Sigfox leads with its chin on security for internet-connected things

'Imagineer's declaration' betrays industry-wide apathy

Comment French Internet of Things bods Sigfox have published a “Universal Declaration of IoT Rights”, which, as well as being a bit awful, sheds light on a wider boredom with proper security.

Hopefully published tongue-in-cheek, the declaration was written by Sigfox’s “vice president imagineering” (not a typo), opening: “We have a vision that one day, everything around us will have a 'voice' through IoT connectivity.”

It gets a little Asimov-ish after this.

Article 1 – All connected objects are created equal in dignity and rights. They are endowed with connectivity and should act towards the Internet in a spirit of brotherhood.

Article 2 – Every connected object is entitled to all the rights and freedom set forth in this declaration without distinction of any kind. Furthermore, no distinction shall be made on the basis of the technology choice of their inceptors, of the country or territory where they are deployed, or whether the deployment be peer-to-peer, LAN, WAN or LPWA.

Article 3 – Every connected object has the right to security.

Article 4 – No connected object shall be subjected to hacking or to damaging treatment or tampering.

Article 5 – No connected object shall be subjected to arbitrary attacks or denial of service.

Article 6 – No connected object shall be subjected to arbitrary interferences with its operation. Every connected object has the right to protection against such interference or attacks.

“Our vision could be perceived as utopian,” a mildly self-aware Raoul Mallart tacked onto the end of the post, adding: “It is our hope that this bold declaration will set a direction and an achievable goal for the IoT ecosystem.”

Back in the real world, where the Mirai botnet turned millions of internet-connected devices into a rampaging army which knocked out Dyn DNS last year, and where the same nasty is now out in the wild and being used with carefree abandon against ISPs, we have a serious problem. No amount of paraphrasing of The Three Laws is going to make an appreciable difference to IoT security.

While end users can’t be bothered to update their IoT devices and wannabe regulators are – seriously – proposing to address the glaring IoT security problem with stickers, sensible efforts like the GSMA’s security recommendations are being drowned out almost completely.

For sure, Sigfox’s “declaration of IoT rights” is not exactly a substantial manifesto, and nobody’s pretending otherwise. Yet phrases like “Sigfox-Ready objects are protected and cannot be hacked from Internet” – lower down in the blog – are what we in the UK call “leading with your chin”: if that isn’t an open invitation for some miscreant to go and prove Sigfox wrong by hacking one of its networks, what is?

Whimsical posts like this one – and Sigfox isn't alone here – betray a wider industry attitude towards IoT security that can seemingly be summed up as follows: "Meh". ®

Biting the hand that feeds IT © 1998–2017
