Pat Osborne

IoT Product Safety: If It Appears Too Good to Be True, It Probably Is

Proposed new connected-product repair laws will provide hackers with more tools to make our lives less secure.

There are times when you see or read something for the first time and it makes sense. But later, after you have had some time to think about it, the idea or proposal might not be as straightforward as you originally thought. This is where I am on connected-product repair legislation that has been introduced in more than 17 states.

At first blush, the proposed bills seem to make sense, both for consumers and for small businesses catering to embedded systems or personal electronics. The bills want to provide consumers with opportunities to have their Internet-connected products fixed. To do so, the bills seek to mandate that original equipment manufacturers (OEMs) share all source code, operating system, and security schematic information with any product owner.

Wait, what?

While looking at the proposed legislation, I started thinking about products and systems with embedded software. There is much more to today's connected products than physical parts. For many people, all of their personal and banking data are on their smartphones. Our contacts, emails, texts, pictures, and other information are contained on our phones. Many devices have our biometric information as well. How does this data get protected?

The proposed legislation in many states requires the OEM to provide the operating system, security, and other patches to anyone. But access to the operating system and other microcode could also allow malware to be introduced into the system without the owner knowing. Some legislation goes further, allowing for the reset of security-related electronic functions — such as passwords, fingerprints, and encrypted data — that could circumvent protections the owner may already have in place. This could lead to sensitive data being exposed or lost due to mishandling.

Requirements for OEMs to provide remote diagnostics, with the ability for setting controls and location identification of the device, can also be used by hackers to wreak havoc.

For example, universal access to the settings makes it possible for hackers to add their own fingerprint, face image, or iris scan to any smartphone, thus allowing access to:

  • Wallet or other payment apps on the device;
  • Location settings for tracking;
  • Geotagging to allow location tracking even if it had been turned off by the smartphone owner;
  • Backup storage location changes; and
  • Mobile hotspot information along with the location information to track an individual and then connect to a smartphone without the user's knowledge.

If a company has a bring-your-own-device policy and an employee uses a device that has been altered, hackers will have an open door to corporate networks and the ability to steal employee Social Security numbers, trade secrets, and critical customer data. This applies to any Internet of Things (IoT) device, printer, camera, or wireless access point (WAP) that was repaired by a malicious independent repair person.

We know that in the world of the IoT, we are only as strong as the weakest link. In the past, if someone stole your radio, your phone, your car, or your company-issued laptop, the damage was minimal, and the result was mostly a nuisance. But today the ramifications of a security breach are monumental and can put companies out of business. For the IoT to fulfill its promise, the secure and private sharing of treasure troves of data must be built into the foundation of all products. As a result, policymakers need to ensure that all technology legislation, at its core, is focused on security and privacy protections.

When people have a coat altered or a purse repaired, they will first empty all the contents out, especially their ID, credit cards, checkbook, and other private information. Yet all of this data is stored on many Internet-connected products. And now, some legislators are proposing laws that could substantially increase access to this sensitive and valuable information.

At its face, it may appear that these repair bills will protect consumers. But, in reality, such bills may provide hackers with the tools they need to make our lives even less secure.

Pat Osborne is a Certified Information Systems Security Professional (CISSP) with over 30 years in the IT field. He is the principal - executive consultant at Outhaul Consulting, LLC, and a cybersecurity advisor for the Security Innovation Center. He has experience in ...
3/12/2018 | 11:47:00 PM
Seriously? The misinformation is strong with this one.
Wow, there is a lot of misinformation, confusion, and good old fashioned "Fear, Uncertainty, and Doubt" (FUD) in this article.  It almost reads like a paid piece from a hardware manufacturer.

I'm a little amazed that someone would write such a weak and unsubstantiated article in a time when Linux has become the foundation of most mobile and many IoT devices.  When every Android smartphone has its base operating system source code available for anyone, your argument needs a lot more than vague hints and bad analogies to be reasonable.

The simple fact is that IoT devices are in such a horrible and sad state with regards to security that it's hard to imagine how it could get much worse.  Mandating that information is available for people and communities to attempt to improve or fix issues at least leads to options.

I want to write more, but it's just hard to even take this article seriously.
3/17/2018 | 3:08:08 PM
IoT devices are insecure by design, not repair
Ugh. So much speculation and so few facts.  

First, anyone that has actually read the proposed legislation in 18 states would notice that the only information, firmware, parts, tools and diagnostics required are those ALREADY being provided to thousands of repair techs around the world. None of this information is secret, and most of it is already available illegally in Asia.  Legislation is carefully targeted for the sole purpose of allowing legal competition for repair services at the choice of the owner.

Even when the equipment being repaired is being used for a security function (such as a security camera), the application run on the CPU within the camera is irrelevant to repair.   The camera either passes a signal correctly or it does not.  Someone has to repair the camera, and give it back to the owner.  It's the owner that cares about his or her security -- and it's still the owner that gets to decide whom to trust for repair.

If anyone has any doubts of the responsibility of the OEM to protect the security of the owner, just read the purchase contract closely.  Every contract always disclaims responsibility for how equipment is used and carefully limits their risk and potential damages in that contract.

As to actual cyber risk -- equipment is either secure by design, or insecure.  Sadly, millions of IoT devices are being thrown into the marketplace with weak or absent security -- allowing botnets and other hacks to proliferate worldwide.  These devices are already up and running and attached to a network, unlike devices which are broken and offline.   Equipment under repair is among the most secure because it's offline.

Opponents to Right to Repair have gleefully suggested that consumers will lose personal data without any explanation of how that might happen.  We've yet to hear of anyone losing personal data as the result of an iPhone repair -- because Apple does an excellent job of security and encryption.  Apple has even stated publicly that despite their source code being posted on the internet, personal security was never at risk.

Happy to discuss any real examples of how repair as a business has made IoT devices less secure.