"[...] it reckons businesses running the services devices connect to need to include a sunsetting model."
More built-in short-life obsolescence?
About time: the GSM Association has released a bunch of guidelines to try and address the chronic insecurity of the Internet of Things. The significance of the initiative is that it's been agreed to by a collective of major carriers – the organisation's announcement lists AT&T, China Telecom, Etisalat, KDDI, NTT DOCOMO, Orange …
Now THAT is the right kind of approach. No mollycoddling, no pretty please, no endless collection of second chances.
Where security is concerned, I totally subscribe to that. Enough with the kindergarten view of connecting things to the Internet.
I hope the words will be followed by actions.
Only problem is, this is GSM. So a device with dodgy security won't be connected through any of the networks... but will still be able to connect to the average Joe Punter's Wi-Fi, because that's down to him to control, and he doesn't understand the security implications of connecting insecure tat to his network.
Exactly, and I expect that home-wifi-connected IoT stuff outnumbers GSM-connected things by multiple orders of magnitude - this might help with your electricity / gas meter, but hardly with anything you'd install yourself, inside your home...
So when is someone going to produce a reference design complete with TPG accepted TPM that costs only pennies as a hard core?
Having hundreds of startups all beating down the same security bush over and over again (ok, presuming they even care, as a startup they probably don't have time to care) is lunacy. If TSMC or SMIC popped out a bit of reasonably cheap silicon it may make penetration easier, or at least, one would have less of an excuse for failing security.
The root of the problem is that security isn't value add-- any more than door locks on a house are. You need the security because of the environment, but the product being sold isn't security (usually) but something else. A startup focuses on what is needed for their target market... thus having a strap on security reference design avoids hemorrhaging labor into something that isn't specific to whatever the startup is trying to do.