Lawmakers to FTC: Do Something about Internet of Things Security

The FTC is being urged to take a stronger stand on Internet of Things security in order to protect consumers.

In-brief: Two lawmakers on the U.S. House of Representatives’ Committee on Energy and Commerce are calling on the Federal Trade Commission to take steps to protect consumers from security issues linked to the Internet of Things.

In a letter dated November 3 and published on the Committee’s web site, Representatives Frank Pallone (D-NJ) and Jan Schakowsky (D-IL) asked FTC Chairwoman Edith Ramirez to urge device manufacturers to “implement security measures” and “alert consumers to the security risks posed by continuing to use default passwords on (Internet of Things) devices.”

The letter was inspired by recent, large-scale denial of service attacks linked to a malicious computer network (“botnet”) called Mirai. As reported by The Security Ledger, Mirai relied on a global network of compromised devices such as closed circuit television cameras (CCTVs) and digital video recorders to launch attacks on web sites. An October attack on the managed domain name system (DNS) provider Dyn made it difficult to reach sites including Twitter and Spotify.

The FTC hasn’t been silent on Internet of Things security. In a speech at the Consumer Electronics Show (CES) in 2015, Ramirez called on companies making IoT products to limit the data they collect and destroy it when it is no longer needed. Companies exploring the Internet of Things market should appoint a security lead to manage privacy and security issues during product development. And IoT product companies should clearly explain to consumers when their data is being sold to marketing firms or used in ways they may not expect, Ramirez recommended. A subsequent report from the FTC urged U.S. businesses to take steps to protect consumers’ privacy and security as Internet-connected devices that are part of the “Internet of Things” gain mainstream adoption.

The FTC under Ramirez has been among the most aggressive federal agencies in addressing the security and privacy challenges of the IoT. In addition to sponsoring conferences to discuss the impact of connected devices, the agency has stepped forward to enforce laws about the collection and sharing of geolocation information. It has also issued fines to companies that fail to properly secure their technology, resulting in harm to consumers.

Still, Reps. Pallone and Schakowsky cite the Mirai botnet attacks as well as statistics about the expected growth of the Internet of Things to make the case for more direct FTC involvement to protect the public.

“While the FTC’s past warnings are commendable, they are insufficient in the current environment,” the two write. “It is time for the FTC to strongly reinforce to both consumers and device manufacturers the need to adopt strong security measures.”

Consumers, the two wrote, “need to be aware of the risks posed by their IoT devices, and the FTC serves a critical role in offering that warning.” As the only federal agency with jurisdiction over consumer protection across the economy, the FTC has “an obligation to offer security warnings and to make information on changing passwords easily accessible to consumers,” the letter reads.

But the focus on passwords may be short-sighted, as we’ve noted. Flaws in connected devices that make up the Internet of Things go far beyond the weak password protections that are the subject of the letter to Ramirez.

“Some standards are needed and I am not sure that patches and passwords really solve the problem,” wrote Chip Block of the firm Evolver in an email, arguing that the focus is too narrowly on the circumstances of the Mirai attack. “I don’t see the guy who has a camera on the top of his auto repair store really worrying about updating software and changing passwords.”

Standards that require devices to identify themselves on networks and an industry-wide focus on quality and reliability are needed, Block said. He cited the role that Underwriters Lab had in making consumers comfortable that electrical devices were not dangerous. “A UL type activity really needs to be established so consumers know they are buying devices that meet the standards,” Block wrote.