The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, “these devices also create new opportunities for unauthorized persons to exploit vulnerabilities”.
In a long response to a request for comment on IoT benefits and problems by the National Telecommunications and Information Administration, a unit of Commerce, FTC staff members said that there are many benefits offered by IoT devices. The comments cite smart meters, connected cars, and connected health care devices as examples of devices that bring many convenience and other benefits for users. However, the FTC says all of these advances bring with them attendant privacy and security risks.
One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven’t contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike.
“Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices,” the FTC comments say.
“IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”
The lack of security patches is a major issue for connected devices, as many of them are left easily accessible online and can be found by attackers. Researchers in recent years have demonstrated any number of attacks against connected medical devices, home monitoring equipment, and industrial control systems. Many of these devices ship with hard-coded passwords or credentials that can be discovered quite easily, and if such a device is connected to a larger home or business network, those credentials can give an attacker an easy foothold for further attacks.
“First, on IoT devices, as with desktop or laptop computers, a lack of security can enable intruders to access and misuse personal information collected or stored on a device. As IoT devices offer new opportunities for consumers to monitor their daily activities, access content, and interact with the world, these devices also create new opportunities for unauthorized persons to exploit vulnerabilities that can facilitate identity theft or fraud,” the FTC said.
The commission staff also cites bugs in medical devices or connected vehicles as potential risks to physical safety for users. Researchers Charlie Miller and Chris Valasek have shown this to be a reality already, with their work on security issues with connected cars.
In addition to the security problems with IoT devices, the FTC expressed concerns about the privacy issues they raise, as well. Many connected devices collect information about their usage, environments, and users, which is then used by vendors for any number of purposes.
“In one FTC analysis, staff found the presence of numerous third parties in apps connected to IoT health and fitness wearable devices. A number of those third parties collected data such as persistent device identifiers, workout routines, eating habits, length of walking stride, medical search histories, zip code, gender, and geolocation,” the FTC comments say.
“As this analysis demonstrates, IoT devices are capable of collecting, transmitting, and sharing highly sensitive information about consumers’ bodies and habits. These privacy implications may increase if consumers’ health routines, dietary habits, and medical searches are combined with offline sources and across devices.”
That data collection, some of which is done without users’ real knowledge of its purposes, is one of the main concerns that privacy advocates and security researchers have raised with IoT devices. The FTC staff said the IoT presents vendors and data aggregators with a prime opportunity.
“The massive volume of granular data collected by IoT devices enables those with access to the data to perform analyses that would not be possible with less rich data sets,” the comments say.
The FTC staff also include a number of best practices for IoT security and privacy, such as building security into devices from the outset, oversight of downstream vendor contracts covering data collection and privacy, and data minimization.