Putting teeth into enforcing Internet of Things security, but for how long?

The Internet of Things (IoT) has a bad rap these days. As billions of devices, like DVRs and webcams, ship to consumers worldwide, no government or industry organization has any real power to ensure that the devices have proper security and an upgrade path to patch flaws. That’s not new in the computer and consumer electronics worlds. But the IoT makes hackable devices in fixed locations attached to high-speed broadband an incredibly desirable target for security agencies and criminal gangs to use as armies of bots.

While some IoT devices are expensive, like a $200 Nest camera, those are outliers. The vast majority of gear being shipped is already deep in a race to the bottom. The makers of cheap hardware don’t typically put security at the top of their priority list, nor have much compulsion to offer software upgrades for security indefinitely—or even at all.

So what can shift that balance, making consumer privacy and Internet security valuable to makers? Putting teeth into the consequences of failure to meet a basic bar. In some segments of the electronics industry, trade groups have this power through certification and sometimes through encryption. If you want to sell a device that’s labeled Wi-Fi (without having your products blocked and you being sued), you have to pay for testing and to use the Wi-Fi trademarks. Sell it with that label and mark and without approval, and you can wind up sued, have your imports blocked, and find retailers refusing to sell your product.

The IoT has no such group that’s providing branding and certification. This leaves all the biting to government agencies. In the U.S., Federal Trade Commission (FTC) can’t act ahead of harm. Despite having released best-practices guidelines and pursued some limited complaints and threats of action, it cannot force any maker in the U.S. or any that exports its products to sell in America to comply to any standards before it identifies a consumer wrong.

But the FTC can take action. That’s what happened on January 6 to D-Link, a Taiwanese firm with a long history of making networking equipment, and more recently a broad array of devices that fit the IoT rubric. The FTC’s action is welcome—based on its allegations, which remain to be proven in court or through a settlement—but under a Trump administration, it’s unclear whether we’ll see anything similar happen.

Deliberate overpromising

The FTC lacks the power to sue over features. Its enforcement efforts have to do with whether promises to consumers were fulfilled—that is, fraud and deception. (Safety issues relating to injury or property damage, such as the recall of Samsung’s Note7, are handled by the Consumer Product Safety Commission, though the FTC can get involved if they allege fraud as well.)

D-Link

The FTC alleges that D-Link had a number of security flaws that defy industry standard practices and sense, while advertising its products as “easy to secure” and “advanced network security.” D-Link issued a statement, posted on its website, that says the charges are “unwarranted and baseless,” and notes, “The FTC does not allege any breach of any product sold by D-Link Systems.”

That latter item will be a sticking point if this goes to trial. While this columnist is not a lawyer, the FTC routinely proceeds against companies that advertise what they do not deliver without having to prove a specific harm besides a consumer paying for a product. If D-Link had never advertised security features in any fashion, the FTC would have more limited ability to respond.

For consumers, the most important aspect is that almost nothing the FTC alleges D-Link did or failed to do could be fixed by better education or configuration options. For instance, the FTC says D-Link left a private key used for code signing was left on a public website for six months. That meant any party that obtained the key could cryptographically sign an update destined for a D-Link product that examined the signature before installing it.

I write about security and privacy issues constantly, and a regular bit of feedback from veteran tech users is a wagging of the finger at people who don’t learn enough about the products they use to secure them properly.

Many of the IoT failures documented to date, along with the D-Link charges, involve hard-coded behavior and settings that can’t be changed or don’t change even if the interface says they do. In other cases, it’s server-side stuff that only a manufacturer can fix, and a user would need packet-sniffing software and networking expertise to begin to suss out.

One hopes the FTC’s complaint, whatever its outcome, will put a finger on the scale of manufacturers that had given too little thought to security. But there’s a fly in the ointment: a change of administration.

An unregulated future?

It’s still too early to know what a Trump appointee’s view of the FTC’s role will be. Trump and the Republican Party have said many times that businesses are encumbered by too many regulations, and that markets sort out problems by causing companies to fail that don’t meet the needs of customers.

The IoT realm is a good counterexample. Given that there’s no regulation that covers security and privacy, consumers have had imperfect knowledge and there has been no countervailing consequence that made less well-made IoT products sell less well. So many companies manufacture IoT products and most are imported. Amazon, Alibaba, and other online retailers let manufacturers sell directly without vetting or rejecting products unless they’re reported for illegality or dysfunction.

In that space, the FTC mends a broken market. In a new administration, this may still be seen as meddling, but we don’t know. It’s possible that in these areas that lack specific regulation, the administration will advocate for consumers in just this fashion.

The D-Link complaint could be the last of this sort we see in a long while, or the first in a long line. We’ll find out soon.