Sarah Gregory
Executive Editor
Loyola University Chicago School of Law, JD 2018
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, is of vital interest to regulatory lawmaking bodies as well.
Security and Privacy of the IoT
The allure of the IoT is unmistakable: a world where physical devices are seamlessly integrated into information networks, monitoring real life in real time, communicating with one another, and being managed via internet-based services. That world is increasingly being realized: the technology sector has spent the past few years extending its capability beyond computers and smartphones to cars, kitchen appliances, and even heart monitors. Some experts estimate there will be upwards of 34 billion connected devices by 2020.
However, there have already been significant challenges to IoT security—2016 saw a spate of DDoS botnet attacks, targeting IoT devices in particular. Internet-connected appliances are often built without security in mind, and the particular malware behind the 2016 attacks was created to search for unsecured devices, or those still using their default password.
Malicious code infecting routers—then utilizing them to access and infect larger networks—is nothing new. However, the potential for taking and directing control of IoT devices remains omnipresent. In addition, we currently live in an age of ransomware, where a remote attacker demanding payment can hold personal data hostage. Holding the connected, physical world hostage in a similar manner seems increasingly likely. Just recently, two researchers from Pen Test Partners, a security firm based in the U.K., showed they could lock down a ‘smart’ thermostat with ransomware.
IoT ransomware attacks are unlikely to touch the average consumer, at least in the near future. Most individuals simply don’t have the kind of IoT technology that would make such a line of attack profitable. (The Pen Test Partners experiment took place at the IoT Village at Def Con, the annual hacker convention, where router hacking contests are regularly part of the program.) Yet as IoT technology spreads to more off-the-shelf devices and becomes increasingly integrated into modern life, the odds of major security breaches increase. The Pen Test Partners’ experiment and the botnet attacks of 2016 show just how much of a danger this poses to consumers, and how undefended the world of IoT remains.
The FTC and D-Link
Regulators are not ignorant of the threat unsecured IoT technology poses. Over the last several years, the Federal Trade Commission (FTC) has led the way in regulating the privacy and security of consumer devices in the United States. The last major challenge to the FTC’s jurisdiction over security of consumer information was resolved by a 2015 settlement between the FTC and Wyndham Worldwide. The case concerned over three data breaches at Wyndham hotels, resulting in 600,000 customer records being released. The Third Circuit ruled that under the ‘unfair and deceptive practices’ prohibition, the FTC did have jurisdiction to pursue Wyndham on its allegedly deficient cybersecurity.
Running alongside its regulation of consumer privacy more generally, the FTC has taken a particular interest in IoT. In September 2013, the FTC made allegations against TRENDnet, a marketer of video cameras for home security and baby monitoring, stating that its “lax security practices exposed the private lives of hundreds of consumers to public viewing on the internet.” In February 2016, the FTC also settled a case against ASUSTek Computer. Hackers could allegedly exploit security bugs in its routers’ control panels to change security settings, such as passwords, without the consumer’s knowledge.
However, more recently, the FTC filed suit against Taiwan-based D-Link, a hardware manufacturer that allegedly failed to properly secure its wireless routers and IoT cameras. In its complaint, filed in January 2017, the FTC alleged that D-Link’s security failures allowed unauthorized access to cameras’ live feeds and left its routers vulnerable to hacking. The case has generated substantial interest from the tech sector, especially given D-Link’s pushback and its insistence that the case is “politicized government overreach.” In its response, D-Link alleged the FTC lacked any evidence of consumer injury and was therefore unable to bring suit.
Yet at the hearing for D-Link’s Motion to Dismiss, Judge James Donato seemed unconvinced. Under Section Five of the Federal Trade Commission Act, a company is properly liable for selling a product that “is likely to harm.” Donato seemed to reason that because the commission’s job is to prevent consumer protection issues, the absence of harm did not limit the FTC’s action. “You don’t have to wait for the house to burn down for the FTC to run in and say the fire alarms don’t work,” Donato said. If upheld, this could indicate a significant expansion in the FTC’s power when it comes to regulating consumer security, and IoT security in particular.
However, it’s difficult to predict how FTC regulation of IoT technology will proceed—like much else in Washington right now, things are changing. The FTC is currently undergoing a change in leadership from chair Edith Ramirez to Maureen Ohlhausen, the lone dissenting vote and now acting chair. Acting chair Ohlhausen has stated that she sees the FTC’s authority as limited to those instances where concrete harm was experienced by the consumer. Given these dueling theories of liability, the future of IoT regulation is murky.
Looking Ahead to the Future of the IoT
No one foresees the breakneck pace of IoT development slowing. However, as the future of regulation remains uncertain, companies working in the IoT sphere must take initiative to ensure their products are secure. This includes avoiding default passwords, instating encryption where appropriate, and planning for regular updates to security measures, rather than simply rolling out a new model each year. The IoT holds incredible promise for new ways to interact with and leverage smart devices—but only where it is protected by equally smart security measures.