Home Mobile IoT Is A Security Mess And Regulators Are Paying Attention

IoT Is A Security Mess And Regulators Are Paying Attention

SHARE:

bewarethetoasteriotThe internet of things will be a top enforcement priority for the Federal Trade Commission and the Federal Communications Commission in 2017 – especially in the wake of the recent distributed-denial-of-service attacks against Dyn.

Dyn, which provides online infrastructure and domain services, was the victim of a DDOS onslaught that temporarily shut down major websites like Spotify, Twitter and The New York Times, disrupting ad delivery, obstructing publisher traffic, messing with reporting and causing revenue declines.

Hackers gained access through a massive IoT botnet.

The internet of things is a lot for the regulatory bodies to police – everything from washing machines, thermostats, refrigerators and doorbells to baby monitors, smart TVs and Xboxes.

The estimates vary, but most sources agree that somewhere between 6 billion and 12 billion devices are already connected to the internet, a number Cisco predicts will reach 50 billion by 2020.

“As we see the rise of mobile and the internet of things, we’re seeing a multiplicity of actors in the ecosystem,” said Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, speaking at an International Association of Privacy Professionals event in Washington, DC, on Wednesday.

“There’s going to be a lot of questions about the liability of these various actors,” Mithal said.

While the FTC’s concern is mainly about deceptive practices and consumer data privacy, the FCC is more focused on security protocol for IoT devices, which are notoriously slack on that front.

Security professionals have a quippy name for the IoT: the “internet of insecure things.”

In a Dec. 2 letter to Sen. Mark Warner (D-Va.) from FCC Chairman Tom Wheeler, the latter highlighted the cybersecurity threat created by connected things.

Wheeler laid out the FCC’s plans for IoT cybersecurity risk reduction, including collaborative efforts with key internet stakeholder groups, increased intra-agency cooperation and the potential for regulatory solutions to fill in whatever gaps private-market ISPs aren’t able to address on their own.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Of course, Wheeler is more than likely a lame-duck FCC chief. He acknowledged that the commission has had to postpone some of its work in light of the impending change in administrations, but “addressing IoT threats remains a national imperative and should not be stalled by the normal transition of a new president,” he wrote.

Future enforcers urgently need to address the lack of security in IoT devices, said FCC enforcement chief Travis LeBlanc, a Wheeler appointee also likely to move on after President-elect Trump is sworn in.

The next generation of IoT devices will probably have better security and privacy protection baked in, but there will still be billions of insecure devices out there from before – devices like smart doorbells, with longer life cycles than mobile phones – which are easy pickings for hackers looking to gain entry to a network, LeBlanc said.

And in toto the data that can be pulled from ubiquitous sensors is also far more comprehensive and personal than what can be obtained from online browsing behavior.

“It’s true that you can track everywhere someone goes on the web, but with IoT you can track where someone works, what food they eat, how long they exercise for, how much electricity they consume,” said Heather Zachary, a partner at law firm WilmerHale. “It’s a full picture of your entire life and that’s only going to become more the case.”

In a now-seminal report from 2012, the FTC laid out a series of core precepts to help protect consumer privacy in what the commission referred to as “an era of rapid change.”

Basic rules of thumb include privacy by design, the notion of building privacy protection into your product or service at the beginning during the development process, providing notice and choice and being transparent about what data you’re collecting, how you’re using it and who you’re sharing it with.

But in all likelihood, consumers are unaware of the data streaming out of their IoT devices and into the ecosystem, which makes providing notice and choice essential and a tricky thing to accomplish. What’s the process for consumers to opt in to data collection from their washing machines? There’s no clear precedent.

“It’s a lot harder to comply with those foundational privacy principles on these connected devices,” Zachary said. “Your Fitbit does have a tiny screen, but you can’t get a privacy policy onto that and many devices have no screen whatsoever.”

The FTC provided some guidance in a report on IoT privacy in 2015, with a few creative suggestions for how to handle notice and choice, including QR codes that take users to a site where they can opt in online, an opt-in screen during the initial setup process on another device or a video tutorial.

But it’s been almost two years since the report came out and companies are still grappling with how to provide notice and choice in a way that’s clear, contextual and prominent enough that the consumer will see it.

Opt-ins aside, however, cybersecurity issues loom.

In 2014, the FTC brought its first case against an IoT company called TRENDnet, which sells connected video cameras. A security breach in 2012 allowed hackers to take control of live video stream from people’s homes which were then posted online. The FTC was able to nail TRENDnet for falsely advertising that it could safely transfer video over the internet.

“There are all these sensors all over the world constantly collecting information,” Zachary said. “The risk is that unauthorized parties can gain access to and misuse [it].”

Because the fact is the internet of things is highly vulnerable, often the “weakest link in a chain,” she said. Just look at what happened to Dyn.

IoT devices are “a doorway to get into a system and then hackers move laterally through the network to get to more sensitive things,” Zachary said. “In the past, people used ordinary computing devices, [but with Dyn] they summoned an army of devices that could attack and shut down the Eastern seaboard’s internet.”

Must Read

Google Ads Will Now Use A Trusted Execution Environment By Default

Confidential matching uses a TEE built on Google Cloud infrastructure to create an isolated computing environment for ad targeting and measurement. It will now be the default setting for all uses of advertiser first-party data in Customer Match.

In 2019, Google moved to a first-price auction and also ceded its last look advantage in AdX, in part because it had to. Most exchanges had already moved to first price.

Unraveling The Mystery Of PubMatic’s $5 Million Loss From A “First-Price Auction Switch”

PubMatic’s $5 million loss from DV360’s bidding algorithm fix earlier this year suggests second-price auctions aren’t completely a thing of the past.

A comic version of former News Corp executive Stephanie Layser in the courtroom for the DOJ's ad tech-focused trial against Google in Virginia.

The DOJ vs. Google, Day Two: Tales From The Underbelly Of Ad Tech

Day Two of the Google antitrust trial in Alexandria, Virginia on Tuesday was just as intensely focused on the intricacies of ad tech as on Day One.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
A comic depicting Judge Leonie Brinkema's view of the her courtroom where the DOJ vs. Google ad tech antitrust trial is about to begin. (Comic: Court Is In Session)

Your Day One Recap: DOJ vs. Google Goes Deep Into The Ad Tech Weeds

It’s not often one gets to hear sworn witnesses in federal court explain the intricacies of header bidding under oath. But that’s what happened during the first day of the Google ad tech-focused antitrust case in Virginia on Monday.

Comic: What Else? (Google, Jedi Blue, Project Bernanke)

Project Cheat Sheet: A Rundown On All Of Google’s Secret Internal Projects, As Revealed By The DOJ

What do Hercule Poirot, Ben Bernanke, Star Wars and C.S. Lewis have in common? If you’re an ad tech nerd, you’ll know the answer immediately.

shopping cart

The Wonderful Brand Discusses Testing OOH And Online Snack Competition

Wonderful hadn’t done an out-of-home (OOH) marketing push in more than 15 years. That is, until a week ago, when it began a campaign across six major markets to promote its new no-shell pistachio packs.