Protecting Consumers from Software Update Risks
Ruth Yodaiken, Federal Trade Commission
Ruth Yodaiken is a senior attorney in the Bureau of Consumer Protection at the Federal Trade Commission (FTC), the agency that protects consumers from unfair or deceptive business practices across all industries. In her talk, Yodaiken described the FTC’s approach to consumer protections in the Internet of Things (IoT) sector, including software update challenges. She specified that she was speaking at the workshop for herself and not on behalf of the FTC.
The FTC has two primary methods of ensuring that consumers are treated fairly: law enforcement and policy. The agency takes a comprehensive view of unfair or deceptive business practices, such as misleading claims or outright fraud, that could open up consumers to risk, before considering crafting new policies or taking legal action.
The FTC is active in the technology industry in general, including the IoT landscape, said Yodaiken. But the agency has not issued any blanket rules or requirements for security or update protocols in IoT devices. Rather, it has focused on the context in which a particular business is operating, recognizing that different devices and different ecosystems require very different update approaches.
Yodaiken said the main questions driving the FTC’s work are the following: What are the benefits to the consumer? What is the risk of harm to the consumer? Can that risk be lessened? Is the business taking reasonable measures to do that? In the IoT industry, the main challenge, she said, is that “a consumer very often has no idea what is going on with their devices, [or] if their devices are compromised.”
Yodaiken noted that companies are responsible for taking reasonable measures to protect consumers from security risks, and if they don’t, the FTC can step in. In 2013, for example, the FTC alleged that TRENDnet’s baby monitors and video cameras lacked adequate security protections, leaving consumers vulnerable to privacy breaches. The FTC alleged that the company failed to encrypt credentials, provide adequate security training to its employees, or conduct vulnerability testing. TRENDnet settled the highly publicized case, but unfortunately, Yodaiken said, the FTC continues to see many of the same issues in today’s consumer products.
WORKING WITH BUSINESSES
In addition to its legal work, a big part of the FTC’s work is to educate businesses and consumers about security issues. Taking a close look at IoT devices, for example, the agency found that different businesses have different definitions of “basic security.” Some companies were extremely experienced and engaged in security issues, yet they still struggled to address vulnerabilities and deploy software updates in IoT devices, often for many of the reasons being discussed at the workshop. Other companies might have a less experienced security team or focus on product features at the expense of security. Other companies might not even consider security a priority. “All of these pieces become parts of the ecosystem and obviously create problems,” Yodaiken said.
When those problems occur, software updates are, of course, a key remedy. By initiating conversations about security and providing educational materials, the FTC encourages developers to design software with security in mind and plan for updates.
In the discussion, Richard Danzig, Johns Hopkins University Applied Physics Laboratory, asked whether the FTC was considering using insurance companies to compel businesses to better secure their software products. Yodaiken replied that the FTC has had some internal discussions about incentives, but noted that the National Telecommunications and Information Administration’s Multi-Stakeholder Process on Software Updates has a subgroup focusing on economic incentives that might be another appropriate forum for further discussing such an approach.
EDUCATING CONSUMERS
Educating consumers is also a key piece of the puzzle. As an example, to combat phishing and malware hacking, the FTC has tried to educate people not to download unfamiliar e-mail attachments, Yodaiken said. The IoT space poses some unique types of challenges. While the FTC does not want to shift the responsibility for security to the consumers, the agency is grappling with how to help consumers better understand the risks inherent to IoT devices. “There are a lot of consumers who don’t understand that their devices are connected to anything, they don’t really understand how the magic works once they’ve set it up,” Yodaiken said. Without this basic understanding, it’s difficult to convey the importance of keeping up with software updates.
Some companies prioritize security and deploy updates seamlessly behind the scenes, but unfortunately this is not always the case. A witness at a recent House Subcommittee on Energy cybersecurity hearing described some IoT devices as having “consumer-grade” security, by which he meant poor security. “That’s not how it should be,” Yodaiken said.
Asking consumers to keep up with security updates while also warning them of phishing and malware attacks—clearly both important factors for enhancing security—can sow confusion. Some companies are not in frequent contact with their customers, and so a user might receive a message about an update from an unfamiliar source. How could we expect the user to evaluate and trust that message in order to determine which notifications are valid and which could be dangerous?
Another problem is the “update fatigue” that can result when a user is constantly bombarded by update notifications, leading them to take notifications less seriously or to avoid spending the time needed to install them, including any reboot that may be required. The risk of dissuading users from installing updates rises when updates wind up changing device settings. “You like things the way they are, and the device seems to work anyway, so why would you do the update?” Yodaiken summarized.
In the discussion, Eric Grosse, an independent consultant, suggested that one opportunity for better educating consumers is for the FTC to counter common security myths or unhelpful advice that is often shared, such as “never click on a link in an e-mail.” Yodaiken agreed that dispelling myths could be a useful approach to complement consumer guidance.
TOWARD A NEW APPROACH
Yodaiken described a competition the FTC is holding as part of its efforts to empower users to access needed updates and protect their security, the IoT Home Inspector Challenge. The competition is designed to spur the creation of a centralized tool for consumers that enables them to better understand the workings—and vulnerabilities—of IoT devices in their homes. The exact form such a tool would take is unknown, and the FTC is open to all ideas, but the crux is that the tool would free the consumer from complicated detective work and help people protect themselves against IoT-based vulnerabilities and breaches.
Of course, to avoid creating “a gift for hackers,” security is a foremost concern of the tool’s structure. “We don’t want to create a conduit or a list of all the devices you have with vulnerabilities,” Yodaiken emphasized.
There are many questions that such a tool would need to address, such as the following: What devices are in a home? What are their software components? What should their software components be (e.g., are they running the latest versions)? How are updates facilitated?
The basic goal is to find a way to empower consumers to identify the vulnerabilities they have and take the steps necessary to mitigate them. While the contest is focused on software updates to IoT devices, she said, submissions may also address other security challenges, such as the use of default passwords, privacy issues, or updating of separate components.
In the discussion, Danzig asked whether the Underwriters Laboratories (UL) project might offer another mechanism for this type of consumer empowerment. Yodaiken replied that the FTC is aware of UL and its effort to review and rate consumer software products. That is promising for the future, Yodaiken agreed, but the FTC is focused more on consumers who have already purchased devices and are struggling with them right now.