offering prizes to patch only some of what ails vulnerable IoT devices. And we all know there are no magic bullets because, if there were, I’d be a lot taller.
Let's step back and look at the bigger picture. The FTC can run a good contest to support patching devices and encourage companies to fix their security holes. Yet, they should also consider ways to help companies be better from the start, even though many companies resist building secure IoT devices based on one factor: money. There’s little to no ROI to bake in security when firms operate on the thinnest budgets to bring their products to market.
Companies might only respond to security concerns after a cyberattack has leveraged their products or affected a company just like theirs. Or, they may slowly respond when government groups or non-profits enact laws or enforce standards. Human beings get comfortable with their own behavior - even the risky kind.
But, can't we cost-effectively build secure embedded firmware from the start? Of course we can.
Founder and CEO
P.S. On a related note, consider how many people actually apply firmware updates that are proactively issued by the manufacturers. Raise your hand if you do. Ah, just as I thought. It’s only about 55% (based on the power of Google research).