Gauging Safety, Security of Connected Devices Is Tough

The Product Safety & Liability Reporter™ provides updates on significant developments and issues in product safety and liability litigation and regulation, plus analysis from top litigators. Get...

By Julie A. Steinberg

April 3 — With a growing number of new reports of hacks, how can buyers gauge the safety and security of their beloved connected consumer products, estimated to number 50 billion in four years' time?

Several organizations and researchers are working to heighten awareness about the integrity of connected devices—which today include everything from smartphones to smartcars to smart medical devices and ovens—by providing guidance for companies that make and sell these products.

They're also looking to give better information to the consumers who buy them.

Still, it's not easy for everyday customers to access the stockpile of new data that's being accumulated.

In 2014, Mark Stanislav and security researcher Zach Lanier launched the web site BuildItSecure.ly as a personal endeavor to help improve security in connected devices, also known as Internet of Things products.

Originally, BuildItSecure.ly targeted smaller, first-time makers of connected products, according to Stanislav, manager of security advisory services at the Boston research firm Rapid7.

“However, over time, we've evolved the model and now have vendors across a range of sizes and levels of experience,” he told Bloomberg BNA.

“Rapid7 has professional relationships, independent of BuildItSecure.ly, with IoT vendors small and large who require more hands-on assistance with their information security programs and development of products,” Stanislav said.

Online Trust Alliance

Other groups have also become involved.

The non-profit Online Trust Alliance released March 2 its “IoT Trust Framework,” a list of 30 recommended technical criteria that companies can meet to build customer trust by addressing security, privacy and sustainability (long-term manufacturer support) issues in connected products such as home systems and wearable devices.

One criterion is that manufacturers disclose how long their security and patch support services extend beyond the product's warranty period. Another is that they disclose what product features won't work if internet connectivity becomes disabled or is stopped.

An OTA working group—made up of members that include Consumer Reports, major retailers, the Houston School District and the National Association of Realtors—collaborated to produce the criteria, Craig Spiezle, OTA's executive director and president, told Bloomberg BNA.

OTA is “trying to take a consumer-centric view,” he said. Ultimately, OTA's end-game is to have the criteria serve as a reference for developers and manufacturers as well as a resource for consumers and organizations that can use it to judge and compare products.

For example, Spiezle said, “A major retailer with over 1,000 stores in the U.S. today is using this checklist and some other attributes to evaluate the products that they are selling in the stores.”

So, a product maker approaches a retailer “to pitch a new baby monitor and we have a great discussion about price point, returns and product packaging, typical questions in retail, but also now they are using this to say, ‘Help us understand your support duration after the warranty, how many years will you be providing patches.’”

Overall, the product makers have been supportive of the framework, but they haven't, in general, been public about how they plan to actually use the criteria, Spiezle said.

Checklists and Honor Roll

OTA also has published a “smart home checklist” and a “smart device purchase & setup checklist”, both of which are directed toward consumers and include suggestions for maximizing security and privacy.

For example, the smart device checklist advises creating a unique user name and password that doesn't identify one's family or the brand/model of the device, and says they should be changed frequently.

Although these documents are targeted toward consumers, Spiezle said, companies have repurposed the information to show what they are providing to prospective customers.

OTA also does benchmark reporting on the security of online and other companies, for example, through an honor roll program, Spiezle said.

Companies are graded on security, privacy and consumer protection practices.

For the past seven years, OTA has surveyed hundreds of consumer sites such as banking sites, online retailers and social media.

In 2015, for the first time, OTA included connected device makers—makers of home automation and wearables—as an honor roll category.

The top 50 makers of connected consumer products were surveyed and 10 made the list, including Nest and Nike.

OTA plans to release its 2016 Honor Roll Report in mid-June, he said.

‘I am the Cavalry’

Also on the front line for providing such information is the volunteer group “I am the Cavalry” which focuses on automobiles, medical devices, home electronics and public infrastructure.

In 2014, the group published a five-star automotive safety framework meant to encourage car makers to shore up what it calls their “computers on wheels.”

The framework looks at five areas. These include safety by design, which looks at whether an automaker publishes the extent to which it ensures that software is reasonably free of flaws; security updates; and segmentation and isolation, meaning whether critical vehicle safety systems like braking are separate from, and not affected by weaknesses in, non-critical systems like infotainment.

A reported example of a lack of such separation is the alleged design flaw that allowed software developers—just to see if they could do it—to take control of a Jeep through its radio.

A would-be suit saying that alleged defect lowers car resale values is pending in the U.S. District Court for the Southern District of Illinois (Flynn v. FCA US LLC, S.D. Ill., No. 15-00855, opposition to dismissal 3/21/16).

The suing car owners say a non-secured infotainment system was coupled with essential engine and safety controls.

“Most of what's included in the five-star revolves around, ‘Do you publish an attestation that you protect people by doing cybersecurity, or cybersafety in the design process?’” said Beau Woods.

Woods is a volunteer with I am the Cavalry and deputy director of the cyber statecraft initiative at the Atlantic Council, a global think tank.

“We kind of wrote it for manufacturers, but potentially to be used by individuals,” Woods told Bloomberg BNA.

