Internet of Things (IoT) security experts from Tripwire and Rubicon Labs reacted this afternoon to news of today’s US Senate introduction of the IoT Cybersecurity Improvement Act of 2017.
Craig Young, Security Researcher with Portland, Oregon-based Tripwire, who has done extensive research of smart homes and a variety of consumer IoT devices, commented below.
Craig Young, Security Researcher at Tripwire:
“It is also critical to protect researchers. I have personally had a wide range of experiences when disclosing vulnerabilities. Sometimes vendors respond with bounty payment and gratitude, while other times they have responded with threatening legal language. Some bug bounty programs also provide too much leeway for vendors to ignore valid security research while simultaneously using terms of service to prevent researchers from disclosing issues when vendors will not fix the issues. (This can be the case even when bounties are not paid.)”
Rod Schultz, Chief Product Officer at Rubicon Labs:
“Reduced functionality does not equate to reduced capability for digital destruction. It’s far too easy to release digital products that have security vulnerabilities, because there is no time to test and fix; the incentive to release products quickly is driven by time to market and profit requirements.
The security failures of many of these compromised IoT devices can rapidly escalate in scale and reach, having a major impact on critical infrastructure. If IoT security is not addressed appropriately by vendors it should not come as a surprise that legislation is proposed to fill that void.”