The Emerging Role of Government in the Internet of Things


1Q 2017 | IN-4434


Fighting Relaxed Security

NEWS


In early January 2017, the Federal Trade Commission (FTC) filed a complaint against D-Link Corporation, a Taiwan-based computer networking equipment manufacturer, for alleged inadequate security measures. The FTC stated in its complaint that these security lapses left D-Link’s wireless routers and cameras vulnerable to hackers, putting consumers’ privacy at risk. The FTC also targeted ASUS, a computer hardware manufacturer, and TRENDnet, a networking and surveillance solution provider, in the complaint. These companies promote the security of their products and solutions; however, they allegedly failed to address easily preventable security flaws. The day before the complaint was filed, the FTC announced it was challenging the public to develop a tool that would address security vulnerabilities that are caused by out-of-date software in IoT devices. While the private sector often views government as the problem, the FTC’s actions in this arena show the role that the government can play in addressing IoT security concerns, although that role is not clearly defined.  

Government is Not Always the Solution

IMPACT


The FTC complaint stems from the Mirai botnet attack in October 2016, which targeted connected home devices such as routers and cameras. The complaint against D-Link alleged that the company failed to take the proper steps to address security flaws that were known and easily preventable, including:

  • “hard-coded” login credentials integrated into D-Link camera software—such as the username “guest” and the password “guest”—that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, as it was openly available on a public website for six months;
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

D-Link responded that the FTC did not point out any specific case of the company’s product being breached in the U.S., and that it incorporates “a robust range of procedures to address potential security issues” in its devices. D-Link is not backing down, so the complaint is viewed by the industry as a warning shot.

The FTC also announced the IoT Home Inspector Challenge, which asked contestants to develop a tool that would address these security vulnerabilities. However, this challenge will do little to address IoT security problems in connected products, nor will it raise the proper levels of consumer awareness about these security vulnerabilities.  

"A Fundamental Market Failure"

COMMENTARY


IoT security is not a new problem. For years, developers, manufacturers, and consumers cared more about the features and cost of devices than about their security. This resulted in “a fundamental market failure,” according to Bruce Schneier, CTO of Resilient Systems, who testified before the House Committee on Energy and Commerce in November 2016. So far, though, solutions from both the public and the private sector have not resulted in substantial market-wide improvements. Market-based solutions have done little to address these security concerns, while blanket government regulation could hinder growth in the wider IoT market.

Instead of issuing blanket regulations, organizations from the executive branch of the government, like the FTC, FBI, and DHS, resorted to issuing warnings and advisories directed at manufacturers or consumers, while directly issuing complaints against specific companies. The legislative branch of the government avoided issuing legislation, instead opting to create an IoT working group composed of public officials taking in the considerations of private sector stakeholders to ensure that any future policy helps to promote the growth of IoT. The working group released a whitepaper at the end of 2016, which did little to assuage any fears over cybersecurity and privacy concerns. The group “grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation, or a combination of all the above,” while emphasizing “that consumers need to do their part to protect data by securing devices through good cyber hygiene practices.” Consumers are at risk but are not taking proper precautions to protect themselves. Device manufacturers are also not taking precautions to protect themselves. While the private sector often does not want government to be the solution, in the case of IoT, it may ultimately be the solution that the market needs.