National Academies Press: OpenBook

Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop (2017)

Suggested Citation:"10 Protecting Consumers from Software Update Risks." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

10 Protecting Consumers from Software Update Risks

Ruth Yodaiken, Federal Trade Commission

Ruth Yodaiken is a senior attorney in the Bureau of Consumer Protection at the Federal Trade Commission (FTC), the agency that protects consumers from unfair or deceptive business practices across all industries. In her talk, Yodaiken described the FTC’s approach to consumer protections in the Internet of Things (IoT) sector, including software update challenges. She specified that she was speaking at the workshop for herself and not on behalf of the FTC.

The FTC has two primary methods of ensuring that consumers are treated fairly: law enforcement and policy. The agency takes a comprehensive view of unfair or deceptive business practices, such as misleading claims or outright fraud, that could open up consumers to risk, before considering crafting new policies or taking legal action.

The FTC is active in the technology industry in general, including the IoT landscape, said Yodaiken. But the agency has not issued any blanket rules or requirements for security or update protocols in IoT devices. Rather, it has focused on the context in which a particular business is operating, recognizing that different devices and different ecosystems require very different update approaches.

Yodaiken said the main questions driving the FTC’s work are the following: What are the benefits to the consumer? What is the risk of harm to the consumer? Can that risk be lessened? And is a business taking reasonable measures to do that? In the IoT industry, the main challenge, she said, is that “a consumer very often has no idea what is going on with their devices, [or] if their devices are compromised.”

Yodaiken noted that companies are responsible for taking reasonable measures to protect consumers from security risks, and if they don’t, the FTC can step in. In 2013, for example, the FTC alleged that TRENDnet’s baby monitors and video cameras lacked adequate security protections, leaving consumers vulnerable to privacy breaches. The FTC alleged that the company failed to encrypt credentials, provide adequate security training to its employees, or conduct vulnerability testing. TRENDnet settled the highly publicized case, but unfortunately, Yodaiken said, the FTC continues to see many of the same issues in today’s consumer products.

WORKING WITH BUSINESSES

In addition to its legal work, a big part of the FTC’s work is to educate businesses and consumers about security issues. Taking a close look at IoT devices, for example, the agency found that different businesses have different definitions of “basic security.” Some companies were extremely experienced and engaged in security issues, yet they still struggled to address vulnerabilities and deploy software updates in IoT devices, often for many of the reasons being discussed at the workshop. Other companies might have a less experienced security team or focus on product features at the expense of security. Other companies might not even consider security a priority. “All of these pieces become parts of the ecosystem and obviously create problems,” Yodaiken said.

When those problems occur, software updates are, of course, a key remedy. By initiating conversations about security and providing educational materials, the FTC encourages developers to design software with security in mind and plan for updates.

In the discussion, Richard Danzig, Johns Hopkins University Applied Physics Laboratory, asked whether the FTC was considering using insurance companies to compel businesses to better secure their software products. Yodaiken replied that the FTC has had some internal discussions about incentives, but noted that the National Telecommunications and Information Administration’s Multi-Stakeholder Process on Software Updates has a subgroup focusing on economic incentives that might be another appropriate forum for further discussing such an approach.

EDUCATING CONSUMERS

Educating consumers is also a key piece of the puzzle. As an example, to combat phishing and malware hacking, the FTC has tried to educate people not to download unfamiliar e-mail attachments, Yodaiken said. The IoT space poses some unique types of challenges. While the FTC does not want to shift the responsibility for security to the consumers, the agency is grappling with how to help consumers better understand the risks inherent to IoT devices. “There are a lot of consumers who don’t understand that their devices are connected to anything, they don’t really understand how the magic works once they’ve set it up,” Yodaiken said. Without this basic understanding, it’s difficult to convey the importance of keeping up with software updates.

Some companies prioritize security and deploy updates seamlessly behind the scenes, but unfortunately this is not always the case. A witness at a recent House Subcommittee on Energy cybersecurity hearing described some IoT devices as having “consumer-grade” security, by which he meant poor security. “That’s not how it should be,” Yodaiken said.

Asking consumers to keep up with security updates while also warning them of phishing and malware attacks—clearly both important factors for enhancing security—can sow confusion. Some companies are not in frequent contact with their customers, and so a user might receive a message about an update from an unfamiliar source. How could we expect the user to evaluate and trust that message in order to determine which notifications are valid and which could be dangerous?

Another problem is the “update fatigue” that can result when a user is constantly bombarded by update notifications, leading them to take notifications less seriously or to avoid spending the time needed to install them and, perhaps, to reboot. The risk of dissuading users from installing updates rises when updates wind up changing device settings. “You like things the way they are, and the device seems to work anyway, so why would you do the update?” Yodaiken summarized.

In the discussion, Eric Grosse, an independent consultant, suggested that one opportunity for better educating consumers is for the FTC to counter common security myths or unhelpful advice that is often shared, such as “never click on a link in an e-mail.” Yodaiken agreed that dispelling myths could be a useful approach to complement consumer guidance.


TOWARD A NEW APPROACH

Yodaiken described the IoT Home Inspector Challenge, a competition the FTC is holding as part of its efforts to empower users to access needed updates and protect their security. The competition is designed to spur the creation of a centralized tool for consumers that enables them to better understand the workings—and vulnerabilities—of IoT devices in their homes. The exact form such a tool would take is unknown, and the FTC is open to all ideas, but the crux is that the tool would free the consumer from complicated detective work and help people protect themselves against IoT-based vulnerabilities and breaches.

Of course, to avoid creating “a gift for hackers,” security is a foremost concern of the tool’s structure. “We don’t want to create a conduit or a list of all the devices you have with vulnerabilities,” Yodaiken emphasized.

There are many questions that such a tool would need to address, such as the following: What devices are in a home? What are their software components? What should their software components be (e.g., are they running the latest versions)? And how are updates facilitated?

The basic goal is to find a way to empower consumers to identify the vulnerabilities they have and take the steps necessary to mitigate them. While the contest is focused on software updates to IoT devices, she said, submissions may also address other security challenges, such as the use of default passwords, privacy issues, or updating of separate components.

In the discussion, Danzig asked whether the Underwriters Laboratories (UL) project might offer another mechanism for this type of consumer empowerment. Yodaiken replied that the FTC is aware of UL and its effort to review and rate consumer software products. That is promising for the future, Yodaiken agreed, but the FTC is focused more on consumers who have already purchased devices and are struggling with them right now.


Software update is an important mechanism by which security changes and improvements are made in software, and this seemingly simple concept encompasses a wide variety of practices, mechanisms, policies, and technologies. To explore the landscape further, the Forum on Cyber Resilience hosted a workshop featuring invited speakers from government, the private sector, and academia. This publication summarizes the presentations and discussions from the workshop.
