An FTC Forum on security and the Internet of Things showed industry doing its best to muddy the water when it comes to building secure products.
This was a big week for the Internet of Things (IoT) in Washington D.C., as the Federal Trade Commission (FTC) hosted its first ever workshop to discuss security and privacy issues created by the proliferation of IoT technology.
The workshop was an important step toward raising the profile of IoT and its impact on consumer privacy and safety. (The FTC had been forced to bow out of an earlier IoT conference in D.C. because of the government shutdown.) But it also exposed what are likely to become fault lines between an emergent IoT ‘lobby’ and the security and privacy advocates who would like to hold new and existing IoT technology to a higher standard.
Case in point was the FTC panel on Tuesday that addressed concerns about “connected homes.” The panel pitted security researchers like Craig Heffner, a vulnerability researcher with the firm Tactical Network Solutions, against Michael Beyerle, a marketing manager for GE Appliances. The crux of the dispute was whether new, Internet-enabled products used due care in protecting consumers. (Video)
Beyerle, like other executives from manufacturing firms, celebrated his company’s modern appliances, which were more like computers than household tools.
“Our engineers like to joke that our new refrigerators are just 72-inch computers that happen to keep your food cold,” he said. Beyerle assured the audience that connected appliances were safe and secure, observing that the software running on them was managed by GE and designed to keep appliances from functioning outside of approved ranges.
But Heffner raised cautionary flags. Speaking to the audience in Washington D.C., he said that his research on intelligent consumer devices has shown that they typically “don’t have any security, at least by industry standards.”
Backdoor administrative accounts are common, either created on purpose to make remote support easier or created during the development process and left in inadvertently once the product shipped. Heffner, who teaches a five-day course on hacking embedded systems, said attendees are astounded at how primitive the protections on most such devices are compared with more traditional computing endpoints like servers, laptops and desktops.
Connected devices for “smart homes” often fail to independently secure communications to and from the device. Too often, manufacturers assume that the consumer will have secured their home wireless network and that will protect their device from unauthorized access, Heffner said.
Moreover, security features and protections in IoT products vary greatly between product categories, said Jeff Hagens, the CEO of IoT platform vendor SmartThings.
“Regardless of connectivity, the level of security (in IoT products) is relevant to some perception of risk by manufacturer,” Hagens said. “Connected light bulbs have no security whatsoever, whereas connected door locks have lots of security. The question: ‘Is that OK from a consumer perspective that someone could drive by my house and hijack my lights?’“ he wondered.
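Heffner’s point about devices that lean on the home Wi-Fi and Hagens’ drive-by light bulb come down to the same design decision: does the device authenticate the commands it receives, or does it execute whatever reaches it on the LAN? The Python sketch below is an example added for this article, not code from GE, SmartThings or any other vendor at the workshop. It puts a “naive” bulb that trusts the network next to one that checks an HMAC-SHA256 tag with a per-device key and a counter, and replays the drive-by scenario against both. The per-device key, the pairing step that is assumed to provision it, and the messages are all constructed for the illustration. Note what the check does and does not buy: it stops forged, tampered and replayed commands even on an open network, but it does not encrypt anything, so data with privacy implications (the contents of that refrigerator) still wants a TLS session on top.

```python
"""Authenticated device commands that do not depend on the Wi-Fi being secure.

Added example for this article; not code from any vendor at the FTC workshop.
Messages and keys are constructed here for the demonstration.
"""
import hashlib
import hmac
import json
import secrets


class NaiveBulb:
    """Trusts the network: any packet that arrives is executed as a command."""

    def __init__(self):
        self.on = False

    def handle(self, raw: bytes) -> bool:
        try:
            self.on = bool(json.loads(raw)["on"])
        except (ValueError, KeyError, TypeError):
            return False
        return True


class AuthenticatedBulb:
    """Verifies an HMAC-SHA256 tag with a per-device key and rejects replays.

    Assumption: the key is provisioned once when the bulb is paired with the
    controller app, so the consumer never types it. That step is not shown.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.on = False
        self.last_counter = 0

    def handle(self, raw: bytes) -> bool:
        try:
            env = json.loads(raw)
            body = env["body"].encode()
            tag = bytes.fromhex(env["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return False  # not a well-formed signed envelope
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged with the wrong key, or tampered in transit
        cmd = json.loads(body)
        counter = cmd.get("counter", 0)
        if not isinstance(counter, int) or counter <= self.last_counter:
            return False  # replayed or reordered command
        self.last_counter = counter
        self.on = bool(cmd.get("on", False))
        return True


def sign_command(key: bytes, counter: int, on: bool) -> bytes:
    """Build the envelope a legitimate controller would send to the bulb."""
    body = json.dumps({"counter": counter, "on": on}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Run the drive-by scenario against both bulbs and return each outcome."""
    device_key = secrets.token_bytes(32)    # per-device key from pairing (assumption)
    attacker_key = secrets.token_bytes(32)  # attacker on the Wi-Fi has no such key
    naive, secure = NaiveBulb(), AuthenticatedBulb(device_key)

    drive_by = b'{"on": true}'  # constructed: unauthenticated packet from the street
    results = {"naive_accepts_drive_by": naive.handle(drive_by)}

    results["secure_rejects_drive_by"] = not secure.handle(drive_by)
    results["secure_rejects_wrong_key"] = not secure.handle(
        sign_command(attacker_key, 1, True))

    legit = sign_command(device_key, 1, True)
    results["secure_accepts_legit"] = secure.handle(legit) and secure.on
    results["secure_rejects_replay"] = not secure.handle(legit)

    # Attacker captures a valid envelope and flips the payload without re-signing.
    tampered = legit.replace(b"true", b"false")
    results["secure_rejects_tampered"] = not secure.handle(tampered)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry that `demo()` returns should be `True`: the naive bulb is hijacked by the first unauthenticated packet, while the authenticated bulb accepts exactly one legitimate command and refuses the unsigned, wrong-key, replayed and tampered variants.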
Presented with such concerns on the “connected home” panel and others at the FTC workshop, however, manufacturers too often had little of substance to say. A common response was to reiterate the conveniences of “intelligent” appliances. Beyerle invoked the image of a mom checking on the roast in the oven while she weeds her garden. On the question of security, the answer from industry was often “trust us,” or even “that’s the wrong question.”
For example, responding to a question about communications security for connected home appliances, Beyerle said that asking consumers to type in a 32-character string to set up encrypted communications would make refrigerators less consumer friendly. “We want to make it so consumers can use our devices,” he said.
And, on a panel looking at connected automobiles, Christopher Wolf of the tech industry-backed Future of Privacy Forum argued that the public safety advantages of connected vehicle technologies like crash avoidance, crash detection and geo-tracking simply outweighed security and privacy concerns.
But these arguments set up a false dichotomy. Experts like Heffner and Hagens aren’t saying that security should trump usability. Rather, they’re saying that manufacturers should make security and data privacy a priority in their product development process, one that coexists alongside usability and cool design.
Instead, companies are now driven by bottom-line concerns that often cause them to skimp on security during development, and on quality assurance for completed products, Heffner said.
Leaving it to the “court of public opinion” to decide isn’t really an option. Problems with insecure design and implementation are too sophisticated for technology-challenged consumers to grasp.
“How often,” Heffner asked the audience, “have you read a negative product review on Amazon.com based on a security vulnerability?”
What’s the solution? Heffner said the FTC’s recent action against home surveillance camera maker TRENDnet was a good start, but that more action is needed. “Going forward, we need to push vendors - give them some financial incentive or slap them on the wrist when they get it wrong,” he said.