Terrell McSweeny is a commissioner at the Federal Trade Commission.
It’s time to ensure there is a clear set of ground rules for the security of Internet-connected products — before our homes get filled with exploitable devices.
My kitchen of the future will be smart. My refrigerator will be able to tell me what I need from the store — and maybe even order it. I will be able to turn on my coffeepot when I switch on my bedside lamp in the morning and preheat my oven as I head home. My counter will helpfully suggest recipe options when I place ingredients on it. My lights will gradually adjust depending on the time of day.
These innovations — and much more — will be possible because our appliances will connect to the Internet and each other, and our homes will be filled with sensors.
The shorthand moniker that describes this evolution of household products — light bulbs, toasters, etc. — into Wi-Fi enabled, cloud-connected devices is the “Internet of Things,” or IoT. Today, the Federal Trade Commission released a report identifying some of the opportunities and complications presented by the expanding IoT universe.
There is one area where an ounce of prevention will be worth a pound of cure: Security.
Security — or the lack of it — will largely determine the success or failure of widespread adoption of Internet-connected devices. As the Future of Privacy Forum has noted, “Inadequate security presents the greatest risk of actual consumer harm in the Internet of Things.”
Troublingly, the FTC report finds a wide range of security practices in IoT products. Some companies have already adopted relatively mature security frameworks, while others have not.
It is unlikely that insecure appliances will become targets just for the data they contain. Why would someone take the time and effort to hack my refrigerator only to figure out that I need to buy milk?
The real risks are threefold. First, a compromised device may not work properly. A bit of malware or a virus might cause my refrigerator to turn off. At a minimum, this could be an inconvenience. However, the danger posed by an attack could escalate swiftly from a mere nuisance to a serious safety risk or even a life-threatening situation, depending on the device. A hacked connected insulin pump might send incorrect data or fail to dispense properly, potentially causing grave physical harm. Or a family’s home security system may be turned off by an intruder.
Second, a vulnerability in one of the devices in my kitchen of the future — let’s say my coffee pot — might provide a gateway to my entire home network and all the data stored on it, including sensitive financial and medical information.
Finally, poorly secured connected devices could be launching points for attacks, such as Distributed Denial of Service actions or breaches into other networks — causing serious consequences far beyond the originally compromised “thing.”
The number of Internet-connected devices that may be vulnerable to attackers is increasing exponentially. The possibility of many devices — such as thousands of connected meters, cars or kitchen appliances — simultaneously suffering from the same attack could threaten public health and safety.
Vulnerable IoT products may also undermine public trust in adopting these new technologies. In fact, a recent poll found that only 22 percent of consumers believe that the benefits of smart devices outweigh privacy and security concerns.
To mitigate security risks, the FTC recommends that IoT device manufacturers incorporate security into the design of connected products. Properly implemented, security by design requires manufacturers to consider security throughout the entirety of a product’s lifecycle.
This means, for example, incorporating security practices into the culture of a corporation, bringing security expertise into the design phase of a product, working with vendors who prioritize it, and establishing breach protocols that can be implemented when flaws are discovered or attacks occur. Specific security measures required may depend on a number of factors, including the sensitivity of the information collected by a device and the costs of remedying security vulnerabilities.
For some manufacturers — particularly those that previously never needed to consider security in product design — properly securing connected consumer products will require changes in how they bring products to the marketplace and manage them once there. The FTC report, along with the NIST Cybersecurity Framework, provides useful guidance for security best practices. But it is unclear whether sufficient incentives exist for IoT product manufacturers to voluntarily adopt best practices.
We are on the cusp of a rapid expansion of the IoT. Many of the products in my kitchen of the future are available today. Now is the time to ensure there is a clear set of ground rules for the security of these products — before the marketplace and our homes fill with exploitable devices. Congress should pass comprehensive data security legislation establishing the basic requirements for how to notify consumers when breaches occur and creating a technology-neutral security framework that will provide clarity to consumers and innovators.