Schneier: Buyers and sellers don’t care about vulnerabilities in IoT devices

Security expert Bruce Schneier says sellers and buyers of Internet-of-things devices, such as webcams and digital video recorders, don’t care if they contain vulnerabilities. That is why the government should introduce minimum requirements.

In his speech during a hearing of the US Congress, Schneier refers to the major DDoS attack that took place at the end of October on DNS provider Dyn. Several IoT devices were deployed as part of the Mirai botnet. According to Schneier, these vulnerable devices will remain connected to the internet and will not disappear on their own. In addition, their service life is often quite long.

He suspects that the market itself will not provide a solution, because the sellers of the devices have long since moved on to selling new models and the buyers only want a working product at a low price. That’s why the government should set minimum security requirements for Internet-of-things device manufacturers, even if the consumer doesn’t care.

One way to achieve this is to introduce liability, Schneier suggests. He recognizes that, for example, it will be difficult to impose requirements on manufacturers in Asian countries and that an international approach is needed. Minimum security requirements for products sold on the national market could still force these manufacturers to improve their security.

Schneier adds that it is unwise to wait for a major disaster with IoT devices. That would only create bad regulation motivated by fear. Instead, it would be important to think about a solution in advance.
