‘Internet of Things’ experts worry about collision between digital, physical worlds

15 February 2017. By Mike Swift.

As the Internet increasingly collides with the world of physical things in the form of connected cars, cameras and billions of other programmable household devices, regulators and lawmakers need to learn how to create hybrid rules that protect not just consumers’ privacy and data security, but also their physical safety.

That was the consensus of a group of “Internet of Things” experts Wednesday at one of the world’s largest digital security conferences* in San Francisco, the same city where the US Federal Trade Commission is also litigating a ground-breaking IoT case against D-Link, which makes wireless routers and Internet-connected cameras.

“It’s too late to talk about ‘regulation,’ or ‘no regulation.’ I think that ship has sailed,” said Bruce Schneier, the chief technology officer of IBM Resilient, the company’s cybersecurity arm. “Now we’re talking about smarter regulation versus stupider regulation.”

The most likely early source of those IoT rules is the California legislature; state lawmakers recently told MLex that they plan to consider IoT privacy and security issues in the legislative session that started last month.

“I don’t have a whole lot of confidence in this Congress” to be able to pass federal IoT security rules, said Craig Spiezle, president of the Online Trust Alliance, a group that has completed a set of privacy and data security self-regulatory principles for IoT devices. “I think that California might be the leading light that will lead to some stuff, and define requirements.”

The D-Link case is not the only one that underscores the growing regulatory interest in IoT privacy or security. The FTC and the State of New Jersey last week reached a settlement in which Vizio will pay $2.2 million to settle allegations that it deceived consumers by installing software on its Internet-connected televisions that collected and shared data with third parties about what consumers watched without their knowledge or consent.

Wednesday’s IoT session was attended by officials from the US Federal Communications Commission who quizzed Spiezle on the sidelines afterward about whether there is a role for Internet service providers in safeguarding IoT devices. That regulatory interest underscores how the landscape has changed since hackers harnessed millions of IoT devices to launch a cyberattack that temporarily took down Netflix, Twitter, Airbnb and other popular online services in October.

That attack by the Mirai botnet may prove to be a seminal event, because it demonstrated how hackers could harness billions of IoT devices with poor security to disrupt the public Internet. Increasingly, it is being recognized by technologists that unsecured IoT devices can also pose a physical threat to their owners.

Imagine, Spiezle said Wednesday, an attack in which hackers seized control of millions of devices, rapidly cycling them on and off so they generated enough heat to catch fire. Fires could simultaneously erupt in hundreds of homes, in hundreds of cities. “It would be an act of terrorism,” Spiezle said.

“We have to realize this is an urgent problem. We are shipping stuff now that will live in in our environment for a very long time,” said Olaf Kolkman, the chief Internet technology officer for the Internet Society. “At some point, somebody will get killed — and then we’ll have that presidential tweet.”

D-Link is challenging in US District Court whether the FTC has the authority to allege that the company’s lax security created the threat of future harm to consumers in violation of Section 5 of the FTC Act.

Unlike previous IoT enforcement actions, D-Link and its US subsidiary, D-Link Systems, had not suffered a security breach prior to the FTC suit. Because no consumers were actually harmed, D-Link says the FTC suit must be thrown out.

But in a court filing Tuesday arguing that it does have authority to bring an enforcement action before an actual security breach, the FTC detailed the potential risks to consumers from D-Link’s allegedly lax security.

“Using a compromised router, attackers could obtain consumers’ tax returns or other files stored on the router’s attached storage device,” the FTC told US District Judge James Donato. “DLS’s cameras, which are offered for home security or for consumers to monitor their children, were vulnerable to attackers, who could use them to monitor consumers’ whereabouts, target them for theft or other criminal acts, or observe and record their personal activities and conversations or those of their young children. These risks are real.”

One problem with the Internet of Things, Schneier said Wednesday, is that technology is advancing so quickly that regulators and the law can’t hope to keep up.

“A lot of us [in Silicon Valley] have been libertarians forever. Our response to regulation has always been, ‘none of the above,’ ” Schneier said. “That will no longer be the answer when the Internet crashes into the physical world, and life and property are lost.”

*RSA Conference 2017, San Francisco, California, Feb. 13-17, 2017.

Receive MLex Editor's Picks in Your Inbox

Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.