Developer liability, data proliferation at center of FTC report on IoT
Chris Rouland, founder and CEO, Bastille
The Federal Trade Commission (FTC) and Ofcom, the communications regulator in the UK, recently released reports on the Internet of Things (IoT). Both reports were void, probably intentionally so, of actionable advice, reinforcing the suspicions of many security professionals that we're still charting new territory with the IoT.
One key takeaway from the FTC report is its strong recommendation that IoT device manufacturers start producing devices with “security by design,” meaning that security must be considered at the outset of product development. However, somewhat contradicting this recommendation, the FTC openly questions whether device manufacturers actually have the security experience and expertise to ensure that products coming to market are safe. The FTC also cautions that many devices are inexpensive or “disposable,” essentially calling into question whether the threat assessment and internal productivity outweigh any reward from consistently patching new attack vectors each time one is discovered.
As you might suspect, billions of connected devices have increased the attack surface in organizations' networks exponentially. In fact, 2014 was referred to as “the year of the hack” by multiple news outlets. What many people don't know is that the Home Depot and Target breaches are actually the result of exploited IoT within the enterprise. Of course, there were also notable IoT breaches to consumer devices in 2014. German researchers, for example, were able to hack a smart meter to determine what TV shows people watch and hackers even heckled a toddler through a baby monitor.
One of the most critical discussion points left out of the FTC report, but highlighted by Ofcom, is the IoT communication infrastructure. IoT devices currently operate across a broad range of the radio frequency (RF) spectrum. While the report noted that spectrum availability would not be a barrier to the success of the IoT, it did raise the long-term viability of the available bands. The same holds true for network availability for all of the millions – potentially billions – of devices in our future. Simply put, enterprise security and detection for devices that operate on the wireless spectrum outside of Wi-Fi are non-existent, making corporations highly susceptible to increasingly sophisticated adversaries with tangible motives.
Perhaps the greatest lesson we have yet to learn is how to truly protect our data. As the IoT ushers in modern conveniences like not having to call our doctors to report pacemaker information, and gives us the ability to access enterprise control systems remotely – the real value lies with the adversaries residing in the networks of devices that collect and store user data like location and banking information, or that control things like a user's heartbeat or a home security system.
In a sense, IoT devices are really just a courier for data flow, allowing us to analyze trends and, ultimately, make more informed decisions about our lives and our businesses. In order for this to happen, however, we must not only agree to give up our data, but also allow it to be transmitted to our vendors – and potentially their vendors – so that in turn, we can access actionable insights into our performance. But, how much of our data should be up for grabs?
Data privacy was one of the most contentious issues addressed in the FTC's report, which correctly noted that device manufacturers are looking to harvest as much data as they can, seeing infinite possibilities for future product enhancements and offerings. However, the FTC warns that any accumulation of data only serves to make companies and consumers more attractive to criminals who want to misuse it.
The FTC recommends data limitation, meaning collecting only what is necessary and destroying data once it is no longer needed, in addition to plainspoken privacy statements and opt-in mechanisms that let consumers choose what they share. We encounter so many of these lengthy documents (averaging around 2,500 words) each year that we rarely have the time to read them, but as long as consumers are willing to give up everything in the name of convenience, as many millennials have proven they will, IoT device manufacturers will continue to collect all available information to profit from your patterns in the future.
The FTC report, in large part, is nothing more than a starting point for a debate on the IoT and the security concerns it creates. The truth is simply that none of us, including the FTC and Ofcom, fully know or understand the extent to which the unintended consequences of the IoT will rear their ugly head. But with billions of devices set to enter the market in the next 5 years, we're sure to find out soon.
Chris Rouland is a cybersecurity expert and entrepreneur, and founder and CEO of Bastille, the first company to detect and mitigate threats to the Internet of Things.