Google, T-Mobile, Cisco and several other companies offered a plan this week to help boost the security of baby monitors, Wi-Fi routers, traffic lights, and the millions of other devices that make up Internet of Things (IoT).
The plan, published on Tuesday by the Broadband Internet Technical Advisory Group, argues for a major shift in the way device manufacturers approach security. They should be "restrictive instead of permissive," meaning instead of automatically allowing Internet traffic, in some cases without a password or firewall, IoT devices of the future should be inaccessible to inbound connections by default.
Only after a user configures the device's security options would it be able to send and receive Internet traffic. For connected home devices like thermostats and baby monitors, that setup would have the additional benefit of not relying on the protection of a single firewall located in the home's Wi-Fi router.
The advisory group, formed in 2010, counts several major cellular and cable providers among its members, in addition to device manufacturers and content companies like Disney. Besides arguing for more default security, its report also suggests strong encryption and automated software updates, two measures that security experts have been calling for in the wake of a massive DDoS attack that crippled much of the Internet's infrastructure last month.
The inevitability of software bugs makes it critical for the IoT industry to "design their devices and systems based on the assumption that new bugs and vulnerabilities will be discovered over time," the report suggests.
It's a similar argument to one offered by ARM, the company that makes many of the chips that power IoT devices. The company's CEO Simon Segars expressed concern last month over the lax security of many of the devices its customers build.
"The security is non-existent," he said. "I mean, scarily bad. You can see the Wi-Fi password going by in clear text. Lots of people are building products like that."