My casual quick read did not see any manufacturers being held liable for security breaches.
Liability as security panacea keeps coming up here. It's kind of ridiculous imo.
Electrical components, for example, aren't made safe by liability but by standards. And given there's no set way anyone knows how to manufacture secure components, it's hard to come up with a "you should have known" standard for liability.
Liability guidance is effective at being clear about who needs to pay for security. An example of where this is effective is the rollout of chip-and-pin credit cards. Only when retailers became liable for forgery due to the "weakest link" liability clause put forward by Mastercard and Visa did they become motivated to deploy card terminals that could do chip-and-pin. And fraud has been significantly reduced as a result[1].
> Electrical components, for example, aren't made safe by liability but by standards.
The NFPA and NEC were created by insurance companies, the standards exist because of the liability. UL stands for Underwriters Laboratory, underwriters being the people who write insurance policies (to transfer risk aka liability).
I.e., just liability isn't sufficient. Regulations were created to avoid a situation of liability because "raw liability" doesn't work.
The thing is, electrical regulations are not regulations merely on manufacturers, indeed, they only require particular, simple components. They are mainly for the users of electrical components, builders and the electrician they employ.
The constant whine here at HN is that software companies are held liable for their insecure applications. The problem is that the security isn't primarily about buying secure components. It's about having secure practices in place.
For "critical infrastructure", things like "don't connect shit that doesn't need connecting" and "build from source, don't download anonymous binary blobs" are standards that should be on the end-user, just for example.
Why do you believe component and product quality and liability doesn't involve ongoing manufacturing process best practices and recalls?
IoT and software isn’t special. It’s just getting a free pass because the vendors and solution providers want to dodge the responsibility for as long as they can.
> Why do you believe component and product quality and liability doesn't involve ongoing manufacturing process best practices and recalls?
Maybe I'm not saying it well. But my point is that until someone defines an overall use context, calling a given thing "unsafe" is futile. In an intranet not connected to the outside, an IP camera with no security at all is fine.
Without "customer classes" defined, without security use cases defined, and so forth, of course manufacturers will produce anything they want, and why shouldn't they? The implicit standards of security now are the wild, wild west.
The original situation is IP cameras and other devices sold with pathetic security. Sure, it seems intuitively obvious that "these people were doing it wrong and ought to pay". But you can't really do that because there are reasonable situations where these devices are reasonable.
I.e., manufacturer responsibility can't exist, can't be pinned down, until standards exist.
> anyone knows how to manufacture secure components
I know how to manufacture components that cannot have their firmware updated by malicious code. Put a hardware switch on the "write enable" line for the ROMs. Like people used to do.
Then malware won't survive the "reboot" switch.
The next step is to add a hardware timer that does a hard reboot once a day (or more often for critical stuff).
I don't know why security professionals with clout don't demand this. I would.
There's something wrong with "we need to be able to remotely update the ROMs to protect the ROMs from remote updates."
> trained operator
I'm not sure that flipping an "enable updates" switch requires training.
> reinfected five minutes after they reboot
Scenario A: malware installs itself in device ROM. You remove malware, the ROM code reinfects the system. You have no idea if the device is compromised or not. Your only choice is to buy all new components.
Scenario B: malware keeps reinfecting system 5 minutes after reboot. You remove the malware. Reboot. Your system is clean.
> Scenario B: malware keeps reinfecting system 5 minutes after reboot. You remove the malware. Reboot. Your system is clean.
... for about 5 minutes.
This is very close to what happened with the Slammer worm.[0] It was in-memory only, spread like wildfire, and any unpatched systems were infected within minutes.
There will always, always be entrepreneurs who gamble that they won't get caught, or that they as individuals can cash out early and end up money ahead even if the company gets caught and goes down in flames.