FTC Has Serious Concerns About IoT Security and Privacy

Trailrunner7 quotes a report from On The Wire: The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities." One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven't contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike. "Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices," the FTC comments say. In early May, the FTC issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security patches.

No kidding

[Ol+Olsoc]

Tell me of anything we've put on the internet that has been secure and private. I just do not want to have to buy Norton or McAfee AV for my friggin toilet or refrigerator.

Or ad blockers. Or the ridiculous piece of crap that Samsung makes that already enables MiTM attacks. https://www.schneier.com/blog/...

May not?

[turbidostato]

"businesses may not have an incentive to support software updates for the full useful life of these devices"

Make mandatory by force of law and there you have your incentive.

Re:May not?

[turbidostato]

"How are you going to enforce this? The majority of "smart" devices are shipped directly from China"

The same way things like that are enforced in EU: no seal of approval? can't be legally imported. For things that are imported by a trader in USA, you go after the trader. For things that are imported by an end user, that's what things like TTIP *should* be: government-to-government agreement that this won't happen or the seller will be fined by its domestic country..

IoT: The Gift That Keeps On Taking

[JustAnotherOldGuy]

IoT is a nightmare already and is bound to get worse. None of these manufacturers take security seriously, it's all just "Hey, lets make our $gadget internet connected and brag about it!".

Most of the "benefits" are marginal or meaningless, and I can guarantee you that this whole IoT shitstorm is going to get worse- much worse- before it gets better. If it ever gets better, that is.

You think you got vulnerabilities coming out of your ass now, just wait. You ain't seen nothin' yet.