On Sun, Aug 13, 2017 at 10:57 AM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
I think we are sleepwalking into a similar disaster with IoT. Right now, the message Congress is getting is that the biggest priority in IoT is to force devices to accept software updates.Well no it is not. Software updates are only going to make things worse if you don't do it securely. The update mechanism provides the attacker with a vector to own the machine entirely unless you authenticate. Do you think the IoT folk do that right?
OK so there is a bill now and it does address authentication. Which is good.