Naked Security

Should IoT vendors be told what to do by the government? [VIDEO]

Paul Ducklin discusses the thorny issue of whether to kick IoT vendors up the [redacted] to get them to admit that security matters.

Earlier this week we wrote about a law that the US Congress just proposed with the intriguing name of The Internet of Things (IoT) Cybersecurity Improvement Act.

It’s as though the US legislators have got together – this is a bipartisan Bill, backed by both sides – and said words to the effect of, “Far too many IoT vendors are taking the [ding] when it comes to security, so it’s time we gave them a kick up the [dong] to get their minds in gear.”

Even if you are generally an opponent of government intervention in IT and the internet, it’s hard not to have sympathy with that point of view.

Paul Ducklin talks you through the issues in this enjoyable short video:

(Can’t see the video directly above this line? Watch on Facebook instead.)

If you have any comments or questions, please leave them below for us to answer. (You may post anonymously.)


Paul Ducklin did an excellent job of explaining IoT security. Coming from the USA it is my hope that Congress has gotten this security floor correct. From Paul’s description it appears that they have.

Keep up the excellent reporting.


Thanks for your kind words! Even if the Bill doesn’t pass, just talking about it is a good start. As a conversation opener, going through the list of “minimal minima” should focus your listener’s mind on how woebegone IoT security is…heck, one of the things the Bill wants to insist on is that vendors actually admit vulnerabilities and bother to fix them.

(Imagine if Microsoft just shrugged off zero day exploits like it was 1999 – no one would stand for that, and anyway Microsoft wouldn’t do it. So why is IoT-land still in 1999? [*])

[*] Rhetorical question.


It’s a pity that to see the video you have to open yourself up to Facebook.
– their attitude to privacy (tracking etc.)
– danger of them being a monopoly platform
Is Sophos incapable of hosting video?


We have lots of readers who are happy Facebook users, and Facebook Live is a great tool for doing quick, live videos. (In the same way, Twitter is a great tool for microblogging – would you expect us to run our own microblogging platform instead, and then arrogantly expect all our readers and customers to use that when all their friends and colleagues are already on Twitter?)

You don’t have to login to Facebook to watch our videos – and if you clear your cookies after watching them, they won’t ever know if you come back, even anonymously – so I’m not sure why you are saying you have to “open yourself up to Facebook” to watch them. That seems like finding a problem that doesn’t exist.

As for Facebook “being a monopoly platform”, on another post, a commenter was urging us to switch to Google instead as a “better” alternative (by which he meant that FB was blocked by his company but YouTube wasn’t :-), so it’s a duopoly at least…


Two issues: first, the US government has a history of adding tidbits into sane bills. On face value, great idea but by the time this bill gets anywhere I have a feeling some loose language will be used for backdoors in the name of Homeland security. Secondly, the demand for tighter security should be the responsibility of the end user not the vendors. Reality is users hate 2 step verification. I mean for God’s sake look at the US new shiny credit cards with smart chips that forgo the second part of a pin for proper security use. Widely reported on how we are misusing the dam cards and no one cares because we have been told we are secure and can’t be bothered to request that the PIN option be enforced.


Seems a bit unfair to say that if users don’t tell the vendors what to do then no one else can. After all, it’s the vendors who are supposed to be the experts…

However, in this case you can treat Congress as if it were “the users”, representing the US public service.


Hi, I was trying to watch the video which played for about 30 seconds or so then cut out, I tried again and got a message saying I need to upgrade flash player? Is this an April Fools’ joke in August? Or has the video been hijacked by gremlins!!!!!


Like any Facebook video, there’s no need to have Flash. (I installed Flash to check the situation: whether I set Flash “never activate” or “always activate”, Flash was not used.)

If you *do* have Flash and you haven’t updated recently, then you ought to update it, so that warning could be perfectly genuine (you will get the warning sooner or later whether you watch a video or not).

Why not try uninstalling Flash and seeing what happens? There are very few sites that actually require it these days.