“We have been hoping that somebody would pick it up and do a five-star analysis of all the different vehicles for some model year. As of yet, no one has done it. We are considering doing it ourselves and publishing it,” he said.

Medical Devices

In January, I am the Cavalry released its so-called Hippocratic Oath for connected medical devices.

“The original oath was a symbolic attestation that ‘I'll act in the best interest of my patient,’” Woods said.

As medical care is increasingly reliant on devices, “it makes sense that every one in that chain of care delivery, whether mechanical, electronic, or flesh and blood, carries that same symbolic spirit,” he said.

The oath includes measures such as cyber safety by design and third-party collaboration, which invites the good-faith reporting and disclosure of potential safety or security issues.

Consumer Devices Tougher Project

The group is working on a five-star framework for consumer devices, Woods said, but “It's tough trying to encapsulate all of consumer IoT in one framework of any type.”

Part of the challenge in creating such a system is that consumer products are many and varied, Woods said. And, “In consumer IoT, there isn't as strong a safety pull as in some other areas.”

But a lot of the automotive five-star criteria can translate well into the connected devices area, Woods said.

For example, he said, how well does a company “take help from willing allies who report flaws in good faith—that's something that would be published on your website, so somebody could go to the site and see how we take reports of vulnerabilities, here's commitment to the buying public.”

“We are fundamentally interested” in the security of connected products generally, Woods said. But the group turned first to areas “where the connected tech comes into contact with human life and human safety issues,” he said.

I am the Cavalry looks out for the average consumer, Woods said, and its metrics tend toward “things that are verifiable independently, without having a technical regime.”

Research Projects

In addition to providing more information about connected devices, security researchers also are bringing hack-related product flaws to light.

Stanislav, for example, discovered vulnerabilities in two children's products, one of which fell into his lap—a connected stuffed toy bear in the Fisher-Price Smart Toy line that a friend gave him as a baby gift.

“I wasn't going to have my new daughter play with a toy I wasn't sure of,” he told Bloomberg BNA.

Parents control the animal remotely through a mobile app, Stanislav said—they can tell it to play a song to encourage brushing teeth, for example.

Stanislav said anyone with the right technical skills could hack into the toy and direct it to play different games. That alone would be scary to parents.

But raising even more of a concern, he said, is that as part of the registration process for the product, parents were asked to put in their child's name and date of birth.

That meant a hacker could gain access to pieces of personal identifying information and perhaps combine it with other personal information later, in malicious ways, he said.

Manufacturer Fisher-Price fixed the issues, he said.

“That's the process we want. We want them to understand why this is a risk,” Stanislav said.

Many Products, Little Time

But Stanislav said there are many thousands of connected device products, and a researcher can only look at the potential vulnerabilities of a couple a year.

“The time it takes to fully dive into a research project varies, but the combination of time to research, report, and work with the vendor [product maker] and then retest, takes up a great deal of time,” he said.

“There’s also, historically, been the possibility of legal action from vendors when you find and disclose flaws to them or publicly, which is a very stressful reality for researchers,” he said.

The 1998 Digital Millennium Copyright Act strengthened the legal protection of intellectual property rights in the wake of emerging new information communication technologies.

But some said the copyright law was chilling research that could uncover risks embedded in consumer products. An exemption approved in 2015 and effective Oct. 28, 2016, will give researchers some ability to conduct good-faith security research without worrying that they will infringe copyright protection.

“This is one of the reasons the Digital Millennium Copyright Act exemption that will go into effect this year is so important—it's one less worry we as researchers have to perform research,” Stanislav said.

Harley Geiger, director of public policy for Rapid7, said, “We're seeing at least from some, a growing recognition of the independent value of security research to society.”

The new exemption is one manifestation of this shift in mind-set, he told Bloomberg BNA.

Information Not Always Easy to Find

But it's not easy for consumers to assess what they can't see.

And connected products also raise product liability concerns, attorneys say.

Manufacturers differ on the amount of information they think they need to publish to reassure the buying public that they are keeping their products and, in turn, their users safe and secure, Woods said.

There isn't a great level of understanding “about how to translate some of the things we think we want to achieve from a goals perspective to a technical manual, or playbook, and then translate it back into the non-technical, goals-based language to say, ‘Here's how we achieve those things,’” he said.

Stanislav added, “I think in general, trying to provide detailed information security guidance to the average consumer is quite difficult.

“Whether it's from the OTA or the FTC (Federal Trade Commission), actually reaching the everyday consumer is a hard task to achieve and many surely never see information that could otherwise help inform them,” Stanislav said.

To contact the reporter on this story: Julie A. Steinberg in Washington at jsteinberg@bna.com

To contact the editor responsible for this story: Steven Patrick at spatrick@bna.com

For More Information

The OTA IoT Trust Framework is at http://src.bna.com/dz9.

The OTA Smart Device Checklist is at http://src.bna.com/dAc.

The OTA Smart Home checklist is at http://src.bna.com/dAd.

The Honor Roll 2015 Report is at http://src.bna.com/dDF.

The Five-Star Auto Rating is at http://src.bna.com/dDP.

The Hippocratic Oath is at http://src.bna.com/dMP.