Sigfox leads with its chin on security for internet-connected things
'Imagineer's declaration' betrays industry-wide apathy
Comment

French Internet of Things bods Sigfox have published a “Universal Declaration of IoT Rights”, which, as well as being a bit awful, sheds light on a wider boredom with proper security.
Hopefully published tongue-in-cheek, the declaration was written by Sigfox’s “vice president imagineering” (not a typo), opening: “We have a vision that one day, everything around us will have a 'voice' through IoT connectivity.”
It gets a little Asimov-ish after this.
Article 1 – All connected objects are created equal in dignity and rights. They are endowed with connectivity and should act towards the Internet in a spirit of brotherhood.
Article 2 – Every connected object is entitled to all the rights and freedom set forth in this declaration without distinction of any kind. Furthermore, no distinction shall be made on the basis of the technology choice of their inceptors, of the country or territory where they are deployed, or whether the deployment be peer-to-peer, LAN, WAN or LPWA.
Article 3 – Every connected object has the right to security.
Article 4 – No connected object shall be subjected to hacking or to damaging treatment or tampering.
Article 5 – No connected object shall be subjected to arbitrary attacks or denial of service.
Article 6 – No connected object shall be subjected to arbitrary interferences with its operation. Every connected object has the right to protection against such interference or attacks.
“Our vision could be perceived as utopian,” a mildly self-aware Raoul Mallart tacked onto the end of the post, adding: “It is our hope that this bold declaration will set a direction and an achievable goal for the IoT ecosystem.”
Back in the real world, where the Mirai botnet turned millions of internet-connected IoT devices into a rampaging botnet army which knocked out Dyn DNS last year, and where the same nasty is now out in the wild and being used with carefree abandon against ISPs, we have a serious problem. No amount of paraphrasing of The Three Laws is going to make an appreciable difference to IoT security.
While end users can’t be bothered to update their IoT devices and wannabe regulators are – seriously – proposing to address the glaring IoT security problem with stickers, sensible efforts like the GSMA’s security recommendations are being drowned out almost completely.
For sure, Sigfox’s “declaration of IoT rights” is not exactly a substantial manifesto, and nobody’s pretending otherwise. Yet phrases like “Sigfox-Ready objects are protected and cannot be hacked from Internet” – lower down in the blog – are what we in the UK call “leading with your chin”: if that isn’t an open invitation for some miscreant to go and prove Sigfox wrong by hacking one of its networks, what is?
Whimsical posts like this one – and Sigfox isn't alone here – betray a wider industry attitude towards IoT security that can seemingly be summed up as follows: "Meh". ®