The IoT includes both consumer-facing devices and devices intended for business uses. By the end of 2015, Cisco has estimated that there will be 25 billion connected devices, and by 2020, 50 billion.
While the IoT can offer enormous benefits to consumers, including in the areas of health care (connected medical devices), improved energy use (smart metres), and safer driving (sensors that can monitor dangerous road conditions, real-time vehicle diagnostics, driver alertness and health, enhanced navigation assistance, location-based services, weather and traffic information, and, eventually, self-driving cars), the IoT is not without risk.
There are myriad legal and business issues associated with IoT products and services, and security and privacy concerns remain paramount.
Speaking last month at the American Bar Association’s annual meeting on IoT issues, Stephen Teppler, Steven Wu, and Eric Hibbard noted many security challenges and risks associated with IoT. Security is not always baked into these devices at their inception.
Some devices contain beta software that is not finished. Devices that contain embedded software are either not easily upgraded, or easily upgraded and equally easily hacked. Manufacturers do not take into account end-of-life provisioning.
There is no transparency of testing, assuming any was done in the first place, nor is auditing possible. Testing is completely unregulated and faulty designs may not be caught prior to going to market.
Most significantly, there are no uniform standards that manufacturers can look to when designing these objects.
In January 2015, the U.S. Federal Trade Commission released a report entitled “Internet of Things: Privacy & Security in a Connected World” highlighting a variety of potential security risks associated with the IoT that could be exploited to harm consumers by:
• enabling unauthorized access and misuse of personal information;
• facilitating attacks on other systems; and
• creating risks to personal safety in addition to privacy risks that could flow from the collection of personal information, habits, locations, and physical conditions over time.
The FTC’s report contained a number of recommendations. Minimally, companies developing IoT products should implement reasonable security. Determining what constitutes “reasonable security” depends on factors such as the amount and sensitivity of data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities.
From a best practices standpoint, companies should:
• Implement ‘security by design’ by building security into devices at the outset, rather than as an afterthought. This includes designing security into every stage of development, even in the design cycle. Companies should also test their security measures before launching their products as sometimes developers forget to close back doors.
• Ensure their personnel practices promote good security — including ensuring security is addressed at the appropriate level of responsibility within the organization (i.e., at the executive level). Companies should also be training their employees about good security practices.
• Ensure they retain service providers that are capable of maintaining reasonable security and provide reasonable oversight to ensure that those service providers do so (or face an FTC law-enforcement action).
• Implement for systems with significant risk a ‘defence-in-depth’ approach where security measures are considered at several levels. For example, it may not be sufficient to rely upon passwords for consumer Wi-Fi routers — companies have to take additional steps to encrypt information or otherwise secure it.
• Consider implementing reasonable access controls to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network — including employing strong authentication, restricting access privileges, etc.; and
• Continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities. Unfortunately, many IoT devices have limited life cycles, resulting in a risk that consumers will be left with obsolete devices that are vulnerable to critical, publicly known security or privacy bugs. Companies should carefully consider if they decide to limit the time during which they will provide security updates and should be forthright in their representations about providing ongoing security updates and software patches. Companies that provide ongoing support should notify consumers about security risks and updates.
The FTC noted the specific security measures that a company needs to implement will depend on a number of factors, including the sensitivity of information collected, whether they present physical security or safety risks (such as insulin pumps), or connect to other devices or networks in a manner that would more easily allow hackers to access.
These types of devices should be more robustly secured than devices that simply monitor “room temperatures, miles run, or calories ingested.”
From a security vulnerability perspective, it seems an especially bad time to drive a car. This is not surprising, given a recent report issued in February 2015 entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” generated by U.S. Senator Ed Markey following his detailed questioning of 16 major automakers.
Markey found nearly all vehicles on the road are vulnerable to hacking through at least one wireless entry point (including navigation, keyless entry, remote start, Bluetooth, and anti-theft features).
The Markey study (quoted in the excellent Canadian report “The Connected Car: Who is in the Driver’s Seat” by Philippa Lawson and published by the B.C. Freedom of Information and Privacy Association, noted (i) security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across manufacturers; and (ii) while automakers have fully adopted wireless technologies like Bluetooth and wireless Internet access, they have not addressed the real possibilities of hacker infiltration into vehicle systems.”
Not surprisingly, in July, senators Markey and Richard Blumenthal introduced the ‘‘Security and privacy 5 in your car act of 2015’’ , new legislation designed to require cars in the U.S. to meet certain cybersecurity and privacy standards.
• requiring all entry points to the electronic systems of each motor vehicle manufactured for sale in the United States be equipped with reasonable measures to protect against hacking attacks;
• enhance the security of any collected driving data;
• any vehicle with an entry point must be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.
Additionally, cars will have to sport ‘cyber dashboards’ as a component of the label required to be affixed to each motor vehicle through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers
The FTC and Mackey reports look quite prescient given recent headlines relating to security flaws in manufactured devices over the past two months. Next month, I’ll look at some of these in more detail.