> But Kennedy's biggest concern at the moment is in the area of automotive safety<p>No doubt. I was pricing out a Mercedes online, and looking through the summary one of the standard features was "over-the-air updates". That is the last thing in the world I want. An expensive car shouldn't be acting like an Android phone. It shouldn't be connected to the internet at all.<p>If it's updating anything other than the entertainment system, then they're <i>completely</i> nuts. Get the internet out of my car, I already have a phone for that.
I don't think they can be trusted to be either secure or reliable or even supported. Any of them could be remotely disabled at any time as the parent company goes out of business.<p>On the other hand, at the moment they're mostly in frivolous devices. As they become ubiquitous this is going to demand EU-level intervention, just like the existing WEEE directive against lockout chips on printer cartridges.<p>Americans will be stuck with <i>caveat emptor</i> levels of consumer protection.
IoT devices use standard, commonly available boards and chips, which are meant for widely varied applications, so offer wifi/Internet connectivity easily. So companies can add that "feature" painlessly by applying a snippet of (usually OSS) code. And collecting all the customer data they can is a bonus. No penalty for zero security, major upside if they sell it.<p>This is dangerous to all of us, even if you don't own any IoT devices.
Zero Trust. This is a basic network security tenet that was first introduced in 2010: <a href="https://www.darkreading.com/attacks-breaches/forrester-pushes-zero-trust-model-for-security/d/d-id/1134373" rel="nofollow">https://www.darkreading.com/attacks-breaches/forrester-pushe...</a>
We need something like this:<p><a href="https://foundation.mozilla.org/en/privacynotincluded/" rel="nofollow">https://foundation.mozilla.org/en/privacynotincluded/</a><p>expanded to every type of IoT. Imagine a kind of mandatory labelling for any device with data-capture and/or telemetry capabilities.
I think the clear answer to this is "no" on a couple of different levels. I don't think it's safe to trust that the actual communications are properly secured, and I don't think it's safe to trust the companies that these devices report to.
Betteridge's law of headlines strikes again: <a href="https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headlines" rel="nofollow">https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headline...</a>
Every time I try to buy some device that is LAN only and doesn't talk to the net, ever, I usually find zero options or a few crappy, expensive choices. Why anyone would install a camera that then talks to some corporation's cloud is beyond me, I have zero interest in that.
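The "LAN only, never talks to the net" property asked for above can be verified from the router side instead of taken on a vendor's word. The following is an added example, not code from anyone in this thread: it audits flow records exported from a gateway and lists every host on the IoT subnet that reached a non-LAN address. The log format (key=value), the subnet 192.168.50.0/24 and the sample flows are all constructed for the example.

```python
"""Audit an IoT subnet for hosts that talk to anything outside the LAN.

Added example, not from the original thread. Flow records below are
constructed in a hypothetical key=value format; a real run would read
lines exported from the router's conntrack/netflow logging instead.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed layout (hypothetical): untrusted devices sit on one VLAN.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
# Destinations counted as "on the LAN": the site's private ranges.
LAN_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]
# 224.0.0.0/24 is the link-local multicast block (mDNS, SSDP announcements).
LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample: a camera that phones home, a thermostat that does not,
# a host outside the IoT subnet (ignored), and one unparsable line (skipped).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=192.168.50.12 dst=192.168.50.1 dport=53 proto=udp bytes=92
2024-05-01T10:00:02Z src=192.168.50.12 dst=224.0.0.251 dport=5353 proto=udp bytes=140
2024-05-01T10:00:03Z src=192.168.50.12 dst=203.0.113.45 dport=443 proto=tcp bytes=51234
2024-05-01T10:00:04Z src=192.168.50.20 dst=192.168.50.1 dport=53 proto=udp bytes=88
2024-05-01T10:00:05Z src=192.168.50.20 dst=192.168.50.5 dport=1883 proto=tcp bytes=412
2024-05-01T10:00:06Z src=192.168.1.30 dst=198.51.100.7 dport=443 proto=tcp bytes=9000
this line is garbage and must be skipped
"""

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_flow(line):
    """Return (src, dst, dport) for a well-formed record, else None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)),
                ipaddress.ip_address(m.group(2)),
                int(m.group(3)))
    except ValueError:  # malformed address
        return None


def is_lan_destination(dst):
    """True if dst stays on the local network (private range, loopback,
    link-local, or link-local multicast such as mDNS)."""
    if isinstance(dst, str):
        dst = ipaddress.ip_address(dst)
    if dst.is_loopback or dst.is_link_local:
        return True
    if dst.is_multicast:
        return dst in LOCAL_MCAST
    return any(dst in net for net in LAN_NETS)


def iot_flows(flow_text):
    """Yield parsed flows whose source lies on the IoT subnet."""
    for line in flow_text.splitlines():
        parsed = parse_flow(line)
        if parsed is not None and parsed[0] in IOT_NET:
            yield parsed


def egress_report(flow_text):
    """Map each IoT host that left the LAN to its sorted 'dst:port' list."""
    external = defaultdict(set)
    for src, dst, dport in iot_flows(flow_text):
        if not is_lan_destination(dst):
            external[str(src)].add(f"{dst}:{dport}")
    return {host: sorted(dsts) for host, dsts in external.items()}


def lan_only_hosts(flow_text):
    """Sorted list of IoT hosts that never reached a non-LAN address."""
    seen = {str(src) for src, _, _ in iot_flows(flow_text)}
    return sorted(seen - set(egress_report(flow_text)))


if __name__ == "__main__":
    for host, dsts in egress_report(SAMPLE_FLOWS).items():
        print(f"{host} talks off-LAN to: {', '.join(dsts)}")
    print("LAN-only hosts:", ", ".join(lan_only_hosts(SAMPLE_FLOWS)))
```

A camera that only needs to be reachable from the phone on the same network should end up in the LAN-only list; anything that shows up in the egress report is a device whose cloud dependency the vendor did not make obvious, and a candidate for a deny rule on the IoT VLAN's WAN egress.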