New FTC report: a sneak preview of the coming regulated IoT

The US Federal Trade Commission (FTC), in a January 2015 staff report titled 'Internet of Things: Privacy and Security in a Connected World', gives us a first glimpse of how Federal consumer protection policy for the IoT is likely to shape up.

The report warns of new risks, and familiar but amplified risks, stemming from the massively expanded attack surface that the IoT's billions of sensors and other networked devices - along with the copious amounts of data that they'll produce - will bring. Major areas of concern include:

  • Threats to personal safety and property - hackers disabling household locks, changing the settings on medical devices, commandeering cars, crashing drones into crowds of people, etc.
  • Harvesting and misusing personal information - everything we've been hearing about Internet privacy violations for the past few years, now coming to you on steroids. New and widely varied data sources (sensors, for example), along with advances in data science, will give marketers, cybercriminals, and other actors, friendly and otherwise, unprecedented insight into the attitudes and behavior of individuals. We're looking at a real double-edged sword here.
  • Compromised IoT devices, leveraged to launch attacks against consumer networks. Compromised consumer networks, leveraged to launch attacks against other networks. We've already seen cases of kitchen appliances being pressed into the service of botnets. That's just the beginning.

The FTC notes that these risks might be exacerbated by vendors who don't understand the security ramifications of their IoT-enabled products, maybe due to inexperience (washing machine vendors never had to worry about cyber attacks before). Or, who are focused on marketing inexpensive products to the point that they believe basic security controls - the ability to patch a sensor's firmware when a vulnerability is found, for example - can't be economically built into the product.

Not surprisingly, the FTC recommends that security be taken into account when designing, building, and operating any IoT-enabled system, and recommends the following:

  • Reasonably limit the collection and retention of consumer data ("data minimization").
  • Build security into products from day one by conducting initial risk assessments, designing the products according to data minimization principles, and testing security controls - before taking them to market.
  • Give security training to employees, and make sure security issues are addressed at the appropriate level of responsibility in the organization.
  • Retain service providers that are capable of maintaining reasonable security and oversight.
  • Implement a defense-in-depth strategy for systems where material risks are found.
  • Limit access to information systems (relating both to the product and the manufacturing organization) to authorized individuals.
  • Monitor products for vulnerabilities throughout their life cycle, and patch known vulnerabilities if possible.
  • Give heightened attention to security if the product poses physical security or safety risks, collects personal information, or connects to other devices/networks in a way that makes unauthorized access possible.

On the privacy front, the FTC's basic expectation is that vendors and operators will communicate their customers' privacy options to them clearly and prominently - not buried in fine print somewhere. Some possible approaches on how to do this are suggested, including:

  • Setup wizards that provide privacy information.
  • Video tutorials to guide consumers through privacy settings.
  • Privacy information sent to customers via text or email while, or immediately after, the product is being configured.
  • QR codes attached to the product which, when scanned, would take the customer to a website with privacy information.
  • "User experience hubs" that store data locally and learn the customer's privacy preferences based on prior behavior.

Finally, the report calls for "strong, flexible, and technology-neutral" Federal legislation that would strengthen the FTC's ability to enforce cyber security policy in its domain, including mandatory notification by vendors and operators to affected consumers in the event of a data breach.

My take on the report? It's a landmark document and a positive first step. It acknowledges (at a high level) the IoT's key risks, and the need to protect consumers against them. The FTC does fall short here of taking a firm stance on privacy, beyond the very broad notion of data minimization. So the $64,000 question of how those petabytes of IoT-generated data will be throttled remains wide open. As the IoT develops and matures, I have a feeling that the FTC is going to be busy - really busy - dealing with this.

If you're a vendor or operator in the IoT space, I'd definitely recommend downloading the report here and incorporating it into your product thinking. But don't stop there. Good security - the kind that will protect your company's reputation and revenues when push comes to shove - never comes from just following compliance requirements to the letter. Especially when they're as high-level as this document. Go the distance, do your own risk assessments, hire qualified security help, and build an appropriate level of security into the DNA of your IoT-based products. That way, you'll be building a positive feedback loop of trust for both your company and the whole consumer IoT industry, at the same time.

A version of this post appeared originally on Peerlyst.

Authentication trends for 2015

Thought I'd take a stab at what will be happening in the user authentication space this coming year:

  • Hackers will increasingly use trojans such as Citadel to target the master passwords for consumer password management applications like 1Password and LastPass. That will cause big problems for users who are successfully victimized because many of their passwords, not just one at a time, will now be compromised.
  • Hackers will also continue to attack token and SMS-based one-time password systems that are used for online banking, breaking into more bank accounts and increasing pressure on banks to retire this now-obsolete technology in favor of more secure, next-generation methods that are strengthened with features like device fingerprinting, transaction verification, and behavioral analytics.
  • More companies will have their employee and customer password databases stolen and uploaded onto public torrent sites as part of high-profile cyber attacks, as happened to Sony Pictures in 2014.
  • Heavyweights in the financial services, e-commerce, and electronics industries such as Visa, MasterCard, Google, Samsung, Microsoft, and others will start moving their customers off of passwords and onto biometric authentication, aided by the new FIDO Alliance UAF and U2F standards published in December 2014, and following the lead of trendsetters like Apple, which featured fingerprint biometrics (Touch ID) in its new smartphone and tablet releases and a heart-rate sensor in the new Apple Watch.
  • Emerging authentication technology companies will make a strong push to get their products to market and grow their user base. Companies to watch include ThreatMetrix, Yubico (maker of the YubiKey), Entersekt and Nok Nok Labs, as well as the 200+ early stage startups in this space.

(This post originally appeared as an answer on Quora)

Citadel trojans are targeting popular password manager services

Recent news of Citadel trojans being used to capture master passwords from password manager services like LastPass, RoboForm and Dashlane is a reminder that the single-master-password (SSO-style) design these services share has an Achilles heel: a single point of failure. Master passwords are the keys to the kingdom: if one is compromised, so is everything behind it. If that happens, as a password manager user you may be worse off than if you’d stuck with the habits security experts love to chasten users for (I won’t list them all here … you know, reusing the same password everywhere, etc.). That’s because the attacker now knows every site you frequent and the password for each of them, packaged in a single, convenient display. You’re done.

Consumer-focused password managers are great for simplifying your life as a user while, in one sense, improving both security and usability, because they make it easy to set a unique, complex password for every website you visit. I use Dashlane myself and find it pretty satisfactory, but now have to worry about being keylogged. I can’t trust my antivirus 100 percent to pick that up.

Password manager services will now have to get more sophisticated with their authentication processes: multi-factor authentication, out-of-band messaging, transaction signing, and behavioral analytics on the authentication transaction all come to mind. On the endpoint side, behavioral analytics in the anti-malware application could also help. Things could get pretty ugly in the meantime.
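To make the single-point-of-failure argument concrete, here is an added example (my own illustration, not code from LastPass, RoboForm, Dashlane or any other product) of what "multi-factor authentication" on the vault unlock means in practice. The master password is stretched with PBKDF2 into a vault key, and unlocking also requires a TOTP code (RFC 6238) generated on a separate device. The vault salt, iteration count and the unlock_vault() routine are hypothetical and assumed for the example; the TOTP secret used is the RFC 4226/6238 test-vector secret so the codes are reproducible.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constants below are assumptions for this illustration, not any vendor's real parameters.
VAULT_SALT = b"example-vault-salt"      # a real product uses a random per-vault salt
PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30
TOTP_DIGITS = 6
# RFC 4226 / RFC 6238 test-vector secret, used here only so the results are reproducible.
DEMO_TOTP_SECRET = b"12345678901234567890"


def derive_vault_key(master_password: str, salt: bytes = VAULT_SALT) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Stretching slows offline guessing against a stolen, encrypted vault file. It is
    no help at all when a keylogger captures the password as it is typed.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current time step and +/- `window` neighbouring steps (clock drift).
    Codes are compared in constant time so timing does not leak partial matches."""
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
        if counter + d >= 0
    )


def unlock_vault(master_password: str, code: str, expected_key: bytes,
                 totp_secret: bytes, at: Optional[int] = None) -> bool:
    """Hypothetical vault unlock: BOTH the stretched master password and a valid
    TOTP code are required, so a keylogged master password alone fails here."""
    if at is None:
        at = int(time.time())
    key_ok = hmac.compare_digest(derive_vault_key(master_password), expected_key)
    # Evaluate both factors before returning so a wrong password does not short-circuit.
    code_ok = verify_totp(totp_secret, code, at)
    return key_ok and code_ok


if __name__ == "__main__":
    enrolled_key = derive_vault_key("correct horse battery staple")
    now = 59  # RFC 6238 test time: counter 1 -> code 287082 with the demo secret
    print("keylogged password only:",
          unlock_vault("correct horse battery staple", "000000", enrolled_key, DEMO_TOTP_SECRET, now))
    print("password + second factor:",
          unlock_vault("correct horse battery staple", totp(DEMO_TOTP_SECRET, now),
                       enrolled_key, DEMO_TOTP_SECRET, now))
```

The point the code makes is that key stretching only buys time against an offline attack on a stolen vault file; against a keylogger the master password is gone regardless, and it is the second factor that stops the attacker from turning it into a full vault dump. It is not a cure: malware on the same endpoint can also grab a live TOTP code within its 30-second window, which is why out-of-band confirmation or transaction signing on a separate device is the stronger version of the same idea.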

(via Peerlyst)

Authentication startup AnchorID wins Finovate Best-in-Show

New York startup AnchorID has garnered the Best-in-Show award at Finovate Fall, which just wrapped up in New York. There, the company demonstrated its consumer authentication technology for websites and mobile apps, which is purportedly set to launch any time now (Fall of 2014, according to the company website). AnchorID is tackling the notorious multiple-password management problem, following in the footsteps of companies like AgileBits and Dashlane.

AnchorID looks to improve on these earlier-generation consumer SSO offerings by eliminating passwords entirely: secure access to both websites and mobile apps goes through a proprietary smartphone app, and the user chooses which type of authentication token he or she wants to use. The explanatory video lists fingerprint and voice biometrics, PINs, and a simple Yes/No button (proceed with the login or not) as options. The user has to pick a single user name (their "Universal Username"). Again, no passwords are involved, so the authentication factors are the user's Universal Username, the app/smartphone combination (presumably including some level of device identification), and the token value (biometric, yes/no, etc.) as selected by the user. The company says they don't gather any personal data about the user. Integration with the target website or mobile app is via AnchorID's API.

AnchorID was founded in January 2014 and, according to Crunchbase, has received two rounds of angel funding totaling US $510,000. They're coming into an extremely crowded and noisy market, so success will depend as much on execution as on their technology.

Congratulations to AnchorID on making Best-in-Show!

iPhone 6 Touch ID has already been hacked

That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature, and posted how he did it. Marc is the guy who did the same thing to the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to hack the iPhone 6 Touch ID as he did on the iPhone 5s: basically a bit of fingerprint powder and super glue.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided additional layers - for example, the kill switch feature available on all iOS 8 devices, and the use of card number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)