Slashdot Mirror


FTC Has Serious Concerns About IoT Security and Privacy (onthewire.io)

Trailrunner7 quotes a report from On The Wire: The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities." One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven't contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike. "Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices," the FTC comments say. In early May, the FTC issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security patches.

41 comments

  1. Glad to see you in the 21st century by Anonymous Coward · · Score: 0

    Damn republicans hold everything back. So sayeth the lord of darkness.

  2. No kidding by Ol Olsoc · · Score: 3, Insightful
    Tell me of anything we've put on the internet that has been secure and private. I just do not want to have to buy Norton or McAfee AV for my friggin toilet or refrigerator.

    Or ad blockers. Or the ridiculous piece of crap that Samsung makes that already enables MiTM attacks. https://www.schneier.com/blog/...

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:No kidding by TheGratefulNet · · Score: 2

      ctl-alt-flush

      then enter the PIN

      oh wait - the PIN was supposed to go AFTER or BEFORE the flush?

      damn.

      where's my abacus. fuck this shit.

      --
      "It is now safe to switch off your computer."
    2. Re:No kidding by Anonymous Coward · · Score: 0

      The main purpose of these devices has always been to spy on people. Adding security might interfere with that, so security on IoT devices isn't gonna happen!

      IoT spy devices are not gonna happen in my home either!

    3. Re: No kidding by Anonymous Coward · · Score: 0

      Oh, they're going to happen. Wanna bet?

  3. Cold War Theorist by Anonymous Coward · · Score: 0

    Only sell vulnerable hardware, this way hackers will also suffer for any exploit they find and encourage them not to use it, lest others find out and turn off their fridge and turn on their lights so they have to drink warm mountain dew in a bright room.

    Give everyone a nuke :)

  4. Decoupling by Anonymous Coward · · Score: 2, Interesting

    Decouple the software and hardware manufacturers from each other by defining lots of open, royalty-free standards and interfaces. It will work. Maybe.

    1. Re:Decoupling by invictusvoyd · · Score: 1

      You mean like windows iot?

    2. Re:Decoupling by guruevi · · Score: 1

      The standards exist. However professional builders want to lock your smart house in their own software packages and DIY-grade want to lock you into only buying their brand (DLink, Philips, Honeywell, GE, ...). It's hell trying to find something that interoperates correctly across brands even if they support a standard like ZWave.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Decoupling by Anonymous Coward · · Score: 0

      Windows IoT and Google's present offerings don't apply to the bulb firmware issue mentioned in the summary, only to the IoT controllers and bigger devices. A more lightweight framework is probably needed, with some hardware abstraction.

  5. Re:Reasons why I don't like the Internet of Things by reboot246 · · Score: 3, Funny

    Worst of all, Internet of Things devices could watch me while I make passionate love to your wife.

  6. Air-gap by Todd Knarr · · Score: 3, Informative

    Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access. Vulnerabilities can still be exploited, but the attacker has to be inside your house to do it. A compromised PC could be used to stage an attack, but if they've compromised your PC they can control the devices directly if those are the targets, and if the PC's the target they don't need to compromise the devices at that point.

    For the wireless fans, I have bad news: there isn't any safe way to access IoT devices over WiFi. The connectivity-at-a-distance nature and lack of interface to configure encryption/authentication keys on the devices makes it inherently impossible.

    1. Re:Air-gap by silas_moeckel · · Score: 1

      I have what I think is a fairly proper setup. If you want access to cameras, that's wired with VPN access. You could get on my zwave network and what, look at thermostats and dimmers? Sure you could turn the lights on but nothing more mischievous than costing me some money; you could see when I'm moving about and what temperature etc. Wifi you could know how much propane is in my grill and that network dead-ends. Primary security is hardwired, it keeps my insurance guy happy. I've got some RF in that if you were really crafty you could block it and break into my shed and get away with garden tools. I've got some proprietary radios you could turn up my hot tub or read my weather station. I'm sure somebody could come up with an attack that jumps from one of these networks through vera or openhab to get further up the stack but you still need to get past network level controls to get out of the HA portion of the network or even into the CCTV portion.

      --
      No sir I don't like it.
    2. Re:Air-gap by Todd Knarr · · Score: 1

      The big threat isn't that, it's a vulnerability in a server program on the zwave network that provides data from the devices that can be exploited to let you execute code on that device. Now you can load a program onto it that, rather than doing its normal job, can connect to any of the PCs that can see that data. The PCs will see an internal connection which bypasses the router's firewall and quite possibly the PC's individual firewall if, like most people, you've told your PCs they're on a home network and can trust other local computers. Being able to do that only if you already have access to the inside of the house isn't particularly risky; the set of potential attackers is pretty limited. Being able to do that via WiFi, OTOH, means anybody driving by on the street could attack you and that's a whole 'nother order of risk.

