Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.

Following a year of public and internal discussions and inquiry, the Department of Commerce and Department of Homeland Security (DHS) recently issued a Final Report on the topic, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The Report arises from the cybersecurity Executive Order issued by President Trump in May 2017, which required Commerce and DHS to lead a process to determine appropriate action to “dramatically reduc[e] threats perpetrated by automated and distributed attacks (e.g., botnets).” Continue Reading Trump Administration Botnet Report Will Impact IoT Device Makers – Things You Should Know

The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-Link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.

Overview

Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safely locked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the setup process for a D-Link device with an online interface. As the FTC explains in its lawsuit, claims like those made by D-Link are not only misleading but also dangerous.

Despite D-Link’s apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that the company neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; and hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint, filed in a U.S. District Court in California on January 5, 2017. These lapses, and D-Link’s deceptive advertising, prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.

As of January 10th, D-Link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.

The growing IoT problem

In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection. For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous Wi-Fi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber-attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.

Search for solutions

Both the FTC and the National Institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices. As we wrote about recently, the Obama administration had also left the Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIs. Indeed, incentivizing solutions, rather than quietly overlooking mistakes and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.


The growing scale of cybersecurity concerns is prompting action from government leadership on the federal level. Before the Thanksgiving recess, the House’s Committee on Energy and Commerce got in on the act when two of its subcommittees–the Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX)–held a joint hearing to investigate and consider the role of Internet-enabled devices (collectively referred to as the “Internet of Things,” or “IoT”) in high-profile online attacks.  Continue Reading House Energy & Commerce Committee Holds Hearing on Security of the Internet of Things

Smart machines connected to the internet have become ubiquitous in our daily lives. They make up the Internet of Things (“IoT”), a vast web of interconnected iPhones and Fitbits, tablets and cameras, even baby monitors and implantable medical devices, and all are designed to improve and enrich our lives.  The IoT is growing in scale and complexity every day, and so too are the dangers to consumers, businesses, and our country’s technical infrastructure that the IoT creates.

After four years of research and collaboration with stakeholders, the National Institute of Standards and Technology (“NIST”) recently released its final version of Special Publication 800-160 to provide much-needed guidance for securing IoT devices and systems throughout their entire life cycle.  We offer this quick introduction and encourage you and your organization to get acquainted with the report.   Continue Reading NIST Issues Internet of Things (IoT) Guidance

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy


Over the last week, details have become available to explain how an attack against a well-known domain name service (DNS) provider occurred.  What about the potential legal risks?  We will attempt to provide insights into mitigating the legal risks for the various companies involved, including the companies that may have unwittingly provided the mechanism through which the attacks were conducted.

The Mechanics of The Recent Distributed Denial of Service Attacks 

Recently, Dyn, a Manchester, New Hampshire-based provider of domain name services, experienced service outages as a result of what appeared to be a well-coordinated attack.  Dyn provides domain name services used to direct users to a website after typing in a human-readable domain name, for example, google.com.  On October 21st, 2016, many websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times, were reported inaccessible by users.  Dyn was attacked using a vector that is often referred to as a Distributed Denial of Service (DDoS) attack. A DDoS attack essentially involves sending a resource, such as a publicly facing website, too many communication requests at one time, such that the service is denied to legitimate would-be users of the resource.

The term distributed comes from the nature in which the attack is usually conducted.  An attacker does not usually possess a single resource with the necessary bandwidth or communication “pipe” to overwhelm providers such as Dyn.  Instead, the attacker creates a network of smaller resources, distributed throughout a network such as the Internet, and directs the network of devices to attack the chosen target.  In the recent attack, the perpetrators appear to have used, at least in part, a network of consumer devices from the Internet of Things (IoT), a term used to describe so-called “smart” devices that can communicate with each other.  Attackers exploited an open vector within these devices such that they were able to control them and utilize them as part of a DDoS attack network to direct unwanted traffic to Dyn.

Identification of Cyber Security Attack Risk 

A given cyber security attack will have different effects on the ability of an entity to function based on the aspects of the infrastructure being targeted.  Identifying cyber security risk involves two parts.  First, the entity needs to understand how the various components that make up its information technology infrastructure function in relation to each other to provide services to the entity itself and other external actors.  Second, an evaluation of the exposed aspects of the components needs to be conducted, keeping in mind how the components function as a whole.

For example, with Dyn, a certain portion of the architecture that played a role in providing domain name services was likely exposed in a publicly facing manner.  A known risk of such public-facing exposure is a DDoS attack.

The devices that were harnessed to provide the malicious DDoS traffic appear to have contained components that were publicly addressable via an identified mechanism through the Internet.  Furthermore, the devices were susceptible to accepting malicious instructions causing undesired operation, in this case, their unwitting use as part of a botnet for a DDoS attack on Dyn.

For the various websites affected, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times, most likely components of their information architecture that dealt with processing DNS information were rendered unable to function, probably at least in part because their DNS provider ceased to operate.

Proactive Mitigation of Cyber Security Risk 

Effective mitigation of cyber security risk will involve understanding how the obligations of the entity to others, such as its customers, as well as the obligations of those that provide services to the entity, interact with the cyber security risks identified via the previous section’s methods.  This process is greatly facilitated by experienced counsel that have dealt with these issues before.

For example, Dyn faced a risk of being unable to provide effective DNS services to its customers, which, if identified in advance, could have been accounted for via a provision in the Service Level Agreement (SLA) terms in the relevant agreement.  Upon agreeing to these terms, potential customers could either choose to accept the business risk of downtime, perhaps mitigating the risk via insurance, or seek a suitable agreement with another vendor, whereby that vendor would provide a failover mechanism should the primary vendor, here Dyn, become unavailable.

Companies with other business models, such as those that sold the Internet of Things devices that were harnessed as part of the DDoS attack against Dyn, face their own risks, including complying with regulations and using ordinary care in the creation, testing, and selling of these devices.  In some situations, it may be possible for such device manufacturers to transfer the risk to their customers via a contractual provision.  In many cases, insurance is likely to also play a major risk mitigation role.  Future litigation will likely give us greater insight into the standard of care such device manufacturers owe their customers as well as third parties.

It is easy to see networks all around us. The printers at the office, your child’s videogame, the food ordering app on your phone, the fitness band or smart watch on your wrist, the electricity grid for your city, the self-driving cars being tested on our roads, all rely at least in part on networked solutions.  The ubiquity of networks is already staggering and the pace of research and development in this area is poised to increase for years to come.  As the things in our world get smarter and the network of these smart things grows larger, a little-known agency in the U.S. Department of Commerce, the National Institute of Standards and Technology (“NIST” or “Agency”), decided it was time that stakeholders smartened up about the way they discuss networks, connected “smart” things, and the privacy and security challenges associated with them.  Continue Reading Let’s talk about Networks of Things, baby. Let’s talk about you and me.

Facebook does it.  Google does it.  It’s everywhere in the mobile ad ecosystem.  And your smartphone does it more often than you know, according to a study released on Monday by Carnegie Mellon.

Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices. Continue Reading Cross-Device Tracking: The New World

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity 

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.   Emails with articles and reminders are helpful.   Here are some that might be interesting to your company:

Happy Data Privacy Day – Now Lock Your Cellphone

Celebrate Data Privacy Day

8 Ways to Celebrate Data Privacy Day Securely

And finally – International Privacy Day – Protect Your Digital Footprint

The concept reinforces corporate privacy programs, while encouraging employees to take steps to protect their personal data.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.
  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.
  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.
  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.
  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.
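The “reasonable access control” and “sensitive data should be encrypted” practices above are the direct answer to the D-Link allegations described earlier on this page (app credentials stored in plain text, hard-coded logins in camera software). The following added example, written for this page and not code from the FTC, D-Link, or any vendor, shows how a device’s credential store can refuse factory-default logins, force an owner-chosen password at first setup, and keep only a salted hash on flash; the default-credential list and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed (hypothetical) factory defaults that must never remain usable
# after the device leaves the box. Real products would carry their own list.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", ""), ("root", "12345")}

PBKDF2_ROUNDS = 100_000  # slows offline guessing if the flash image leaks


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: what is actually written to flash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceCredentialStore:
    """Credential store for a consumer device (example, not a product's code).

    - No cleartext password is ever kept, only salt + PBKDF2 hash.
    - Shipped default credentials are rejected at provisioning.
    - Nothing authenticates until an owner has completed first-time setup,
      so a device exposed to the Internet before setup has no usable login.
    """

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
        self.setup_complete = False

    def provision(self, username: str, password: str) -> None:
        if (username, password) in FACTORY_DEFAULTS:
            raise ValueError("factory-default credentials are not permitted")
        if len(password) < 12:
            raise ValueError("password must be at least 12 characters")
        salt = os.urandom(16)  # unique per device and per credential
        self._records[username] = (salt, _derive(password, salt))
        self.setup_complete = True

    def verify(self, username: str, password: str) -> bool:
        if not self.setup_complete:
            return False  # hard-coded or default logins simply do not exist
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            _derive(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(_derive(password, salt), expected)

    def stored_material(self, username: str) -> tuple[str, str]:
        """The only secret-related bytes persisted: (salt_hex, hash_hex)."""
        salt, digest = self._records[username]
        return salt.hex(), digest.hex()


def generate_setup_password() -> str:
    """Per-unit initial secret for the device label, replacing a shared default."""
    return secrets.token_urlsafe(12)
```

The key property is that the flash image never contains a password in any recoverable form, and a device that has not been set up answers no login at all, closing both gaps the complaint describes.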

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.
  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.
  • Deidentify data where possible.  If deidentified data would be sufficient, companies should maintain such data only in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example, when information is collected to support the specific purpose for which the device was purchased.

When notice or choice is necessary, the FTC offers several suggestions for how a company might give or obtain it, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.


Written by Kristina Eastham

This marks the second week of National Cyber Security Awareness Month, and one focused on the Secure Development of IT Products, so it seems only appropriate to discuss security and The Internet of Things and a recent panel discussion on privacy and IoT.

Last week, privacy and security professionals gathered at CyberTech’s CyberFest 2014 in San Diego, which included a panel on IoT: War on Privacy. Continue Reading It’s 11:30 PM, do you know where your data is? Privacy & Connected Devices