On this just-released episode of the O’Reilly Radar podcast (MP3), I talk about EFF’s lawsuit against the US government to invalidate Section 1201 of the DMCA, a lawsuit that, if successful, will make it legal to break DRM in order to fix security vulnerabilities in Internet of Things devices. Today, those devices are almost invariably insecure, and are also designed to be as privacy-invading as possible (to create “monetizable” data-streams) — a brutal combo.
Auditing IoT products is a liability for security researchers
Think about the conditions under which IoT companies operate. Their business plan—the thing they show to VCs to get the money to go into the business—is to monetize data. They’re all designed with security as an afterthought. They’re all designed with the minimum viable security to make this product not immediately burst into flames after you put it inside your body or put your body inside of it. Even worse, security researchers face total, brutal liability for investigating these devices and telling people which ones are and aren’t safe. It is completely nightmarish.
New pro-security business models
Note: The Electronic Frontier Foundation is representing Bunnie Huang and Matthew Green in a case challenging the constitutionality of Section 1201 of the DMCA.
One of the things that our DMCA lawsuit would provide for is a pro-security business model. Imagine if you could start a commercial consultancy that would come in and deworm your IoT household. It could come in and jailbreak all the devices and check their firmware loads, and replace the firmware loads with open firmware or patched firmware, or something else that sits in between. All of those things, all that commercial stuff as well, is currently off-limits, and would be available in the same way that you can enable third-party parts and services if there are no legal impediments. The hardware service and support market in the U.S. for all classes of goods, from lawnmowers to cars to air conditioners to computers, is 2 to 4% of America’s GDP. It’s a gigantic multi-billion-dollar sector, and in many cases, these are small and medium-size enterprises.