Regulation May Be Coming for IoT Security

by Dennis Fisher on Wednesday May 23, 2018

The Electronic Privacy Information Center (EPIC) urged the government's Consumer Product Safety Commission to regulate IoT products in a letter this week.

There are billions of devices connected to the Internet, with millions more coming online every day. That’s nice because the Internet is useful and even sometimes fun, but a huge majority of those devices have no business being connected and probably should be unplugged immediately.

The IoT devices that have proliferated in the last couple of years have become punching bags for both security researchers and attackers. It’s open season on Internet-enabled appliances, light bulbs, toys, watches, and anything else that has been hooked up to the network with little if any forethought. The lack of security and privacy protections built into these devices is also starting to draw attention from Capitol Hill, and some advocacy groups are asking Congress to act before things get much worse.

The Electronic Privacy Information Center (EPIC), a research group, is one of those groups, saying that manufacturers and consumers don’t have any real reason to fix the security and privacy problems in IoT devices.

“These problems will not be solved by the market. Because poor IoT security is something that primarily affects other people, neither the manufacturers nor the owners of those devices have any incentive to fix weak security. Compromised devices still work fine, so most owners of devices that have been pulled into the “botnet of things” had no idea that their IP cameras, DVRs, and home routers are no longer under their own control,” EPIC wrote in a letter to members of the House Committee on Energy and Commerce, which held a hearing on IoT this week.

“Moreover, consumers rarely have adequate knowledge about the security of an IoT product when they are determining whether to purchase it. This information asymmetry makes it impossible for market forces to regulate the IoT effectively.”

There are two main issues here: One, there’s no specific agency that has the authority and expertise to regulate IoT security. And two, many of these devices weren’t meant to be reachable over the Internet in the first place. The first issue may be the easier of the two to solve. Congress can grant regulatory authority to a specific agency, such as the Consumer Product Safety Commission, as EPIC suggests in its letter.

“The regulatory environment is currently too weak to protect American consumers. The FTC’s authority is insufficient to protect consumers. Unlike other federal agencies, the FTC has virtually no rulemaking authority; its ability to regulate is based on ex post facto enforcement actions. This means that the FTC cannot act until after consumers have already been harmed. It is incumbent upon the CPSC to regulate the privacy and security of IoT devices. Privacy and security are integral to consumer safety,” the letter says.

The second problem is more difficult. Thousands of manufacturers in dozens of countries produce IoT devices and there’s no overarching set of standards for security and privacy for those devices. It’s wishful thinking to believe that there will be one any time soon, either. People can’t even agree on whether Internet should be capitalized (it should), so settling on IoT security norms seems unlikely.

“Everything is connected to the network and I don’t know why that is or how it happened. None of us anticipated that,” said Joe Grand, a hardware security researcher and founder of Grand Idea Studio.

“The number of devices has exploded and our risks have just exploded.”

IoT attacks are bound to get better, and so far security and regulation haven’t been able to keep pace. Unless that changes soon, we could be in for a very rough ride.
