It’s a start…but not enough.
Agreed. It’s a good start, in theory.
I’m sorry, but the cynic in me is a bit concerned. One problem is that if your goal is 100% security, the only solution is a system which no one can access. Ever. There’s a real risk that the standards they come up with will be overkill.
Another issue is the make-up of the committee. If it’s filled by employees of the big IoT corporations, their goals may not align with the DIY community. If I were a manufacturer, I’d want 100% control of the devices, to reduce my support costs and the risk of hobbyists using my equipment in an “unsecure” way and giving my company a bad name. So, there would be no open APIs or local control options. Oh, and I’d use a subscription model for my pricing.
Not really the direction we want for this industry.
Agree. I was being kind with my assessment. I want 100% local control and the ability to inspect the firmware before I trust a consortium of big tech telling me they have approved devices that meet their security standards.
Posting this before anyone else does:
Agreed 100%. How many times have manufucturers (intentional typo) used this excuse to shut down their open APIs and to charge subscriptions just to access the devices you already paid for?
All that needs to be done to keep things secure is to not rely solely on cloud-based connections and to actually keep the IoT devices’ firmware updated with security patches, as well as people not reusing passwords for many services without MFA enabled. It’s not rocket science.
I’ve done pcap on local-only IoT devices and found some nefarious stuff like phoning home encrypted info to foreign servers. So, local-only is not necessarily the answer. I had to create a firewall rule to block those devices.