Possible finalist for "Dumbest Thing to Put on the Internet" ...
But the stupid thing is we simply let it happen - it is part of the supply chain, and we continue to progressively and technologically grow and accept the invasion of such systems into our homes and organisations without thinking about it at all. Look at the effects of the latest Mirai bot and IoT preparations to exploit even more systems in 2019.
Are we plain stupid, or do we not care at all?
If anyone has read "Click Here to Kill Everybody" (https://www.schneier.com/books/click_here/)...
The silly thing is we simply just permit it to happen, and by the time we realise it, i.e. wake up to reality, they will be firmly embedded into most household items and possibly controlled by persons with malicious intent to do harm unto others.
HNY by the way
I agree, but this now branches into privacy, trust and security, and it is certainly about time a lot of people and organisations simply woke up and realised the implications - or certainly commenced writing a whole set of new security and privacy policies to provide direction and guidance.
Do we really need new anything, or do we need to ensure people apply the rules they should already be applying? That is, is there any real difference between an IoT-enabled world, a mobile-phone-enabled world, and a PC-enabled world, other than numbers? What I have seen from IoT hacks and issues are the same things we were fighting 20 years ago: change default passwords, turn off unused services, and authenticate connections. If every IoT device had these three things done, we would have a vastly safer world. There are people out there who will always push the boundaries and find ways around the simple steps, but it's statistical. If we can stop the script kiddies from being able to utilize the devices, we'll knock out 85-95% of the actors.
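The three baseline controls named in the post above (no default passwords, no unused services, authenticated connections) are easy to turn into an automated check. The following is an added example, not code from the thread or from any vendor: it audits a device configuration against those three controls and produces a hardened copy. The configuration layout, the `audit_device`/`harden_device` names, the default-credential list and the sample camera device are all constructed for illustration.

```python
import copy

# A small, constructed list of vendor defaults; a real audit would load a
# maintained list (this one is illustrative only).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("root", "12345"), ("user", "user"),
}


def audit_device(config, required_services):
    """Return a list of findings for the three baseline controls.

    config is a dict with "accounts" (username/password pairs) and
    "services" (name, port, enabled, auth_required); required_services is
    the set of service names the device actually needs to expose.
    """
    findings = []

    # Control 1: no account may still carry a known default credential.
    for account in config.get("accounts", []):
        pair = (account.get("username", ""), account.get("password", ""))
        if pair in KNOWN_DEFAULT_CREDENTIALS:
            findings.append(f"default credentials on account '{pair[0]}'")

    for svc in config.get("services", []):
        if not svc.get("enabled", False):
            continue  # disabled services expose nothing
        label = f"{svc['name']} (port {svc['port']})"
        # Control 2: anything enabled that the device does not need is surface.
        if svc["name"] not in required_services:
            findings.append(f"unused service enabled: {label}")
        # Control 3: every exposed service must authenticate its peers.
        if not svc.get("auth_required", False):
            findings.append(f"service without authentication: {label}")

    return findings


def harden_device(config, required_services):
    """Return a hardened copy: unused services disabled, authentication
    required on what remains, and default accounts flagged for a forced
    password change (a script cannot choose the new password for you)."""
    hardened = copy.deepcopy(config)
    for svc in hardened.get("services", []):
        if svc["name"] not in required_services:
            svc["enabled"] = False
        svc["auth_required"] = True
    for account in hardened.get("accounts", []):
        pair = (account.get("username", ""), account.get("password", ""))
        if pair in KNOWN_DEFAULT_CREDENTIALS:
            account["force_password_change"] = True
    return hardened


# Constructed sample: a camera shipped with factory settings.
SAMPLE_DEVICE = {
    "model": "example-camera",
    "accounts": [
        {"username": "admin", "password": "admin"},
        {"username": "operator", "password": "Tq7!vL2#pZ9w"},
    ],
    "services": [
        {"name": "http", "port": 80, "enabled": True, "auth_required": True},
        {"name": "telnet", "port": 23, "enabled": True, "auth_required": False},
        {"name": "rtsp", "port": 554, "enabled": True, "auth_required": False},
        {"name": "ssh", "port": 22, "enabled": False, "auth_required": True},
    ],
}
SAMPLE_REQUIRED = {"http", "rtsp"}


if __name__ == "__main__":
    for line in audit_device(SAMPLE_DEVICE, SAMPLE_REQUIRED):
        print("FINDING:", line)
    print("after hardening:",
          audit_device(harden_device(SAMPLE_DEVICE, SAMPLE_REQUIRED), SAMPLE_REQUIRED))
```

Note that the hardened copy still produces one finding: the script can disable telnet and force authentication on RTSP, but replacing the factory `admin`/`admin` credential needs a real provisioning step, which is exactly why "change default passwords" keeps being the control that is skipped.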
I believe the issue is not that we understand what should happen in the case of IoT. It comes down to the bare fact that it is far cheaper for a manufacturer to apply firmware attributes en masse on the production line, i.e. a web interface with default settings; digital certificates that are self-signed or have default settings; default passwords; default protocols, including many protocols specific to IoT devices that are still being defined, many of which have never been through engineering specification or any standards scrutiny at all.
As stated previously, look how cheap an ARM chip is these days per unit, and then look at their specifications, i.e. two 1-gigabit interfaces on board ready to go - sufficient to cause a DoS within a device or organisation, etc.
Although the issue has been known since 2012, with NIST producing bare-bones standards, this was plainly ignored, and only now in 2018/2019 are the implications being felt, with standards being endorsed for medical devices via the USA and UK; but this has previously never been enforced - it was simply allowed to run away.
There are many instances, as @rslade has indicated, including the famous London council which introduced Wi-Fi-enabled dustbins that had the capability to track and locate anyone with a mobile phone, until it was found out that the council was making money via advertising by selling the collected information - a breach of privacy, etc. We are producing smart buildings which use IoT devices, which bring operational cost savings in terms of monitoring and knowing when to call out the service engineer (JIT), etc.
What we are concerned with is the rate at which technology is being introduced without the full implications being realised, as to whether we should be applying controls at manufacturing time, etc. We are running into situations where it seemed to be a good idea until someone realises the implications, normally far too late, or it is too costly to apply, etc.
With the convergence of Privacy by Design and Security by Design being thrown at us, with GDPR and other Privacy issues - we simply carry on doing the same old thing again and again, without understanding the implications and the associated risks balanced against the benefits.
Who gains? We must apply good security design by default to each and every situation - which probably marks us as the bad guys in terms of an organisation, as they want to make clients happy, meet their every customized need, and keep them on board. However, we cannot stop or slow down progress; we have to be part of it and be the voice of sanity, ready to deal with some very interesting challenges, clearing up the mess when the full implications are realised, and by then it may be too far gone.
Increased legislation and the implications of privacy breaches, along with a whole host of APIs in 2019, will come to be top of mind for us. However, most organisations will be monitoring the wider economic downturn carefully and looking for increasingly innovative means of overcoming these issues whilst keeping the shareholders happy. As the old adage goes, if it costs 500K in whatever currency to put in resilience and safe controls vs 30 million cleaning up, I know which one I would prefer.
But once again, the human condition: we must feel the pain before something is done about it - often too late.