Disregard of Security Update Support in IoT Unlikely to Last Long
IoT devices, historically built with little regard for security, have become a common target for cybercriminals seeking a foothold on the home network. Without defined security standards for smart things, consumers are unaware of the risk they take when buying a vulnerable gadget, and have no way of knowing whether the vendor is committed to correcting security issues or for how long that support will be delivered.
This is likely to change, as the US Commerce Department, through its National Telecommunications and Information Administration (NTIA), aims to develop guidance for IoT makers on informing customers about the security update policies for their products. The Federal Trade Commission (FTC) has also offered input intended to make the message clearer for consumers, recognizing security updates as an important defense against attackers.
NTIA’s draft document focuses on the details of a device’s updatability that IoT manufacturers should consider communicating to customers before or after purchase. The guidance lists six elements that should be conveyed to the end user about a product’s security update features: whether the device can receive updates at all, the method by which patches are obtained, how the user is notified of a new firmware release, the support period, the integrity of the update delivery mechanism, and the impact on the device once updates are no longer delivered.
One FTC comment addresses the device’s security support timeline, which the agency says should leave no doubt as to the minimum period: either a clearly specified end date or, if a general duration is stated (e.g. 30 months), an indication of when support started.
“Without a start time, a consumer may buy a device expecting the full support period, even if the clock started much earlier,” explains the FTC response.
The agency also recommends vendors disclose what happens when a smart device becomes unsupported, whether it loses basic functionality or can continue working just like its “dumb” counterpart.
Additional FTC input on the update notification system stresses the need for manufacturers to adopt a standard method. Most consumers are unaware of new firmware releases unless they are made obvious. Where no automatic update mechanism exists, the agency proposes letting consumers sign up for security notifications; the same channel could also be used to warn the customer when the support period is about to end.
Finally, the agency sees no value in describing how the device maker secures updates and the update process: ensuring a reasonably protected procedure is a basic part of the operation, and explaining the safeguards brings no benefit to consumers. The FTC notes that “the more extraneous information consumers receive, the more likely they are to feel overburdened by choice and ignore critical information” and recommends excluding it.
These recommendations benefit the end user, but they also spark competition among IoT makers. With this information on the package, the buyer can be driven to choose one smart gadget brand over another. The importance of security updates should not be neglected by IoT makers but, at the moment, it is mostly the big names that have implemented a robust mechanism for delivering new firmware versions to their devices.