> > Yes, I agree it's possible to do better, but what's the incentive for
> > a bottom-feeding vendor of cheap devices to bother?
> >
> > I hate to say this, but how about legal solutions?
My reading of the tea leaves: either the industry creates its own certification plan, or the regulators will do it for us. Here is a data point: https://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/

In the US, both the FCC and FTC are showing keen interest. I'd rather the industry get there first.

And, BTW, it's also been suggested that devices list their "end of life" date when they're sold, after which no updates may be provided, and a remotely-triggered "kill switch" may be used if a bad vulnerability is discovered after that date.

Another recommendation is that default passwords be unique per device, not easily determined from MAC address, firmware revision, etc., and be changeable.

That is, it's not just about upgradability. It is also passwords, encryption, and the messaging/promises/guarantees that are made. Just like cars now have seatbelts, front and side airbags, crumple zones, and lemon laws.

There are a number of industry whitepapers coming out on this topic, and conferences/meetings being held. It's all the rage right now.

Barbara

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
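The per-device default password and "end of life" date recommendations above can be made concrete at the vendor's provisioning step. The following Python is an added example, not code from the post or from any vendor; `weak_default_password`, `looks_derived_from_mac`, `strong_default_password`, `provision` and the sample MAC addresses are all hypothetical/constructed. It contrasts a MAC-derived default (recoverable by anyone who sees the label or the MAC on the LAN) with a CSPRNG-generated one, stores only a salted hash in the vendor's record, and gates update eligibility on the sold-with end-of-life date.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import date

ALPHABET = string.ascii_letters + string.digits


def weak_default_password(mac: str) -> str:
    """Hypothetical weak scheme: the default is the last six hex digits of
    the MAC. Anyone who reads the label or sees the MAC on the LAN can
    reconstruct it, which is exactly what the recommendation warns against."""
    return mac.replace(":", "").upper()[-6:]


def looks_derived_from_mac(password: str, mac: str) -> bool:
    """Provisioning-time check: flag a candidate password that embeds any
    four-hex-digit run of the device's own MAC address."""
    flat = mac.replace(":", "").lower()
    pw = password.lower()
    return any(flat[i:i + 4] in pw for i in range(len(flat) - 3))


def strong_default_password(mac: str, length: int = 12) -> str:
    """CSPRNG-generated per device, unrelated to MAC or firmware revision.
    Regenerate in the (astronomically rare) case the random string happens
    to contain a fragment of the MAC."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not looks_derived_from_mac(candidate, mac):
            return candidate


def hash_password(password: str, salt_hex: str) -> str:
    # PBKDF2-HMAC-SHA256 from the standard library; a real deployment would
    # choose its iteration count deliberately or use argon2/scrypt.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    ).hex()


@dataclass
class DeviceRecord:
    mac: str
    password_hash: str  # only the salted hash is kept in the vendor database
    salt: str
    end_of_life: date   # the date printed on the box at sale time

    def updates_permitted(self, today_iso: str) -> bool:
        """No updates are promised after the advertised end-of-life date."""
        return date.fromisoformat(today_iso) <= self.end_of_life


def provision(macs, end_of_life_iso: str):
    """Return (records, label_passwords). The plaintext password goes to the
    printed label only; the record holds just the hash and salt."""
    eol = date.fromisoformat(end_of_life_iso)
    records, labels = {}, {}
    for mac in macs:
        pw = strong_default_password(mac)
        salt = secrets.token_hex(16)
        records[mac] = DeviceRecord(mac, hash_password(pw, salt), salt, eol)
        labels[mac] = pw
    return records, labels


def all_unique(passwords) -> bool:
    """Batch check: no two devices in the run share a default password."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


# Constructed sample batch; these are not real devices.
SAMPLE_MACS = ["00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:aa:bb:cc"]

if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        weak = weak_default_password(mac)
        print(mac, "weak default:", weak, "derived from MAC:",
              looks_derived_from_mac(weak, mac))
    recs, labels = provision(SAMPLE_MACS, "2020-12-31")
    print("unique:", all_unique(labels.values()))
    print("updates on 2021-01-01:", recs[SAMPLE_MACS[0]].updates_permitted("2021-01-01"))
```

The point of `looks_derived_from_mac` is not that a MAC fragment is the only way a default can be predictable; it is a cheap guard against the most common shortcut, and it is the kind of property a certification scheme can test mechanically across a sample of devices.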