New FTC report: a sneak preview of the coming regulated IoT

The US Federal Trade Commission (FTC), in a January, 2015 staff report titled 'Internet of Things: Privacy and Security in a Connected World', gives us a first glimpse of how Federal consumer protection policy for the IoT is likely to shape up.

The report warns of new risks, and familiar but amplified risks, stemming from the massively expanded attack surface that the IoT's billions of sensors and other networked devices - along with the copious amounts of data that they'll produce - will bring. Major areas of concern include:

  • Threats to personal safety and property - hackers disabling household locks, changing the settings on medical devices, commandeering cars, crashing drones into crowds of people, etc.
  • Harvesting and misusing personal information - everything we've been hearing about Internet privacy violations for the past few years, now coming to you on steroids. New and widely varied data sources - from sensors, for example - along with advances in data science, will allow marketers, cybercriminals, and other actors both friendly and otherwise, unprecedented insights into the attitudes and behavior of individuals. We're looking at a real double-edged sword here.
  • Compromised IoT devices, leveraged to launch attacks against consumer networks. Compromised consumer networks, leveraged to launch attacks against other networks. We've already seen cases of kitchen appliances being pressed into the service of botnets. That's just the beginning.

The FTC notes that these risks might be exacerbated by vendors who don't understand the security ramifications of their IoT-enabled products, maybe due to inexperience (washing machine vendors never had to worry about cyber attacks before). Or, who are focused on marketing inexpensive products to the point that they believe basic security controls - the ability to patch a sensor's firmware when a vulnerability is found, for example - can't be economically built into the product.

Not surprisingly, the FTC recommends that security be taken into account when designing, building, and operating any IoT-enabled system, and recommends the following:

  • Reasonably limit collection and retention of consumer credit information ("data minimization").
  • Build security into products from day one by conducting initial risk assessments, designing the products according to data minimization principles, and testing security controls - before taking them to market.
  • Give security training to employees, and make sure security issues are addressed at the appropriate level of responsibility in the organization.
  • Retain service providers that are capable of maintaining reasonable security and oversight.
  • Implement a defense-in-depth strategy for systems where material risks are found.
  • Limit access to information systems (relating both to the product and the manufacturing organization) to authorized individuals.
  • Monitor products for vulnerabilities throughout their life cycle, and patch known vulnerabilities if possible.
  • Give heightened attention to security if the product poses physical security or safety risks, collects personal information, or connects to other devices/networks in a way that makes unauthorized access possible.

On the privacy front, the FTC's basic expectation is that vendors and operators will communicate their customers' privacy options to them both clearly and prominently - not buried in fine print somewhere. Some possible approaches on how to do this are suggested, including:

  • Setup wizards that provide privacy information.
  • Video tutorials to guide consumers through privacy settings.
  • Privacy information sent to customers via text or email while, or immediately after, the product is being configured.
  • QR codes attached to the product which, when scanned, would take the customer to a website with privacy information.
  • "User experience hubs” that store data locally and learn the customer's privacy preferences based on prior behavior.

Finally, the report calls for "strong, flexible, and technology-neutral" Federal legislation that would strengthen the FTC's ability to enforce cyber security policy in its domain, including mandatory notification by vendors and operators to affected consumers in the event of a data breach.

My take on the report? It's a landmark document and a positive first step. It acknowledges (at a high level) the IoT's key risks, and the need to protect consumers against them. The FTC does fall short here of taking a firm stance on privacy, beyond the very broad notion of data minimization. So the $64,000 question of how those petabytes of IoT-generated data will be throttled remains wide open. As the IoT develops and matures, I have a feeling that the FTC is going to be busy - really busy - dealing with this.

If you're a vendor or operator in the IoT space, I'd definitely recommend downloading the report here and incorporating it into your product thinking. But don't stop there. Good security - the kind that will protect your company's reputation and revenues when push comes to shove - never comes from just following compliance requirements to the letter. Especially when they're as high-level as this document. Go the distance, do your own risk assessments, hire qualified security help, and build an appropriate level of security into the DNA of your IoT-based products. That way, you'll be building a positive feedback loop of trust for both your company and the whole consumer IoT industry, at the same time.

A version of this post appeared originally on Peerlyst.

Locks, keys, and passwords have all seen their heyday

When I first started paying attention to smartphone-based locks, I was worried about them being hacked and their batteries going dead. Still am. I initially thought that we would still be defaulting to physical locks and keys for some time to come. But it turns out that those are compromised as well, with usable replicas of some of the most secure keys - so-called bump keys - now able to be 3D printed.

With passwords falling out of favor at the same time (for good reason), we're going to have to reinvent how we securely access things, both physical and virtual, in the future. Very interesting times are ahead for authentication and access management technology. I guess we'll end up with an electronic something or other with wearables, biometrics, device fingerprinting and data analytics somewhere in the mix, but I expect a good bit of trial, error, security incidents, and maybe a startup bubble between now and then. The key (as it were) will be to strike that magic and elusive balance between security, usability, speed, and cost.

via Wired

IoT security state of play: can we learn from history?

