While I love rust and think it (should) replace C for web servers and the like, the majority of the issues with IOT devices are just basic security oversights and design errors.
You raise some very good points:
1. Secure by default should be mandatory. MS learned that one the hard way.
2. Consumer protection laws would certainly get device builders' attention. I think that is required. But I doubt the current administration is inclined to enact such laws.
It is a shame that devices are certified by UL and FCC, but there is no security certification or even a basic audit that would catch: security backdoors, default / blank passwords, auth over http, basic XSS and CSRF vulnerabilities etc.
The bad news is that we don't know how to design a device with Linux and internet services that will be secure without updates for 5-10 years. So we either insist on updating .... or we keep some of the darn devices off the internet.
At a minimum, we should insist on having devices that don't listen on ports just waiting to be hacked. Devices should only connect out.
Very good point. Even requiring the user to specify a maintenance window can ruin the experience.
Some patches should be able to be made "hot", but that takes extra ram which is often squeezed to a premium in a device.
I would recommend:
- We not put devices on the internet that do not have a core, hard requirement to be on the internet. This rules out toothbrushes, toilets, pillows etc.
- Devices do not open listening ports and only connect out. This eliminates a whole class of shodan visible attacks.
- Devices give users some option of when an update is required and when the user can apply it. If the device can be managed via a HomeKit or Phone UI - these options can be made pretty usable. Alternatively a yellow light on the front of the device if suitable to indicate an update is available.
Regardless, the current path of listening devices on the internet and not being patched is untenable.
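One way to verify the "no listening ports" recommendation on a Linux-based device is to audit its own socket table. The script below is an added example, not code from any poster here; it parses the `/proc/net/tcp` format (the sample table is constructed) and reports LISTEN sockets bound to anything other than loopback, which is exactly what an outside scanner would find.

```python
import socket
import struct
from typing import List, Tuple

# Constructed sample of /proc/net/tcp as a Linux device exposes it.
# st 0A = LISTEN. local_address is little-endian hex IPv4, then :port in hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def _decode_addr(hexaddr: str) -> Tuple[str, int]:
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hexaddr.split(":")
    # The kernel stores the IPv4 address as a little-endian 32-bit word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposed_listeners(proc_net_tcp: str) -> List[Tuple[str, int]]:
    """Return (ip, port) for each LISTEN socket reachable off-box,
    i.e. bound to the wildcard address or any non-loopback address."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        if not ip.startswith("127."):
            found.append((ip, port))
    return found


def audit_device(path: str = "/proc/net/tcp") -> List[Tuple[str, int]]:
    """Read the live table on a Linux device. IPv6 (/proc/net/tcp6) uses a
    wider address field and is not covered by this example."""
    with open(path) as f:
        return exposed_listeners(f.read())


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"listening off-box: {ip}:{port}")
```

Run `audit_device()` on the device itself as a build-time or boot-time check; an empty result is the state the recommendation above asks for.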
True point. The difference is that enterprise apps understand the need to patch and update. IOT devices and device builders largely do not.
IOT devices today look pretty much like any other internet device too. Linux, good CPU horsepower, ample memory and internet connection. More than a few exploits that work on enterprise servers can be adapted for IOT devices.
Add to this a lack of awareness of basic security issues among device builders and you've got a problem. That is why we are seeing so many security issues with IOT devices.
> lack of awareness of basic security issues among device builders
I'd hate to think users were just as guilty, after all that would implicate me, but much of the IOT functionality should be firewalled or restricted to LAN, if access via handheld is the target rather than turning the stove on while on vacation. Regarding manufacturers from the POV of a consumer, they should just build devices without malfunctions. That's not a matter of security but quality.
I know! Why do device manufacturers need to be pushed for this? We consumers keep buying stuff that has been put on the internet with little to no thought about security today or tomorrow.
IOT will get much worse before it gets better. I say this from working with device builders for 2 decades. The level of attention to security is sadly lacking.
I think that consumers aren't actually the target market for most of this always-connected-always-listening device stuff. The real products that are for sale are the data these devices generate and the distribution channel that third parties can buy access to that these devices enable.
There's an old saying that "if you aren't paying for the product, you are the product". That saying might need to be updated to reflect modern times, that "if you aren't paying for the product and maybe even if you are, you are the product".
There may also be some manufacturers who put stuff on the Internet not as a deliberate effort to monetize their customers' lack of privacy, but simply because they've bought into the marketing of other device makers and are convinced that some of the features they can enable by being always connected will make their product more desirable.
If the device does not listen, i.e. it calls out, then it is inherently much more secure. However, many devices use an embedded web server and do listen for requests.
If the device does not listen, and polls regularly for updates, then that is fine ... perhaps even ideal.
Do you mean basic & digest http auth built into the browsers? If so, yes, they are bad. The issue is you cannot reliably implement log off on all browsers.
In doing IOT for 2 decades, this is probably one of the biggest issues. At best, most devices have a "download firmware" option that 99% of users can't operate.
I could go on about dozens of other issues, like back-door field-service passwords, http not https, passwords in the clear, endless XSS vulnerabilities, but this is one of the biggest.
Sorry that is not quite what was intended. I've revised the text to say:
If your database supports low cost encryption at rest (like AWS Aurora), then enable that to secure data on disk. Make sure all backups are stored encrypted as well.
i.e. this kind of encryption costs very, very little and gives you physical security if you need it.