    3. Re:Air-gap by silas_moeckel · · Score: 1

      Thus my "I'm sure somebody could come up with an attack that jumps from one of these networks through vera or openhab to get further up the stack" statement. And why both of those have very little access to anything. I would frankly be far more worried about somebody getting into one of these cloud connected HA controllers; I picked gear specifically that will work without an internet connection.

      --
      No sir I don't like it.
    4. Re:Air-gap by Anonymous Coward · · Score: 0

      Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access...

      Proper setup for secure computing: A system with an IP of 127.0.0.1 (probably the easiest), no WAN access...

      Thanks. Appreciate the utterly pointless suggestions here that currently do not apply or would break 95% of the IoT market. The "no WAN access" is especially hilarious considering most of IoT is subsidized by advertisements and big-brother data collecting.

      Can't wait when my kitchen appliances require internet access in order to simply work. No, there are no knobs or settings on the new IoT toaster, only the toaster gurus in the cloud know how to do that, so plug in, get ready for your butter and jam ads, and kindly STFU.

  7. May not? by turbidostato · · Score: 3, Insightful

    "businesses may not have an incentive to support software updates for the full useful life of these devices"

    Make mandatory by force of law and there you have your incentive.

    1. Re:May not? by guruevi · · Score: 1

      How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings, let alone up to date software. I've even seen some heavy duty equipment that has 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:May not? by geekmux · · Score: 2

      How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings, let alone up to date software. I've even seen some heavy duty equipment that has 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.

      Then perhaps it's time we stop importing cheap SHIT that fails to meet basic standards.

      Since price trumps all for the ignorant masses, I guess we'll have to wait for those trillion-dollar class-action lawsuits. You know, because those are sooooo worth it to consumers in the end when we receive a free coupon for a month's worth of light bulb monitoring service.

    3. Re:May not? by turbidostato · · Score: 3, Insightful

      "How are you going to enforce this? The majority of "smart" devices are shipped directly from China"

      The same way things like that are enforced in the EU: no seal of approval? Can't be legally imported. For things that are imported by a trader in the USA, you go after the trader. For things that are imported by an end user, that's what things like TTIP *should* be: a government-to-government agreement that this won't happen or the seller will be fined by its domestic country.

    4. Re:May not? by Anonymous Coward · · Score: 0

      Do you need the government to wipe your butt? Those companies that produce crap will go out of business, if people decide not to buy crap. That's the MARKET at work.
      --
      roman_mir

    5. Re:May not? by Anonymous Coward · · Score: 0

      Oh, so that's why Microsoft went out of business 20 years ago...

    6. Re:May not? by turbidostato · · Score: 1

      "Do you need the government to wipe your butt?"

      This is a democracy. I *hire* the government to wipe my butt.

    7. Re:May not? by Anonymous Coward · · Score: 0

      Business has an incentive to kill the devices after a short "lifetime". After all, "good consumers" are addicted to upgrading their devices every few years, "bad consumers" need to be "encouraged" to do the same. Sure there will be some outrage-churn, but all businesses are playing the same game, so people out will more or less equal people in.

  8. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    I got news, I don't think anyone is interested in watching you do that, unless you are an 18yo girl and naked.

  9. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    I didn't know that Hulk Hogan posted here. Congrats on your victory over Gawker.

  10. best way by Anonymous Coward · · Score: 0

    Enable special class action lawsuits for people who lose some security from an IoT device. Everyone who bought the same device is automatically entered in a class action lawsuit against the company.
    That is the only way companies will pay attention to security before releasing the product.

    1. Re:best way by Anonymous Coward · · Score: 0

      Nice. You're on the money there. The only thing companies understand is a feckin' big stick! You whack them around a bit to set an example, then sit back and see which ones are greedy/stupid enough to get another dose.

  11. Is someone deliberately posting this stuff? by AbRASiON · · Score: 1

    https://slashdot.org/comments....

    Seriously it's meaningless bullshit, STOP.

  12. Valid concerns by the FTC by Anonymous Coward · · Score: 1

    Companies have grown very obnoxious: Samsung's TV which listens to what is said in your home so it can deliver targeted ads http://money.cnn.com/2015/02/0... http://www.bbc.co.uk/news/tech... and Microsoft's Windows 10 which spies on everything you do http://bgr.com/2015/07/31/wind... http://www.independent.co.uk/l...

    Unlikely people would buy a Samsung TV if they knew about this, but Microsoft has a virtual monopoly we can't avoid. Time for the FTC to stop these repugnant companies from abusing their dominant positions.

