Ken Munro, partner at Pen Test Partners, explains what to do if you find flaws and security vulnerabilities in an IoT product – and if the industry then ignores your findings.
An occasional series of vendor perspectives on the world of connected business – because it’s all about making new connections and starting new conversations.
Disclosure of problems, faults or security holes in connected devices is a double-edged sword. On the one hand, it gives a product's vendor notice of a flaw and time to remedy it; on the other, it forces the vendor to acknowledge there is an issue and take action. That can be costly, both financially and in terms of the brand's reputation.
Small wonder, then, that many vendors choose to ignore even the best intentions of researchers.
Google is a recent example. Google Home and Chromecast devices were found to expose location data: their local management API answered requests without authentication, so a malicious web page could (via DNS rebinding) read back details of nearby Wi-Fi networks, which are enough to pinpoint the user's physical location. This was a clear security vulnerability, and yet Google's response to the researcher who unearthed the problem was to claim that the leak constituted "intended behaviour" and, as a result, it would not be patching it.
It wasn't until investigative journalist Brian Krebs used the power of the press to expose the story that the tech giant back-pedalled and said it would issue a fix at the end of July.
Ignore or embrace?
What this tells us is that vendors often see it as acceptable to ignore, rather than embrace, disclosure. There are various motivations for this: a complete lack of understanding of the problem or its possible effects, an inability to route a report to the right people internally, or adherence to the "keep shipping or we go bust" school of thought.
This presents a real dilemma, and it is a problem we routinely face when alerting the sector to vulnerabilities that researchers have uncovered.
Put simply: how do you get an uninterested vendor to listen? As it turns out, the press is just one avenue; there are myriad other ways of getting their attention.
First, consider who your allies are if you want to report your findings. There are CERT (Computer Emergency Response Team) organisations around the world that can help coordinate disclosure and get the attention of manufacturers. Filing a report with one of them means a recognised body adds its weight to the report of an individual researcher, and it creates a dated record that the vendor was notified.
Consumer groups can also help. The Norwegian Consumer Council drew attention to the hackable My Friend Cayla doll in its #toyfail campaign in late 2016, for example.
In February 2017 the doll was banned in Germany under a law that forbids concealed transmitting (bugging) devices, and it was subsequently withdrawn from sale in numerous other countries, too.
Legislation is a valuable tool and you don’t need to reside in a given country to alert the authorities there.
Playing by the rules
There are a number of other steps you can take. For example, look the device up in the Federal Communications Commission (FCC) Equipment Authorization database using the FCC ID printed on it, and verify that the vendor met the initial criteria. The grant, test report and internal photos are public, so check that the chipsets and physical architecture of the unit you hold match those that were tested. If they don't, the product may be in violation of its authorisation.
Explore the Ts and Cs, too. Is the vendor gathering more customer data than its terms and conditions say it may? We saw this in the recent We-Vibe class action.
Documentation or advertising may also be deemed unfair and/or deceptive.
The Federal Trade Commission (FTC) complaints process is a useful channel through which to bring vendors to task. A recent example was the complaint against ASUS that resulted in the vendor being forced to “establish and maintain a comprehensive security programme, subject to independent audits for the next 20 years”.
In the UK, the equivalents are the Advertising Standards Authority and Trading Standards. This stood us in good stead when we alerted a vendor that, contrary to its marketing claims, it had not encrypted all communications from its device using SSL/TLS: a claim that is straightforward to test from a packet capture, and that becomes an advertising-standards matter once the evidence is in hand.
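A quick way to test an "all traffic is encrypted" claim like the one above is to classify the opening bytes of each outbound connection the device makes. The following Python is an added example, not Pen Test Partners' tooling: it recognises a TLS ClientHello versus plaintext HTTP and MQTT from their first bytes, and the sample flows (hostnames, ports and payloads) are constructed here for the example rather than captured from any real product. It only inspects the first client bytes of a stream, so protocols that upgrade to TLS later, or proprietary encryption on top of plaintext, would need a closer look.

```python
"""Classify the first client bytes of captured device connections to check an
"all traffic is encrypted" marketing claim. Added example; sample flows are
constructed, not captured from a real device."""

TLS_HANDSHAKE = 0x16          # TLS record content type for handshake messages
TLS_CLIENT_HELLO = 0x01       # handshake message type for ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> dict:
    """Return {'kind': ..., 'detail': ...} for the opening client->server bytes."""
    # TLS record header: type(1) version(2) length(2). The record version is the
    # legacy field, so accept 0x0300..0x0304 and report the ClientHello's own version.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04)):
        rec_len = int.from_bytes(data[3:5], "big")
        if data[5] == TLS_CLIENT_HELLO and len(data) >= 11:
            hello_ver = f"0x{data[9]:02x}{data[10]:02x}"
            return {"kind": "tls", "detail": f"ClientHello, legacy_version {hello_ver}, record_len {rec_len}"}
        return {"kind": "tls", "detail": "handshake record"}
    # Plaintext HTTP: request line is readable as-is.
    if any(data.startswith(m) for m in HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http", "detail": request_line}
    # Plaintext MQTT CONNECT: fixed header 0x10, remaining length, then the
    # protocol name "MQTT" (v3.1.1/v5) or "MQIsdp" (v3.1).
    if len(data) >= 8 and data[0] == 0x10 and (data[4:8] == b"MQTT" or data[4:10] == b"MQIsdp"):
        return {"kind": "plaintext-mqtt", "detail": "CONNECT"}
    return {"kind": "unknown", "detail": data[:8].hex()}


def audit_flows(flows) -> list:
    """flows: iterable of (host, port, first_client_bytes). Returns every flow
    that did not start with a TLS handshake, i.e. the evidence against the claim."""
    findings = []
    for host, port, first_bytes in flows:
        verdict = classify_first_bytes(first_bytes)
        if verdict["kind"] != "tls":
            findings.append({"host": host, "port": port, **verdict})
    return findings


# Constructed, minimal but well-formed TLS 1.2 ClientHello (one cipher suite, no extensions).
CLIENT_HELLO = b"".join([
    b"\x16\x03\x01\x00\x2d",      # record: handshake, legacy version 1.0, length 45
    b"\x01\x00\x00\x29",          # handshake: ClientHello, body length 41
    b"\x03\x03", bytes(range(32)),  # client_version 1.2 + 32-byte "random" (constructed)
    b"\x00",                      # session_id length 0
    b"\x00\x02\xc0\x2f",          # cipher_suites: one suite
    b"\x01\x00",                  # compression_methods: null only
])

# Constructed sample flows; hostnames are placeholders, not a real vendor.
SAMPLE_FLOWS = [
    ("api.example-iot.test", 443, CLIENT_HELLO),
    ("telemetry.example-iot.test", 80,
     b"POST /v1/report HTTP/1.1\r\nHost: telemetry.example-iot.test\r\n\r\n"),
    ("mqtt.example-iot.test", 1883,
     b"\x10\x0c\x00\x04MQTT\x04\x02\x00\x3c\x00\x00"),  # CONNECT, keepalive 60, empty client id
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(f"UNENCRYPTED {finding['host']}:{finding['port']} {finding['kind']} ({finding['detail']})")
```

In practice you would feed `audit_flows` the first client payload of each TCP stream from a capture taken on the device's Wi-Fi segment; two unencrypted flows out of three here is exactly the kind of concrete evidence an advertising-standards complaint needs.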
Monitoring for data breaches can also give regulators something concrete to act on. Sites such as https://breachalarm.com/ and https://haveibeenpwned.com/ can reveal whether an IoT vendor has already suffered a breach. On one occasion, we found that the product we were disclosing against had already been breached, with the vendor having lost more than 1,000 consumer records.
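The breach check above can be scripted against Have I Been Pwned's public breach list. The Python below is an added example, not Pen Test Partners' tooling: the `fetch_breaches` function performs the live lookup using HIBP's unauthenticated `/api/v3/breaches` endpoint with its `domain` filter, and `summarise_breaches` reduces the result to the figures you would cite in a complaint. `SAMPLE_RESPONSE` is constructed in the same shape as the real response (the field names are HIBP's; the vendor, dates and counts are invented) so the summary runs offline.

```python
"""Check whether an IoT vendor's domain already appears in a known breach,
using the Have I Been Pwned v3 breach list. Added example; SAMPLE_RESPONSE
is constructed, not real HIBP data."""
import json
import urllib.parse
import urllib.request

HIBP_BREACHES = "https://haveibeenpwned.com/api/v3/breaches"

# Constructed sample in the shape HIBP returns. Field names are the real ones;
# the vendor domain, dates and record counts are invented for this example.
SAMPLE_RESPONSE = [
    {"Name": "ExampleToyCo", "Domain": "exampletoyco.test", "BreachDate": "2017-02-01",
     "PwnCount": 1200, "DataClasses": ["Email addresses", "Passwords", "Audio recordings"],
     "IsVerified": True},
    {"Name": "Unrelated", "Domain": "unrelated.test", "BreachDate": "2016-05-10",
     "PwnCount": 50000, "DataClasses": ["Email addresses"], "IsVerified": True},
]


def fetch_breaches(domain: str, timeout: float = 10.0) -> list:
    """Live lookup (needs network). HIBP filters the breach list by the
    'domain' query parameter and expects a descriptive User-Agent."""
    url = HIBP_BREACHES + "?" + urllib.parse.urlencode({"domain": domain})
    req = urllib.request.Request(url, headers={"User-Agent": "iot-disclosure-breach-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarise_breaches(breaches: list, domain: str) -> dict:
    """Reduce a breach list to what a regulator complaint needs: how many
    breaches hit this domain, how many records, which data classes, and
    whether HIBP marked any of them as verified."""
    hits = [b for b in breaches if b.get("Domain", "").lower() == domain.lower()]
    return {
        "domain": domain,
        "breach_count": len(hits),
        "records": sum(int(b.get("PwnCount", 0)) for b in hits),
        "data_classes": sorted({dc for b in hits for dc in b.get("DataClasses", [])}),
        "verified": any(b.get("IsVerified", False) for b in hits),
        "dates": sorted(b.get("BreachDate", "") for b in hits),
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_breaches(domain)
    # for a live check.
    summary = summarise_breaches(SAMPLE_RESPONSE, "exampletoyco.test")
    print(json.dumps(summary, indent=2))
```

The summary deliberately keeps the "verified" flag and the data classes: a regulator will care whether the breach is confirmed and whether it exposed anything beyond email addresses (audio recordings from a toy, say), not just the raw count.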
Another good avenue of approach is to contact stockists and retailers directly to alert them to a problem. For example, the publicity surrounding the CloudPets data breach saw the toy withdrawn from sale temporarily a year ago, and, following further research published last month, it was banned by Amazon and eBay in the UK and by Target and Walmart in the US. Retailers want to be seen putting their customers' security first.
There is still a dearth of regulation in the consumer IoT space, but there are numerous routes for applying pressure to IoT vendors while the lawmakers are playing catch-up. These steps may seem aggressive, but if the result is insecure IoT devices being taken off the market until they’re fixed, then it’s a process that can only benefit the industry.
There are exceptions of course, in the form of responsible vendors who recognise disclosure as a service, and even use it to vet future versions of a product before release.
Ideally, it would be great to see all IoT vendors, no matter how big or small, embrace disclosure in this way. If they can't stretch to a bug bounty or a full disclosure programme, there is no excuse for not setting up a dedicated, monitored address along the lines of security@ at the vendor's own domain.
Internet of Business says: This opinion piece has been provided by Pen Test Partners, and not by our independent editorial team.