FTC Has Serious Concerns About IoT Security and Privacy

Trailrunner7 quotes a report from On The Wire: The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities." One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven't contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike. "Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices," the FTC comments say. In early May, the FTC issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security patches.

No kidding

[Ol+Olsoc]

Tell me of anything we've put on the internet that has been secure and private. I just do not want to have to buy Norton or McAfee AV for my friggin toilet or refrigerator.

Or ad blockers. Or the ridiculous piece of crap that Samsung makes that already enables MiTM attacks. https://www.schneier.com/blog/...

Re:No kidding

[TheGratefulNet]

ctl-alt-flush

then enter the PIN

oh wait - the PIN was supposed to go AFTER or BEFORE the flush?

damn.

where's my abacus. fuck this shit.

Decoupling

Decouple the software and hardware manufacturers from each other by defining lots of open, roalty-free standards and interfaces. It will work. Maybe.

Re:Reasons why I don't like the Internet of Things

[reboot246]

Worst of all, Internet of Things devices could watch me while I make passionate love to your wife.

Air-gap

[Todd+Knarr]

Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access. Vulnerabilities can still be exploited, but the attacker has to be inside your house to do it. A compromised PC could be used to stage an attack, but if they're compromised your PC they can control the devices directly if those are the targets and if the PC's the target they don't need to compromise the devices at that point.

For the wireless fans, I have bad news: there isn't any safe way to access IoT devices over WiFi. The connectivity-at-a-distance nature and lack of interface to configure encryption/authentication keys on the devices makes it inherently impossible.

May not?

[turbidostato]

"businesses may not have an incentive to support software updates for the full useful life of these devices"

Make mandatory by force of law and there you have your incentive.

Re:May not?

[geekmux]

How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings let alone up to date software. I've seen some heavy duty equipment even that have 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.

Then perhaps it's time we stop importing cheap SHIT that fails to meet basic standards.

Since price trumps all for the ignorant masses, I guess we'll have to wait for those trillion-dollar class-action lawsuits. You know, because those are sooooo worth it to consumers in the end when we receive a free coupon for a month's worth of light bulb monitoring service.

Re:May not?

[turbidostato]

"How are you going to enforce this? The majority of "smart" devices are shipped directly from China"

The same way things like that are enforced in EU: no seal of approval? can't be legally imported. For things that are imported by a trader in USA, you go after the trader. For things that are imported by an end user, that's what things like TTIP *should* be: government-to-government agreement that this won't happen or the seller will be fined by its domestic country..

IoT: The Gift That Keeps On Taking

[JustAnotherOldGuy]

IoT is a nightmare already and is bound to get worse. None of these manufacturers take security seriously, it's all just "Hey, lets make our $gadget internet connected and brag about it!".

Most of the "benefits" are marginal or meaningless, and I can guarantee you that this whole IoT shitstorm is going to get worse- much worse- before it gets better. If it ever gets better, that is.

You think you got vulnerabilities coming out of your ass now, just wait. You ain't seen nothin' yet.

Where is the outrage for smartphones?!?

[geekmux]

So the FTC is suddenly concerned about updating software or firmware for IoT devices. Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

Humans carry around their lives in smartphones these days. Needless to say, having my "vulnerable" light bulb hacked isn't going to have the same impact as rooting my phone.

Believe me, I like the attention IoT security is perhaps finally receiving, but talk about priorities...