Internet of Insecure Things

Looking at the Internet of Things, the market consistently fails to produce reasonably secure and trustworthy devices. This is especially true for smart home and consumer devices such as Internet routers, door locks, light bulbs and TVs. Manufacturers seem to have little economic incentive to implement secure software development processes or at least follow Security-by-Design principles. This means that billions of  severely insecure IoT devices will continue to proliferate the Internet making it far too easy for criminals to exploit those vulnerable devices. Already today's criminals are using large botnets of hundreds of thousands of compromised IoT devices to attack and temporarily take down websites, company servers and critical Internet infrastructure. These  severe attacks in recent years prompted governments around the world to start  thinking about how to improve the security of IoT devices.

Regulatory intervention will need to address the two dominant market failures: (1) Currently, manufacturers do not need to provide essential information about the security of a device such as for how long it will receive security updates. This information asymmetry between consumers and manufacturers about the security of a device makes it harder for consumers to be aware of the device’s security. (2) Criminals use IoT botnets, large networks of hundreds of thousands of compromised IoT devices, to attack websites, company servers or critical Internet infrastructure ─ never consumers. Thus the costs that are incurred due to software vulnerabilities are external costs since neither manufacturers nor consumers have to bear them.

This paper analyses both market failures and points out unique characteristics of the IoT that explain why criminals will continue to exploit vulnerable devices. In order to effectively cure the market failure, a combination of different efforts such as consumer labels, extended software liability or mandatory baseline requirements as a barrier to the market will most likely be necessary. Policy makers need to understand that all these regulatory interventions rely at some point on a robust and efficient security assessment ecosystem ─ an orchestrated effort between standardization and certification bodies, security assessment companies, ministries and market surveillance to ensure that manufacturers follow prescribed security requirements. Yet today’s dominant security assessment regimes are relatively static, expensive, time-consuming and focused on pre-market certification. All these aspects make them unfit for the IoT.

To contribute to the current policy debate about IoT security, this paper will discuss central aspects of an efficient and effective security assessment ecosystem for the IoT. The results are based on SNV’s research, expert interviews and several workshops. The goal is to inform the policy debate and underscore the importance of a responsive, open and modular security assessment for many other policy initiatives such as software liability, consumer labels and baseline requirements.