Monthly Archives: January 2014

We’re gonna need a bigger boat — FTC ruling on (at least one) IoT device

Leave a reply

biggerboatI missed this when it came out in last fall, but it is a step in the right direction.  An IoT manufacturer has settled with the FTC  for “failure to reasonably secure IP cameras against unauthorized access” for their cloud-connected IoT video camera.  According to the complaint, the FTC went after the manufacturer, TrendView, for several issues with its SecurView cameras to include:

  • transmitted user login credentials in the clear
  • user credentials stored in the clear
  • vendor failed to implement a process to actively monitor security vulnerability reports from third-party researchers
  • lack of security architecture review
  • lack of security review and testing during software development

The FTC alleged that these, among others, contributed to putting users at “significant risk.”

Also, according to this article at ReadWrite.com,  a security researcher figured out that one of the Internet domain names that the manufacturer had listed as a secure host for video streams was not registered!  The researcher, Craig Heffner, now with Tactical Network Solutions, was able to acquire that domain name. If desired, he could have then picked up all of the video streams from users pointing their devices to that domain.  Since the users were advised by the manufacturer to use that domain name, the users would have no idea that their data could have been streaming to someone else.

And the networked-based video surveillance business is booming.  Per the FTC complaint, IP (Internet Protocol) video camera sales were $6.3 million in 2010, $5.8 million in 2011, and $7.4 million in 2012.  Remember, this is just one company’s products.  There are many others and the number of manufacturers will continue to grow.

Without such challenges by an agency like the FTC, there is little to motivate manufacturers to supply products that have been developed with reasonable security oversight in the process.  That said, with tens of billions of IoT devices expected in the next few years, I don’t think that the FTC, as it stands, is going to be able to make a huge dent.  It seems to me that an entirely new way of viewing and enforcing privacy law is required and I don’t see that coming in the near future.

As Brody observed in the movie Jaws in 1975, “We’re gonna need a bigger boat.”