In-brief: With CES going on in Las Vegas, The Security Ledger sat down with three experts from the firm Senrio to talk about the new generation of connected consumer electronics. How vulnerable are they to attack? What is the best way to address security and privacy concerns in them?
The Consumer Electronics Show is in its 50th year this year, and the Consumer Technology Association (CTA), CES’s organizers, are celebrating by taking a walk down memory lane. Vintage photos of everything from turntables and VHS tapes to brick sized cell phones are on display. The message: “we’ve come a long way, baby!”
But have we? No doubt, the products on display at this year’s CES are an order of magnitude more sophisticated and powerful than those displayed even a decade ago – let alone at the dawn of the digital age in the 1970s and 80s. But behind the features and (at times) polished veneer, problems lurk. Internet connectivity and “smart” features rely on wholesale data harvesting and analysis from device owners. They pose serious risks to the security and privacy concerns that experts agree will not be easy to resolve. Too often, security pros agree, new, connected devices fail to protect the privacy of consumer data or ship with weak security features that are easy to circumvent, or software vulnerabilities that can be exploited by hackers living across the globe.
That was the message from the U.S. Federal Trade Commission (FTC) this week when it announced a lawsuit against D-Link, a major supplier of home routers and IP enabled surveillance cameras. The suit alleges the company’s products, including broadband routers and home surveillance cameras, endanger the privacy and safety of US consumers. D-Link, the FTC charged, was making false claims when it said that its products featured “advanced network security” and were “easy to secure.” D-Link, which announced a new generation of home routers and cameras at CES, has called the charges baseless and said it will fight the FTC in court.
How insecure are products like broadband routers and smart surveillance cameras? The Security Ledger sat down with three experts from the firm SENRIO to discuss the matter: Stephen A. Ridley, the Founder and Chief Technology Officer; Jamison Utter, Senrio’s Vice President of Field Operations and Margaret Carlton-Foss, the company’s Vice President of Research.
Senrio made headlines last year for research that discovered a serious and exploitable hole in a wide range of DLink cameras. In this podcast discussion, the three talk about the impact of the FTC’s action against D-Link, which Ridley and his colleagues see as a favorable development.
Today, security is little more than a cost center for companies developing new, connected products. Building in security features, like a hardware security model or more robust application security and identity management features, adds to the complexity of the development process and the time needed to complete a product. On the other side of the ledger, however, there is little to compel smart device makers from expending that time and effort.
“(The FTC) is changing the cost benefit ration of having security in products,” said Ridley. “Up to now, there has been no reason to have any security, so the stuff you’ve seen was more altruistic in nature.” The FTC’s suit against D-Link will give vendors pause, he said. “They have to ask: do we spend x on security now if we can avoid paying x-squared in the cost of litigation and class action suits,” Ridley said.
Check out our whole conversation on SoundCloud below or download it on iTunes.