Do you know how secure your smart TV is? What about your phone? Is Siri constantly listening and recording, waiting to hear “Hey Siri”? What is it doing with that information? What about your baby monitor? In 2018 NPR reported that a South Carolina mother’s baby monitor had been hacked. She thought it was her husband checking in on the baby. When she got onto her account she noticed that the camera had panned over to the location where she nursed the baby. This isn’t the first or last account of baby monitors being hacked. Are there any systems in place to help consumers know the difference between an insecure baby monitor and a secure one? I’m going to talk about IoT devices, the technology market, current measures for security, and how it can improve.
If you are not familiar with the term, IoT stands for Internet of Things. These are devices that aren’t exactly computers, but have computer-like components embedded in them. Examples include smart TVs, smart fridges, smart light bulbs, Alexa devices, baby monitors, the Raspberry Pi, and other internet-connected devices. These devices can be vulnerable to unintended sharing of information, breaches, malware, and weak or outdated software. Consumers don’t know which details to take into account or how to understand them better. Consumption of IoT devices has only become more prevalent as we integrate them into our society.
Currently in the technology market, there are not many ways for consumers to verify that a product has been properly tested for its security. Many IoT products have been hacked. I went to Amazon to look at the most popular baby monitors, and the listings provide limited data on security:
The only information on security was this:
The problem with this security information is that it doesn’t go into specifics. It’s too vague. For example: which cipher suite is the “AES 128-bit encryption” actually part of? If it’s TLS_RSA_WITH_AES_128_CBC_SHA256, then it is insecure. Is it using TLS 1.0? TLS 1.1? Because those have been insecure since 1999. Has this product been tested for its security? What are the vulnerabilities that I should watch out for? How can I remediate those vulnerabilities? Most consumers don’t have the knowledge to understand these security concerns, and they may not have the capacity to acquire it.
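To make the questions above concrete, here is an added example (not part of the original post) that rates a device’s offered TLS versions and IANA cipher-suite names against exactly those concerns: deprecated protocol versions, static RSA key exchange without forward secrecy, CBC mode, and broken ciphers. The scan results are constructed and hypothetical; real ones would come from an enumeration tool such as nmap’s ssl-enum-ciphers script.

```python
"""Rate a device's TLS configuration. Added example; scan data below is constructed."""
from __future__ import annotations
import re

# TLS 1.0 and 1.1 are formally deprecated by RFC 8996; SSLv3 is prohibited by RFC 7568.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
BROKEN_CIPHERS = ("NULL", "EXPORT", "RC4", "DES", "3DES", "RC2", "IDEA")
# IANA naming: TLS_<key exchange>_WITH_<cipher>_<MAC/PRF hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA\d*|MD5)$")


def rate_suite(version: str, suite: str) -> list[str]:
    """Return the weaknesses of one negotiable (version, suite) pair; empty means acceptable."""
    findings = []
    if version in DEPRECATED_VERSIONS:
        findings.append(f"{version} is deprecated")
    if version == "TLSv1.3":
        return findings  # TLS 1.3 suites are all AEAD with ephemeral key exchange
    m = SUITE_RE.match(suite)
    if not m:
        return findings + [f"unrecognised suite name {suite!r}"]
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    if "anon" in kx or "NULL" in kx:
        findings.append("unauthenticated key exchange")
    elif "DHE" not in kx:  # static RSA/ECDH: a stolen server key decrypts recorded traffic
        findings.append("no forward secrecy")
    if any(b in cipher for b in BROKEN_CIPHERS):
        findings.append(f"broken cipher {cipher}")
    elif "CBC" in cipher:
        findings.append("CBC mode (MAC-then-encrypt, padding-oracle exposure)")
    if mac == "MD5":
        findings.append("MD5-based MAC")
    return findings


def rate_device(scan: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map every 'version suite' the device offers to its findings."""
    return {f"{v} {s}": rate_suite(v, s) for v, suites in scan.items() for s in suites}


def is_acceptable(scan: dict[str, list[str]]) -> bool:
    """A device is acceptable only if nothing it offers has a finding."""
    return not any(rate_device(scan).values())


# Constructed scan of a hypothetical monitor offering the suite the text singles out.
WEAK_MONITOR = {"TLSv1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
                "TLSv1.2": ["TLS_RSA_WITH_AES_128_CBC_SHA256"]}
# Constructed configuration that meets current practice (ephemeral key exchange, AEAD).
HARDENED = {"TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
            "TLSv1.3": ["TLS_AES_128_GCM_SHA256"]}
```

A product listing that said “TLS 1.2 or 1.3 only, ECDHE key exchange, AEAD ciphers” would let a buyer answer the questions above; “AES 128-bit encryption” alone does not.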
The reason most companies don’t provide this information is because of something that is known in economics as a “lemon market.” In his book “Click Here to Kill Everybody,” Bruce Schneier writes:
“The problem of IoT devices will get even more complicated as devices – and the interconnections between them – become more complex. The lack of information combined with the complexity of the systems is disempowering to consumers, and almost certainly lulls them into thinking that devices are more secure than they are.”
Bruce Schneier, “Click Here to Kill Everybody”
Schneier goes on to say that the vagueness leads to the sale of the product, but does not provide actual insight to the consumer that will reassure them of the device’s security, update framework, or guidelines for security breaches.
The truth of the matter for any device, IoT or not, is that it has vulnerabilities. Everything has vulnerabilities. It’s like playing a constantly updating game of Rock-Paper-Scissors: anything that can be played can be beaten by playing something else. The question consumers and companies have to ask themselves is, “Is it worth the risk?”
There is some good news. In 2019 a bill named “S.734 – IoT Cybersecurity Improvement Act of 2019” was submitted and amended, and it then sat awaiting approval. It has since been updated and is now “H.R.1668 – Internet of Things Cybersecurity Improvement Act of 2020,” which became law on December 4th, 2020. Its stated purpose is “To establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government, and for other purposes.” While this isn’t for consumers or for companies, it is a step in the right direction.
What needs to be established in the United States is a method to make sure companies test, track and rate the security of their devices. It should be similar to the safety regulations placed on vehicles, car seats, and energy-efficiency products, and to the FDA’s approval of food and medicines. It should be a department that helps organizations test and report on efficiency, ease of use, risk tolerance, technology used, vulnerabilities, and how to remediate those vulnerabilities. Then the acceptance of risk can be clearly communicated to the consumer. If the consumer decides the risks are worth using the device, then they have full knowledge (if not full understanding) of what they have agreed to purchase. Understanding the technology should not fall solely on the consumer; the organization also has to explain it. It takes both parties to agree on and understand what is being sold and bought. This is why it’s important for an organization to make that information readily available, rated, and accurate.
Most consumers in US society don’t even understand what they are purchasing. Many buy IoT products for ease, enjoyment, necessity, or out of ignorance. It is important to have standardized methods for verifying the security of a device and for understanding what vulnerabilities come with it. To be clear, regulations and standards wouldn’t solve all the problems; they may even cause more problems if not managed properly. But delaying or sitting idle while technology continues to advance with no accountability for the information shouldn’t continue. We can’t just have “the devil in the details” anymore. Organizations need to bring those details to light for the consumer, otherwise we will continue to have an easily hackable nation of ignorance.