The growth of the Internet of Things has been predicted over the last few years and has led to a plethora of connected devices. Household devices have led the charge with smart thermostats, refrigerators, and washing machines. We have seen security devices like home security cameras and baby monitors, and health devices like insulin pumps and pacemakers. And we all know about wearables like fitness trackers and watches.
It’s hardly surprising to read that concerns about device security have been raised, often in the same breath as the announcements celebrating the new technology. The latest gadget to fall under scrutiny is Internet-connected baby monitors, with parents up in arms after discovering that the devices are easily hackable.
There’s been a number of reported cases of parents discovering hackers watching and talking to their children at night, and last week New York City Department of Consumer Affairs launched an investigation into the security of baby monitors, issuing subpoenas to four manufacturers of baby video monitors as part of an investigation into the security vulnerabilities of the devices. The Federal Trade Commission has followed suit with a page of warnings on their website.
However, reports of baby monitor hacking are not something new, with security issues being raised as early as 2013. News reports have pointed fingers at Shodan, a search engine launched in 2013 which can be used to find Internet of Things (IoT) connected devices around the world. Shodan scours the Web for devices which use Real Time Streaming Protocol (RTSP port 554) which are left open without basic password protection — or only the default password settings — in place, taking a photograph of what an be seen.
But historically, there are plenty of devices without cameras that are vulnerable to attack from the Toyota Prius to insulin pumps to wifi kettles, although admittedly some are hacked as demonstrations into the ability to do so rather than with malice, but it’s still sobering stuff.
Who’s responsible: manufacturer or consumer?
It’s not unreasonable to believe that a person who buys a connected device and utilizes it according to the manufacturer’s instructions has a right to privacy, security and a relatively hack-free existence. But this comes with the expectation that a consumer will update and install security patches. Bear in mind that most people don’t even read the terms and conditions when they download an app or install free wifi in a public space, let alone install a home security device or baby monitor.
The Federal Trade Commission (FTC) released a report into IoT privacy and security in early 2015 which detailed the issues and issues a series of recommendations for companies developing IoT devices. These included:
- build security into devices at the outset, rather than as an afterthought in the design process;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
The last point is particularly interesting, with the onus on developers to monitor connected devices. How often and to what extent is not clear.
The report also suggested ways of educating consumers including video tutorials, affixing QR codes on devices, and providing choices at point-of-sale, within set-up wizards, or in a privacy dashboard.
It’s worth noting, however, that the report concerned data gathered through meetings 18 months prior to its release. Technology moves fast and recommendations, however commendable, may lack the required impetus to create industry change.
What is the legal precedent?
Several of these principles alluded in the FTC report are illustrated by the Commission’s first case involving an Internet-connected device. The FTC filed a complaint against security camera maker TrendNet for allegedly misrepresenting its software as “secure.” In its complaint, the Commission alleged, among other things, that the company transmitted user login credentials in clear text over the Internet, stored login credentials in clear text on users’ mobile devices, and failed to test consumers’ privacy settings to ensure that video feeds marked as “private” would in fact be private.
As a result of these alleged failures, hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.The complaint came after hackers breached TrendNet’s Web site and accessed videos from 700 users’ live-camera feeds — many of these videos were published on the Internet.
The case was settled with stipulations including requiring the company to obtain third-party assessments of its security programs every two years for the next 20 years. TrendNet were also required to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities
In July 2015 Senator Ed Markey introduced the Security and Privacy in Your Car (SPY Car) Act, legislation that would direct NHTSA and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy. The SPY Car Act also establishes a rating system — or “cyber dashboard”— that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. Some of the specifics:
- Requirement that all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing;
- Requirement that all collected information is appropriately secured and encrypted to prevent unwanted access; and;
- Requirement that the manufacturer or third-party feature provider be able to detect, report and respond to real-time hacking events.
Security of IoT devices degrades rapidly. Whilst protection should be present in every stage of development, new vulnerabilities can easily appear and IoT devices that were once considered adequately secure may no longer be trusted. But security has always been a part of modern life, as has meeting the needs of consumers. Consumers won’t stay ignorant for long thanks to renewed media attention. Without regulation and consumer pressure to require companies to act, it is unlikely that technology companies will provide ‘term of life’ protection for consumers.