have been linked to a significant share of the hacked devices.
The big question is what should happen next to make these devices, and the Internet, a safer, more secure place. And who can do it? Is this something for the private sector, a government, or some certified outside agency? The primary options at this time are limited, and only theoretical for now.
Name and shame – Lists like those posted on Krebsonsecurity could help highlight the issue and push companies to self-regulate so as not to damage their reputation. Prior to the Mirai attack, popular awareness of IoT security issues was close to zilch.
Legal action – Entities such as Dyn or Krebsonsecurity could launch a class-action suit against the manufacturers of insecure devices for the losses their businesses have endured during a DDoS attack. If you can sue a car company for faulty ignition switches or airbags, what about a company that makes loose-cannon devices that can fire away at anyone on the Internet?
Government enforcement – The European Commission is reportedly working on the requirements needed to boost the security of IoT devices. This could result in a security label, something like the energy efficiency labels on refrigerators.
Independent agency – One option would be for an independent testing or certification agency to step in and issue a security rating for IoT devices. This could function like the Good Housekeeping seal for American households or the German ADAC crash test for motorists.
Just think about it: a less-than-four-star ADAC crash rating can really crimp a car's initial sales and even its resale value.
In terms of time and political feasibility, I would put government enforcement at the bottom of the list. In addition, legal action might only work in the United States. A name-and-shame tactic, where companies are "outed" because of the security weaknesses of their products, is the best option so far. So before you buy your next device, take a look at Krebs's list.
According to a Yahoo article, the first company has manned up and taken its social responsibility in regard to the attack against Dyn: it is recalling millions of products sold in the U.S. before 2015. Hangzhou Xiongmai Technology, a manufacturer of web-connected cameras and digital recorders, told Yahoo that products sold after that date had been patched and no longer constitute a danger.