At the 2017 edition of the Consumer Electronics Show (CES) a few thousand products that are all part of the mass consumerization of the Internet of Things (IoT) made their debut. Everything from toothbrushes that capture data that can be analyzed to determine brushing habits to cars that connect to the Microsoft Azure cloud were on display.
While all that hoopla was taking place in Las Vegas, however, the Federal Trade Commission (FTC), back in Washington, took the opportunity this week to remind everyone just how vulnerable most of these consumer devices are from an IT security perspective.
First, the FTC announced a contest in the form of an IoT challenge that offers a $25,000 prize for the best technical idea for keeping consumer devices connected to the Internet secure. More significantly, a day later the FTC also signaled its intent to pressure the manufacturers of these devices to make sure they are secure: the FTC has filed a complaint against D-Link alleging that the company's wireless routers and Internet cameras lacked adequate security technologies to protect consumer privacy.
Specifically, the FTC alleges that D-Link:
- Hard-coded login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
- Failed to address a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
- Mishandled a private key code used to sign into D-Link software that left that code openly available on a public website for six months; and
- Left users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
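The second allegation names "command injection" without saying what it looks like in a router. The following is an added example in C, not D-Link code and not drawn from the FTC complaint: a hypothetical "diagnostic ping" CGI handler of the kind consumer routers expose, shown first in the vulnerable form (the user-supplied host is spliced into a shell command) and then in a hardened form (allow-list validation plus an argv vector passed to execvp, so no shell ever parses the input). The handler, its host field and the sample malicious request are all constructed for illustration.

```c
/* Added example: hypothetical router "diagnostic ping" CGI handler in a
 * vulnerable and a hardened form. Not D-Link code; the handler, its
 * field names and the sample request below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE: the attacker-controlled 'host' field is spliced into a
 * shell command line. Because system() hands the string to /bin/sh,
 * metacharacters such as ';', '|', '`' and '$(' run extra commands as
 * the web server's user (on most consumer routers: root). */
int build_ping_command_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check for the hardened form: a hostname or IP literal
 * needs only letters, digits, '.', '-' and ':'. A leading '-' is
 * rejected so the value cannot be parsed as a ping option (argument
 * injection), and the length is capped at the DNS name limit of 253. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then build an argv vector so the host is always a
 * single argument to ping itself and no shell is involved at all.
 * Returns the argument count, or -1 if the host is rejected. */
int build_ping_argv(const char *host, const char *argv[], size_t max)
{
    if (!is_safe_host(host) || max < 5)
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Run the validated argv with fork()+execvp(). Returns the child's exit
 * status, or -1 if validation failed or the child could not be run;
 * validation happens before fork(), so a rejected host never executes. */
int run_ping_hardened(const char *host)
{
    const char *argv[5];
    if (build_ping_argv(host, argv, 5) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: what an attacker would put in the form field. */
    const char *evil = "8.8.8.8; cat /etc/passwd";
    char cmd[256];

    build_ping_command_vulnerable(evil, cmd, sizeof cmd);
    printf("vulnerable handler would run: sh -c '%s'\n", cmd);
    printf("hardened handler accepts '%s': %s\n", evil,
           is_safe_host(evil) ? "yes" : "no (rejected)");
    printf("hardened handler accepts '8.8.8.8': %s\n",
           is_safe_host("8.8.8.8") ? "yes" : "no");
    return 0;
}
```

The important design point is that the hardened version does two independent things: it refuses anything outside a small allow-list, and it never builds a shell string at all. Either one alone is weaker; the allow-list guards against argument injection (the leading '-' case), while the argv vector means that even a gap in the allow-list cannot reach a shell parser.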
D-Link has formally denied the FTC allegations and has pledged to defend itself in court. No matter how the actual case against D-Link turns out, IT security professionals should be heartened by the fact that there is at least one regulatory agency in Washington taking note of the security issues associated with connecting consumer devices to the Internet. It was only a few months ago that it was demonstrated how easily many of these devices could be harnessed together to launch a crippling distributed denial of service (DDoS) attack. Rather than spending months, if not years, trying to pass new legislation, the FTC appears to have decided to pursue a court case against D-Link in a way that should serve notice to other manufacturers of consumer products.
Given the razor-thin margins many consumer product companies earn per device sold, most of them will conclude that the cost of implementing a few security measures will be substantially less than the cost of taking on the FTC in court. In effect, the claims against D-Link will set a new minimum IT security standard for devices connecting to the Internet.
That de facto standard doesn’t mean consumer devices connecting to the Internet are truly secure. But at the very least it will provide some meaningful guidance concerning the bare minimum of IT security that’s expected going forward.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.