FTC Chairwoman: Internet of Things has Security Concerns (CDSA)

By Chris Tribbey

In a Jan. 6 presentation at the International Consumer Electronics Show in Las Vegas, Edith Ramirez, chairwoman with the Federal Trade Commission (FTC), offered both praise for this emerging world of the Internet of Things (IoT), and caution that all these connected devices come with privacy concerns.

From bracelets that allow consumers to check email to light bulbs controlled via smartphone, more than 25 billion connected devices will be in consumer hands in 2015, according to the Consumer Electronics Association.

“We have … been warned that 2015 will be the year we start hearing about smart-home hacking,” she said. “These predictions highlight the complexity of the IoT: it has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications.

“The IoT could improve global health, modernize city infrastructures, and spur global economic growth. To be sure, these potential benefits are immense, but so too are the potential risks. Connected devices [share] vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks.”

Ramirez stressed that consumer trust is key when it comes to connected consumer electronics, but ubiquitous data collection, unexpected uses of consumer data and heightened security risks all need to be accounted for. She said consumer electronics companies need to increase transparency about the data they collect and what they use it for. All these Internet-connected devices leave behind a digital trail about everything from finances to personal health, allowing companies to digitally monitor what would otherwise be private activities.

“Your smart TV and tablet may track whether you watch the history channel or reality television, but will your TV-viewing habits be shared with prospective employers or universities?” she asked. “Will they be shared with data brokers … will this information be used to paint a picture of you that you will not see but that others will – people who might make decisions about whether you are shown ads for organic food or junk food … ?

But it was security worries that most concerned Ramirez: with this influx of connected devices: inadequate security has long compromised computers and mobile devices, and IoT devices are just as vulnerable — if not more so — she said. More devices means more entry points open to attack, and the companies behind all these new devices haven’t spent the time needed to protect their devices from security breaches.

For the entire concept of IoT, to keep consumers’ trust consumer electronics companies need to build security into their devices from the outset, she said: security risk assessment needs to be part of the design process, security measures need to be tested before launch, vulnerabilities need to be patched as soon as they’re discovered, and top-down security training for employees is paramount.

“Some observers have argued that precisely because the IoT is in its early stages, we should wait to see how it evolves before addressing privacy and security issues,” Ramirez said. “But I believe we have an important opportunity to ensure that new technologies with the potential to provide enormous benefits develop in a way that also protects consumer information.”

For a majority of these devices, a wireless Internet connection will be needed, and according to research from technology vulnerability testing company Independent Security Evaluators (ISE), there’s long been widespread security problems with the use of wireless routers.

Nearly every router tested in ISE’s studies “had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control,” the company’s research reads.