  13. IoT: The Gift That Keeps On Taking by JustAnotherOldGuy · · Score: 4, Insightful

    IoT is a nightmare already and is bound to get worse. None of these manufacturers take security seriously, it's all just "Hey, let's make our $gadget internet connected and brag about it!".

    Most of the "benefits" are marginal or meaningless, and I can guarantee you that this whole IoT shitstorm is going to get worse, much worse, before it gets better. If it ever gets better, that is.

    You think you got vulnerabilities coming out of your ass now, just wait. You ain't seen nothin' yet.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. not all things require the same security by Anonymous Coward · · Score: 0

    variety is the spice of life

    1. Re:not all things require the same security by geekmux · · Score: 1

      variety is the spice of life

      Hack and screw around with voltage regulation, and you could start a fire.

      Hack a fridge during the day and shut it off for a few hours. Turn it back on so the consumer doesn't notice it's become a food poison death trap.

      If you think IoT doesn't require a security baseline, you're being ignorant of the dangers.

  15. Security is an afterthought by Natales · · Score: 1

    The IoT market is indeed insanely hot and competitive, and time-to-market can make or break a product's success. This means that the MVP version (minimum viable product), that is supposed to be just the first step in an iteration, many times ends up becoming the version that gets shipped.

    It's very rare that security is considered in an MVP. Some simpler types of IoT devices (typically send-only), that rely more on the cloud back-end, may have better luck by improving the security of the cloud-based components over time, but if the device accepts input and network commands, all bets are off.

  16. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    Don't forget, what the advertisers get is likely stored insecurely (remember, to a lot of companies, security has no ROI), so that data winds up going to all sorts of places on the Internet.

    Combine that with overreach from some country LEOs that can use the info obtained from IoT devices to arrest and convict on things (some device spies bacon coming into a house? 40 lashes. Another device sees a cross in a believer's house? Beheading time. Someone made a funny about a Thai royal? 20 years.)

    I already have a phone that tracks 24/7, a tablet that does the same, and a computer that I have to firewall (twice) so it doesn't hand over data it shouldn't. I don't need any more tattle-tale devices.

  17. Re: Reasons why I don't like the Internet of Thing by Anonymous Coward · · Score: 0

    The IoT is going to happen whether you like it or not. You will have to adapt, sucks to be you.

  18. Where is the outrage for smartphones?!? by geekmux · · Score: 4, Interesting

    So the FTC is suddenly concerned about updating software or firmware for IoT devices. Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

    Humans carry around their lives in smartphones these days. Needless to say, having my "vulnerable" light bulb hacked isn't going to have the same impact as rooting my phone.

    Believe me, I like the attention IoT security is perhaps finally receiving, but talk about priorities...

    1. Re:Where is the outrage for smartphones?!? by swillden · · Score: 1

      Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

      Sure.

      It doesn't exist because the vast majority of smartphone buyers simply don't care. Many expect to replace their phone every other year or so (or more often as the devices get broken), and most of the cost-conscious don't care because in practice the security issues don't affect them. Sure, in theory their old, unpatched devices are horribly insecure, but in the real world nothing bad actually happens because of it. The real problems that affect users are things like SMS fraud and ransomware, which have little to nothing to do with security vulnerabilities.

      So, the only people who get outraged are geeks and pundits, and no one pays much attention to them. The FTC pays attention to worries about IoT devices because they're in the future which makes it easy to worry that the problems will be horrendous. Smartphone security issues are in the present, and in terms of real-world impact they're pretty minimal so no one gets too worked up.

      If we as a society want our smartphones to be supported for longer, we're going to have to be willing to pay for it, because phone manufacturers (other than Apple) are already operating on razor-thin margins. I can see three ways it could happen:

      1) OEMs could increase the price of devices across the board. Since the additional cost would be widely distributed, the per-unit increase would be pretty small. However, this would mean that all of the users who don't care about long-term support would be subsidizing those who do. It would also mean that manufacturers who don't do this would have a competitive advantage over those who do because, again, the vast majority of smartphone users don't care.

      2) Governments could mandate long-term support. That would effectively impose a tax on users who don't care about long-term support in order to subsidize those who do.

      3) OEMs could offer long-term support contracts to the users who care about them. I don't know for sure, but I suspect the number of such users would be small enough that the support contracts would be expensive. Perhaps enough that it would make more sense for users who want the support to simply buy a new device.

      In any case, in the current situation, the way you get support is by buying a new device every other year.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  19. Correction: by argStyopa · · Score: 1

    Correction: any rational person has severe concern about security and the ridiculous "IoT".

    --
    -Styopa
  20. What is this thing you call... computer? by JesseEnjaian · · Score: 1

    “IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”

    "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities."

    “The massive volume of granular data collected by IoT devices enables those with access to the data to perform analyses that would not be possible with less rich data sets,”