FTC to IoT Device Makers: Keep Your Security Promises to Consumers
The Federal Trade Commission (FTC) said it would go after makers of internet-connected devices that make false or misleading claims about security or safety, provided the Consumer Product Safety Commission (CPSC) required manufacturers to publicly disclose their security standards.
“In the context of [internet of things (IoT)] security … companies should maintain a reasonable security program and keep the promises they make to consumers concerning the security of their devices,” the FTC said. Statements on websites, retail packaging and on the device itself or the user interface “would improve transparency and provide consumers with information to better evaluate the safety and security of their IoT products,” the regulatory agency said in a CPSC comments filing.
Such disclosures would also enable the FTC to “provide an enforcement backstop” to make sure developers kept their promises. While the agency shied away from directly calling for the CPSC to introduce new security regulations, it added that “to the extent the CPSC considers such regulation, we suggest that any such approach be technology-neutral and sufficiently flexible so that it does not become obsolete as technology changes.”
The FTC was responding to a CPSC document issued in late March that requested public comment on existing IoT safety standards, on how to prevent hazards related to IoT devices, and on the role of government in promoting IoT safety. In its reply, the FTC essentially advocated tighter security oversight.
There is a fresh example of what the FTC is talking about. Cisco Talos researchers recently reported an IoT botnet called VPNFilter that had infected more than 500,000 consumer routers and network-attached storage devices from Linksys, Netgear, MikroTik, TP-Link and QNAP. The discovery prompted an FBI alert urging consumers to reboot their devices.
It’s a tricky road to navigate. The FTC readily admits that requiring IoT devices to have “perfect security” would hamper product development. At the same time, however, without assurance that their devices are safe, consumers may shy away from diving deeper into the market for devices such as connected locks, burglar alarms and cameras, the feds said.
“Companies that manufacture and sell IoT devices must take reasonable steps to secure them from unauthorized access,” the agency said. “Poorly-secured IoT devices create opportunities for attackers to assume device control, opening up risks that may include safety hazards.” Building on that call for device makers to “take reasonable steps to secure them from unauthorized access,” the FTC recommended improvements in three areas: (1) best practices for predicting and mitigating security hazards; (2) the process for encouraging consumers to register for safety alerts and recall information; and (3) the role of government in IoT security.
The push to protect consumers who buy IoT devices from cyber attackers picked up steam late last year when U.S. Senator Maggie Hassan (D-NH) called for government regulations setting security standards with which makers of connected devices must comply. Her position is that device makers are not doing enough to protect consumers.