A new bill making its way through the U.S. Congress proposes to arm consumers with information about the privacy and security risks of connected devices. The move comes as some industry experts and privacy advocates are raising concerns about a flood of everyday items on the market that are connected to the internet.
The bipartisan bill, dubbed the “IOT Consumer TIPS Act,” instructs the Federal Trade Commission (FTC) to develop cybersecurity resources for consumers to protect themselves against cybercriminals when using Internet of Things (IoT) devices, such as thermostats, cameras, or digital assistants that are always connected to the internet via Wi-Fi networks.
According to the bill, the FTC has to provide within a year voluntary educational material that cites consumer attitudes and expectations and advises on device setup, passwords, recovery in case of hacking, and “end of life considerations such as resetting, deleting, or modifying data collected or retained by a covered device when it is no longer in use or expected to be used by the consumer.”
Andrei Petrus, IoT director with cybersecurity firm Avira, applauded the bill as a good first step toward raising consumer awareness and setting industry standards. Once users are more educated, they will have some sort of benchmark to consult for their next IoT device.
He urged legislators to “enable a solid, sane framework” to preset and then handle security credentials on IoT products after their sale.
“A significant number of smart devices, including smart CCTV cameras, thermostats or smart TVs, are insecure by design,” said Petrus. “It’s not even possible to make some of them more secure as they’ve been made with hard-coded account names and passwords that can’t be changed.”
Hard-coded features are built into the hardware or software code so that they can’t be modified. The approach, added Petrus, “transforms ‘security’ into a big vulnerability just waiting to be exploited” by hackers who could compromise the network and take over the device.
In an effort to rush their products to market, some IoT manufacturers and vendors overlook security due to lack of expertise or the desire to keep costs down, said Petrus. And there are cases where vendors skip asking users to change default passwords, a basic security measure.
Securing every device is critical. The entire network has to be secured, he said, including “all smart devices at the gateway.”
Besides security concerns, there are questions surrounding privacy that not all privacy policies answer clearly. Do these devices listen in all the time in people’s homes or just respond to key commands? How much information do they collect and for how long? And who owns that information? Can it be sold?
IoT devices are “always listening at some level,” said Lee Tien, senior staff attorney for internet rights at the Electronic Frontier Foundation. Unless the vendor is forthcoming, he said it is very hard for ordinary people “to really know what it is you are subjecting yourself to in terms of information capture.”
The maker of the Roomba vacuum cleaner, iRobot, for example, went into damage control a few months ago after revelations it was planning to sell the map data the Roomba collected inside people’s homes (without permission) to third parties. CEO Colin Angle later said this would never happen.
Always-on connected devices take data-collection to a whole new level, said Tien.
“Twenty years ago, I knew for certain that my phone was collecting data but I didn’t worry about my TV requesting data,” he said. “All sorts of formerly-mute appliances are now talking appliances and we do not know what they are talking about.”
While marketers and vendors can learn a lot about consumer behavior from data collection, Petrus cautioned that the practice puts users at risk.
“Mining the usage data we leave behind with smart TVs,” he added, “can tell a lot about users’ political sympathies, movies or music genre preferences, who’s at home, when, what other Internet-connected devices we have at home.”
These concerns are discouraging faster adoption of IoT devices, he said. But as the market matures, he expects consumers to force manufacturers to negotiate a way to create cheap, smart devices that are also secure.
And this has to begin with the original concept, said Tien. If connected devices are the future, will they be designed for the next decade? Will they be too complex to be figured out by ordinary users? Or will they have features that let users flip a switch to control and stop data collection? Will users actually know what the device is doing?
“What we have an ability to do, shape, or try to shape are the social norms around the technology,” he said.
3 responses to “IoT Future Needs Privacy, Security by Design”
Do you cover Micro electromechanical devices? What is the future with this type of device? It is supposed to revolutionize the future in technology.
I don’t. But if you look up Micro electromechanical devices in Google news, you will find some interesting results.
Securing IoT devices is challenging for several reasons. For quite a long time, consumers and organizations have been obsessed with securing computers and smartphones. Businesses cannot stop IoT attacks from happening, but they can be proactive in mitigating threats by updating the device continuously, as said by Antonio Grasso, IoT expert, in one of his blogs (https://thinkpalm.com/blogs/interview-antonio-grasso-iot/), and also by updating the architecture of the IoT system. Emerging platforms like blockchain can help secure IoT gadgets by disposing of the dependencies on a central authority in IoT systems.