Can the FTC save the IoT?

Nobody in the IT industry would argue that the Internet of Things (IoT) is becoming more secure. Pretty much the opposite.

But not for lack of effort. There have been multiple, ongoing initiatives over the past decade, both public and private. There have been dire warnings, publication of various standards and best practices, technology improvements, legislation to encourage threat information sharing and exhortations from government agencies, congressional committees, security firms and conference speakers.

Unfortunately, none of them has worked very well so far.

In spite of some of the best minds and technology improvements in the world focused on it, most of the IoT’s billions and billions of connected devices remain catastrophically insecure, lacking what experts call the most basic “security hygiene.” The flaws include hard-coded credentials, simple and default user names and passwords and the lack of any way to patch or update exploitable vulnerabilities.

Why else would Taiwan-based D-Link and it’s US partner D-Link Systems be a target of a recent lawsuit by the Federal Trade Commission (FTC) that alleges basic security flaws like that in its routers and Internet cameras?

Why else would one of the major themes of the upcoming RSA conference be focused on the issue?

So, perhaps the way to kick start what everybody but criminals, terrorists and tyrannical regimes says they want is the old-fashioned way: An aggressive increase in lawsuits against developers and makers of the billions of devices that comprise the IoT. The threat of crippling sanctions, fines or liability damages are usually enough to get the attention of the C-suite.

Certainly there is a need for something that will at least tip the security balance in favor of the good guys.

Last fall’s Distributed Denial of Service (DDoS) attack on Internet Domain Name Service (DNS) provider Dyn was just the most high-profile recent example – a stark illustration of how easily a botnet of IoT devices could be enlisted to take down something as crucial as a portion of the internet backbone.

That and many other attacks have prompted some recent high-profile calls for more aggressive government involvement in regulating the IoT. Last November, Bruce Schneier, CTO of Resilient Systems (recently acquired by IBM); Kevin Fu, CEO of Virta Labs and a professor at the University of Michigan; and Dale Drew, CSO of Level3 Communications, an internet backbone provider, told the House Committee on Energy and Commerce about why that the private sector won’t solve the problem. Schneier called it, “a fundamental market failure.”

Sen. Mark Warner (D-Va.) sent a letter, after the Dyn attack, to the FTC, Federal Communications Commission (FCC) and a division of Homeland Security, asking if it would be possible to keep insecure devices off the internet by denying them IP addresses.

But the regulatory approach remains controversial – privacy and civil rights organizations say government involvement will inevitably lead to online government surveillance even more insidious than it is now.

Zach Lanier, director of research at Cylance, said having government involved in the internet more than it already is, “would be a threat both to Net Neutrality and the free market simultaneously.”

So, why not more lawsuits, using government regulations that already exist? The FTC has steadily developed a track record of success in bringing actions against companies for security failures, ranging from a breach of the Wyndham Hotel chain, to TRENDNet over flaws in its security cameras, to computer hardware maker ASUSTek over flaws in its routers and cloud services.

Those cases all ended in consent agreements that looked mild on the surface, since they didn’t involve any fines or liability.

In most cases, the agreements simply required the company to, “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”

But they did establish FTC authority and oversight, which is seen by many experts as a powerful tool.

Cigital CTO Gary McGraw, in a September 2015 blog post on the company website, wrote that the FTC's 170 settlement agreements since 1997, “are functionally equivalent to a body of common law … (and) about as close to ‘rules’ as you might want … Their rulings are effectively the law of the land for businesses that deal with personal information.”

FTC relies on legal prohibition

In most cases, the FTC relies on the legal prohibition of, “unfair or deceptive acts …” to bring actions against IoT device vendors – they are accused of the “deception” of promising security but not delivering it.

Over time, the FTC has also moved from invoking not just company promises, but also “reasonable” consumer security expectations.

The agency’s most recent complaint, against D-Link uses that template – “the failure to take reasonable steps to secure the routers and internet-protocol cameras they designed for, marketed and sold to United States consumers.”

