Ken Munro, Founder & Partner, Pen Test Partners
Old legislation is currently the only defense we have against the privacy infringements of the IoT. Courts are having to resort to the Consumer Protection Act 1987, advertising law and anti-surveillance laws established following the Second World War to fight back against the poor security practices of manufacturers. Legislation simply hasn’t been able to keep pace with the level of technological innovation and as a result, cases are being bent to fit existing laws.
The Federal Network Agency (Bundesnetzagentur) successfully banned the internet-connected dolly, ‘My Friend Cayla’, in Germany earlier this year under the ‘Missbrauch von Sendeanlagen’ telecoms mandate that prohibits concealed transmitting devices: a law that was brought in following abusive surveillance by the state in Nazi Germany and East Germany. In the US, the Electronic Privacy Information Center quickly followed suit, filing a complaint with the FCC under the Children’s Online Privacy Protection Act against the doll while The Norwegian Consumer Council and The European Consumer Organisation (BEUC) also challenged the ethical legality of it and the iQue robot, also made by Genesis Toys.
These cases serve to illustrate that it’s not possible to issue a blanket sale ban. Authorities are having to take on one device at a time because legislation is geo-specific. As more and more toys come onto the market, how can the authorities hope to test them all? How enforceable is the legislation? Vivid, which distributes Cayla and i-Que across Europe, is already planning to challenge the ban.
"Self-regulation clearly hasn’t worked, which is why we are now seeing governments start to take action"
Meanwhile, the Federal Trade Commission has had its work cut out taking IoT device manufacturers to task, suing D-Link Corporation, ASUS, TrendNET and Revolv. ASUS agreed to settle on the understanding they’d provide product support for a minimum of 20 years. When it came to bringing the D-Link case, the FTC had to resort to questioning claims on the company website, essentially making this a dispute over advertising rhetoric. Clearly the authorities need IoT-specific legislation.
The FTC has championed the consumer cause in the courtroom and produced guidelines for IoT security and privacy protection back in 2015. At the time, it stopped short of calling for regulation, stating this would be ‘premature’ as the general consensus was that self-regulation would be better to avoid stilting the development of a nascent industry. However, that was then. Self-regulation clearly hasn’t worked, which is why we are now seeing governments start to take action.
In the US, the Senate bill ‘The Internet of Things Cyber Security Improvement Act 2017’ is laying the ground rules for IoT device security. Although the legislation will only apply to government agency suppliers and affiliates, it could well establish a benchmark for device manufacture that will influence commercial production.
The Bill states that devices must:
• Not have hardware, software or firmware vulnerabilities that are listed in the NIST vulnerability database or similar
• Not use deprecated network and encryption protocols
• Not have fixed or hard coded credentials for remote admin, updates or communication
• Be able to receive authenticated
and trusted software updates from
the manufacturer
• Disclose newly-found vulnerabilities to the customer
• Have future update support and offer timely repair for newly-found vulnerabilities
It’s a good starting point but OWASP have a sound set of guidelines for IoT security and the organization also offers a more relevant vulnerability database for generic application security flaws than NIST. By referencing OWASP, the legislation wouldn’t need to take issue with products on a per issue basis. For example, SQL injection in a custom written app simply wouldn’t feature in NIST, but would be covered by OWASP. Using such global standards could therefore be the way forward.
Moves towards regulation may yet be thwarted by opposing user ownership movements. The draft Right to Repair bill, which aims to extend product longevity by enabling products to be more easily repaired and even self-repaired by users, could make it far harder to secure firmware, with tamperproof and obfuscation techniques viewed as obstacles to effective repair. That could throw a spanner in the works when it comes to IoT security specifications.
In the absence of regulation, we’re reliant on movement on the ground and consumers rejecting and even boycotting goods, as suggested by the FBI in its recent guidelines on IoT toys – but there needs to be more carrot and stick. Carrot in the form of kitemarks and accreditations awarded to those manufacturers who do take security seriously, and stick in the form of more punitive legislation because self-regulation only gets us so far.
The industry is now mature enough, and indeed would benefit from, regulation. The question is what form will that take and how will we enforce it? Device manufacturers want to comply with best practice to win market share, but for that to be economically viable, they need universal criteria and that means one law to bind them all.
Mike Gillespie, Managing Director & Co-Founder, Advent IM Ltd
When it comes to the IoT, I would argue that not only is regulation not needed, it is not possible. Regulation only works if there is also an effective enforcement process, but regulation has failed in so many areas of security already. It is more important that we have proper cultural engagement from manufacturers, suppliers and end users.
The truth about the IoT is that trying to achieve it through regulation is unlikely to be the answer and it is clear that trying to regulate it could, in fact, prove to be like herding cats. It doesn’t need to be regulated but it certainly does need to be better controlled.
In order to achieve genuine regulation we would need global cooperation. That would mean a common approach by businesses large and small, governments and public bodies; every entity using internet protocol (IP) equipment as well as individuals with web-enabled kettles and jumpers etc., to be singing from the same hymn sheet.
Given how long it has taken for the EU to produce the General Data Protection Regulation (GDPR), I think the chances of achieving a globally cooperative approach to IoT is magical thinking. Why? As I said earlier, regulation requires enforcement, so where would that come from in the case of IoT? Standards, however, I do get…
"We don’t need new security standards, maybe what we need to do is to enhance safety standards to include IoT"
Thinking about the birth of the internet and standards, our current internet − the IP system we use today − is built upon a thing called ‘RFC1918’ (Request for Comment). Address allocation for private internets drove the standard that became the transmission command protocol (TCP) IP networks standard we use today. The reason we have an internet is because IP protocol was standardized, so we now have a global system of IP network addresses. This is a good example of standardization where everyone follows the same standard. It broadly works for everyone and people know what to expect. Regulation is not the same because regulation implies enforcement and there is no ‘body’ as yet that can enforce regulation.
We know that regulation doesn’t always work in other, different areas of security either. For instance, even though we have information security legislation like data protection, it is rarely willingly adopted and despite wide-ranging enforcement notices from the Information Commissioner’s Office (ICO), the number of businesses truly compliant with the Data Protection Act is minimal. Unless they are voluntarily adopted and considered to be the cultural norm – effectively a global adoption of a standard – then you are fighting an uphill battle. More importantly, if you don’t have a global standard, then you have nothing to regulate anyway.
What we need is a global acceptance that security in the IoT is as important as functionality. Culturally, we need developers and manufacturers, and possibly installers, to fully understand and appreciate the need for good security and have the skills to provide good security, at the of supply. At the moment, IoT is driven by the desire to innovate on the part of developers and functional need on behalf of the buyers. Is it all genuine appetite? Neither developer nor buyer appear to be building-in security so there is no push or pull to better practice or design.
With safety, we have international and national standards, such as with electrical goods. These standards can lead to substandard goods frequently being seized in order to protect consumers. However, we have no similar standard for security, for security equipment or equipment that is going to be used in an IP environment, despite the fact that some of this equipment may actually touch our physical lives and activities. Safety and security, in so many devices, go hand in hand, as they affect our physical world. Think of an air conditioning system, door entry system, heating system or video surveillance system, all of these have major physical touchpoints in our lives and could impact our physical safety. If I can remotely access your kettle or your air conditioning estate, and I affect its safety as a result of poor security, then this is really a safety issue. So maybe, we don’t need new security standards, maybe what we need to do is to enhance safety standards to include IoT.