FTC recommends manufacturers need to do more to protect IoT devices

Recognizing the proliferation of IoT-connected devices, the federal agency issued a paper last month on the Consumer Product Safety Commission’s (CPSC) Notice of Public Hearing and Request for Written Comments (RFC) on The Internet of Things and Consumer Product Hazards.

While highlighting the benefits of IoT for everything from light bulbs and smart TVs to wearable fitness trackers, medical devices, and connected cars, the FTC also says that data integrity could be breached in IoT devices, presenting a hazard for consumers.

To address this, it suggests companies that manufacture and sell IoT devices must take reasonable steps to secure them from unauthorized access. Poorly secured IoT devices create opportunities for attackers to assume device control, opening up risks that may include safety hazards. It cites examples such as the Mirai botnet used by hackers — comprised of IoT devices, such as IP cameras and routers, infected with malicious software — to engage in a distributed denial of service (DDoS) attack on unprotected residential building management systems in Finland. By blocking Internet access, hackers sent these connected management systems into an endless cycle of rebooting, leaving apartment residents with no central heating in the middle of winter.

It adds that a company setting up a program to address security risks on its IoT device should take measures to secure that device from hackers, for both privacy and safety issues. Its recommendations to the CPSC focus on three high-level requirements:

1. Ensuring best practices for predicting and mitigating security hazards
2. Developing processes for encouraging consumers to register for safety alerts and recall information, including vulnerability disclosure
3. Understanding the evolving role of government in IoT security
   
   

In its guidance on best practices to predict and mitigate against safety hazards, the FTC says a company must evaluate its security program as part of its risk assessment, both at the device level and the interface with the cloud. Companies also have a duty to test a product’s security measures before launch. This is predicated on a company’s understanding of security, and its willingness to utilize third-party experts while they are still learning.

This is a case of “unknown unknowns” for many organizations, where they simply have no knowledge of what they don’t know, and therefore, may suffer significant issues through ignorance of the threats they will face. However, ignorance of a law is no defence in court, and organizations have to quickly come to terms with their responsibilities in our uber-connected world.

The paper adds that while security protections are generally the responsibility of the manufacturer, IoT devices often are a product of components and software from a variety of service providers.  Prior to selling their products to consumers, IoT device manufacturers should therefore take reasonable measures to evaluate the overall security of those products, including any risks that their service providers might introduce. Companies should provide oversight and leadership by exercising due diligence in their selection of service providers, incorporating security standards into their contracts, and taking reasonable steps to verify compliance with those evolving security standards on an ongoing basis. The issue, as previously outlined, is how organizations verify that they are following best practice guidelines.

The FTC also recommends that companies must implement ongoing processes to keep up with security practices as threats, safety hazards, technologies, and business models evolve.  This includes companies taking reasonable steps to address threats to privacy, security and safety after launching products, including by issuing updates and patches. In a study of mobile security updates that the FTC carried out, it found that the security update process varies significantly among mobile device manufacturers, and although they have made improvements, bottlenecks remain. Hence, it stresses all actors in the ecosystem ensure that devices receive security updates for a period of time that is consistent with consumers’ reasonable expectations.

These recommendations highlight the importance of taking a holistic approach to security and building in a supply chain of trust right from the beginning of new product development. Security can no longer be an afterthought, and security (or lack of it) now transitions to an existential threat to every company, elevating it to the C-suite dashboard of high-ranking discussions. All CEOs must understand the impact of security — both the threats and the opportunities forthcoming — to their company.  Products must be developed with unique identities and confidentiality integrated into their DNA. Organizations must have a way of supporting products across their entire lifecycles, delivering secure updates to integrators and users, and informing them of vulnerabilities far beyond the traditional end-of-life point. Plus, in the centre of this maelstrom of new requirements is the need to protect brand value and expensive research dollars embodied in the intellectual property, requiring a robust yet trusted supply chain.

With federal agencies recognizing the need to protect consumers from the risks and potential hazards of IoT-connected devices, security does indeed need to be considered right from development and manufacturing as well as all the way through the lifecycle of a product. The question now sits with the industry on how to respond.

Haydn Povey, Chief Strategy Officer, IAR Systems is working with an ecosystem of silicon vendors, to develop the tools required to meet the challenges of these new security demands, and provide the trusted frameworks for a supply chain of trust. Haydn is also on the Executive Steering Board of the IoT Security Foundation.