In other words, consumers have a right to expect – whether there is an explicit promise or not – that their device can’t be used to do malicious things such as spy on them, steal their identity or become part of a botnet used to attack other targets, including the internet backbone.

The FTC declined to comment on whether it intends to ramp up its enforcement actions. A spokeswoman would only point to the agency website, which says that the FTC has the, “authority to seek relief for consumers, including injunctions and restitution, and in some instances to seek civil penalties from wrongdoers.”

But several IoT experts said that while FTC complaints are a valuable tool, they would not be a magic bullet any more than various “best practice” standards or other initiatives have.

Dan Geer, CISO of In-Q-Tel, who has written and spoken widely on vulnerabilities in the IoT, said he thinks even though information sharing is “a messy topic,” it has to exist at some level for real progress to happen. He and Richard Danzig, senior adviser to the Johns Hopkins University Applied Physics Lab, recently argued in an IEEE Security & Privacy article that there should be no "silent failures" – that those who are breached should share useful information about it.

“If we are to learn from failure we have to know about it – not allow it to be silent,” Geer said.

Of course, there is widespread resistance to that, since companies fear brand damage and the possible exposure of intellectual property if they are too transparent about breaches. But Geer said the industry needs to find a way to do it. “I don’t see how we make progress if we can't keep score, and the score I'm thinking of is pretty simple: How often were you attacked where there was at least some measure of success?” he said.

Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF) said he believes the route to better IoT security has to include both effective consequences for bad security and better rewards for good security.

He doesn’t object in principle to the enforcement actions by the FTC. But he said the “reasonable security” standard is too vague, yet if it gets too specific and detailed, it might stifle innovation.

“If people are looking just to put a proof of concept out there, they might not do it if they have to spend too much time and money on security,” he said. “Plenty of people would say that’s just too much. You can’t do it one-size-fits-all.”

He agreed that consumers have a right to expect connected devices to be “safe.” But he said consumer awareness is not yet at the level that would affect the market.

“One question is, how do you make it so the consumer considers" security in deciding what to buy, he said. “Right now, there is still no incentive for making it a priority.”

Jim Rapoza, senior research analyst and editorial director at the Aberdeen Group, is one expert who thinks consumer awareness is growing. “Even now, if you look for some devices that have been implicated in security issues – such as some nanny cams and home security devices – you can quickly see from reviews on retail websites that there are issues,” he said.

Castro agreed that should be a goal. “Consumers won’t necessarily look at the details,” he said, but if you get industry to standardize how they do security disclosure, then you might see something like a green, yellow or red label, where the industry lets consumers know about those that are underperforming their peers.”

Lanier also agreed that consumer awareness and the “vetting” of products to rate their security – something like “a Consumer Reports-style rating system,” would make it easier for consumers to make informed choices, and therefore put market pressure on the industry.

He said he would not like to see “the prototypical ‘seatbelt law’-style requirements, but we’re beginning to run out of options.”

That is where Geer comes down as well. In another article, this one co-authored with Poul-Henning Kamp of Den Andensidste Viking, USA, titled "Inviting More Heartbleed," he noted that software is one of the very few industries that remains essentially unregulated.

In other industries, problems eventually cause carnage, and, “at some point, the carnage crosses a pain threshold and regulation sets in: high-rise buildings got fire escapes, domestic electricity got insulated wires, trains got deadman switches, cars got seatbelts, medicine got clinical testing, and Freon got banned.”

So, when the damage from IoT flaws reaches some level of pain, “we see it as a foregone conclusion that sooner or later society will regulate the software industry,” he and Kamp wrote.

That regulation, they wrote, will likely take the form of product liability, which has as its formula, “if you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.”

Or, as Geer put it to CSO, “you either give your users the ability to inspect and turn off what they don't want or you, the provider, own the outcome.”

Which sounds like a lot more lawsuits, and not just from the FTC.