Originally posted on Peerlyst on 24th August 2014

In mid-2014 as Peerlyst gets off the ground, one of the biggest challenges facing the security profession is how to secure the Internet of Things. The phenomenon that’s automating everything from artificial dust motes to container ships is about to move into explosive growth mode, if that isn’t already the case. It’s great news for entrepreneurs and the global economy, but for security types this gigantic silver cloud has a distinctly dark lining. That’s because the IoT, with 40 billion devices projected to have IP addresses by 2020, is exponentially growing our attack surface. At the same time, the general level of IoT security is somewhere on a scale between embarrassing and zero. Exceptions apply, of course; the topic is now on the agenda at RSA, Black Hat, and DEF CON, and even the biggest security vendors are starting to pay attention. That’s all positive – but in terms of actual, tested and auditable security controls for IoT systems which are either implemented or on the planning horizon – we’re really looking at very little.

If we take off our white hats for a second and peer into the mysterious world of business, it’s not too hard to see why things are this way. Unless you’re someone with a keen, security-focused mind (which I expect that you are since you’re reading this), it’s more likely than not that as someone who’s bringing cutting-edge products to market, you don’t give a high priority to security until the day you get hit. That’s just human nature, and it’s also history. Think about how the mobile commerce security landscape evolved: technology first, then hypothetical threats, then credible threats, then security response. Or desktop-based e-commerce before that. The same exact thing happened.

To cite just one current example of history repeating, industrial control systems were never designed to be put on the Internet. As stand-alone systems, they were at least secure by obscurity. When they started being merged into the cyber universe, the driver was business efficiency – enterprise users’ ability to monitor their factory’s hydraulic pumps from the comfort of their own bedrooms. Nobody, including Iranian nuclear engineers, gave a thought to threats like Stuxnet, son of Stuxnet, and grandson of Stuxnet. But I bet you that now, Iran has one of the best SCADA security programs on the planet. That’s just how it always goes.

With that in mind, here’s how I think security of the IoT will play out:

Phase 1 (the past 4-5 years): IoT products and systems are brought to market with minimal security built in. All eyes (except for the keen, security-focused ones) are on innovation, financial upside, and the wow factor. An incident happens here and there, but hey, cyber attacks only happen to other people. It’s quickly forgotten and Industry goes back to building the dream.

Phase 2 (where we are today): IoT deployments pick up steam. More security experts point out the risk. Researchers find exploits and show them off at DEF CON. Specialized security products are introduced, and standards groups start to form. But they’re mostly preaching to the choir, and we still haven’t seen any catastrophic cyber event in the IoT world.

Phase 3 (the next few years): IoT is now mainstream, and the inevitable wakeup call happens. Great-grandson of Stuxnet (wielded by great-grandson of Al Qaeda) takes out a power plant, derails a high-speed train, or makes some chemical factory explode. This will happen in Europe, North America, or some other developed part of the world. Now Industry wants security, and it wants it now. If you’re a security professional and have invested in acquiring skills related to IoT protection (SCADA/ICS and sensor network security, real time threat intelligence, etc.), this is when you’ll find yourself … busy.

Phase 4: “Security” will step up to the situation, and at some point it might reach equilibrium and we’ll have a “secure enough” IoT. Or, it might not and we’ll continue living in a world of perpetual cat and mouse like we are today with retailer data breaches. I don’t want to try to predict that far ahead (but please feel free to do so yourself in the Comments, if you have a take on it).

My point is, as Sting once put it, history will teach us nothing.

The drone downers: taste of things to come

The day after I blogged about how people are going to be out there shooting down drones before long, Motherboard published a piece about a new ad campaign for a shotgun suppressor, marketed by Utah company SilencerCo. The campaign features none other than Johnny Dronehunter, Defender of Privacy, as its main protagonist. While fictitious, the fact that SilencerCo chose to use this theme is a revealing reflection of American attitudes about privacy, and the perceived threat that emerging surveillance technology poses to the same. Here's the video trailer featuring Johnny:

Motherboard had reported earlier on Gnat Warfare, an Arizona company that lets people shoot at drones on a roving gun range, for $4,000 a pop. More expensive than clay pigeon shooting, but looks like more fun.

In addition to good old fashioned gun violence, there will also be cyber attacks directed against drones, like the one that Iran claimed it used to down a US surveillance UAV in 2011. The US asserted that the cyber attribution was a bluff, but who really knows? In any case, operators of surveillance drones (may they use them wisely) will need to protect them against both physical and cyber threats. Actually, it doesn't really matter what benevolent or nefarious purpose the drone is being used for, or whether the operators are military or civilian. They'll still be dealing with the same basic set of threats. Journalists, amateur photographers, and others would all do well to give this due consideration.

(via Motherboard)

Autonomous taser drones. EMP drones.

A Texas company, Chaotic Moon, has come up with a self-piloting drone that can deliver taser attacks. It's aptly named Cupid. Future versions of this technology, which the company is said to already be working on, will pack pepper spray and EMP guns. I can imagine all kinds of other onboard weapons on these things: lasers, Gatling guns, poison darts, tear gas, etc.

I think a lot of small drones are going to get shot down, especially the weaponized ones. Folks targeted by stunner drones aren't exactly going to welcome them with open arms. Drones will need ways to protect themselves, otherwise people are just going to take them out, wholesale. So I think they'll eventually have self-defense capabilities, either built-in or in the form of separate robots (or humans) that provide backup. No idea what that will look like ... maybe onboard motion detectors along with facial recognition and a predictive algorithm that senses when someone is pointing a weapon at the drone, and pre-emptively zaps them.