10:30 AM
Pat Osborne

IoT Product Safety: If It Appears Too Good to Be True, It Probably Is

Proposed new connected-product repair laws will provide hackers with more tools to make our lives less secure.

There are times when you see or read something for the first time and it makes sense. But later, after you have had some time to think about it, the idea or proposal might not be as straightforward as you originally thought. This is where I am on connected-product repair legislation that has been introduced in more than 17 states.

At first blush, the proposed bills seem to make sense, both for consumers and for small businesses catering to embedded systems or personal electronics. The bills want to provide consumers with opportunities to have their Internet-connected products fixed. To do so, the bills seek to mandate that original equipment manufacturers (OEMs) share all source code, operating system, and security schematic information with any product owner.

Wait, what?

While looking at the proposed legislation, I started thinking about products and systems with embedded software. There is much more to today's connected products than physical parts. For many people, all of their personal and banking data are on their smartphones. Our contacts, emails, texts, pictures, and other information are contained on our phones. Many devices hold our biometric information as well. How does this data get protected?

The proposed legislation in many states requires the OEM to provide the operating system, security, and other patches to anyone. But access to the operating system and other microcode could also allow malware to be introduced into the system without the owner knowing. Some legislation goes further, allowing for the reset of security-related electronic functions — such as passwords, fingerprints, and encrypted data — that could circumvent protections the owner may already have in place. This could lead to sensitive data being exposed or lost due to mishandling.

Requirements for OEMs to provide remote diagnostics, with the ability for setting controls and location identification of the device, can also be used by hackers to wreak havoc.

For example, universal access to the settings makes it possible for hackers to add their own fingerprint, face image, or iris scan to any smartphone, thus allowing access to:

  • Wallet or other payment apps on the device;
  • Location settings for tracking;
  • Geotagging to allow location tracking even if it had been turned off by the smartphone owner;
  • Backup storage location changes; and
  • Mobile hotspot information along with the location information to track an individual and then connect to a smartphone without the user's knowledge.

If a company has a bring-your-own-device policy and an employee uses a device that has been altered, hackers will have an open door to corporate networks and the ability to steal employee Social Security numbers, trade secrets, and critical customer data. This applies to any Internet of Things (IoT) device, printer, camera, or wireless access point (WAP) that was repaired by a malicious independent repair person.

We know that in the world of the IoT, we are only as strong as the weakest link. In the past, if someone stole your radio, your phone, your car, or your company-issued laptop, the damage was minimal, and the result was mostly a nuisance. But today the ramifications of a security breach are monumental and can put companies out of business. For the IoT to fulfill its promise, the secure and private sharing of treasure troves of data must be built into the foundation of all products. As a result, policymakers need to ensure that all technology legislation, at its core, is focused on security and privacy protections.

When people have a coat altered or a purse repaired, they will first empty all the contents out, especially their ID, credit cards, checkbook, and other private information. Yet all of this data is stored on many Internet-connected products. And now, some legislators are proposing laws that could substantially increase access to this sensitive and valuable information.

At its face, it may appear that these repair bills will protect consumers. But, in reality, such bills may provide hackers with the tools they need to make our lives even less secure.


Pat Osborne is a Certified Information Systems Security Professional (CISSP) with over 30 years in the IT field. He is the principal - executive consultant at Outhaul Consulting, LLC, and a cybersecurity advisor for the Security Innovation Center. He has experience in ...
User Rank: Apprentice
3/12/2018 | 11:47:00 PM
Seriously? The misinformation is strong with this one.
Wow, there is a lot of misinformation, confusion, and good old-fashioned "Fear, Uncertainty, and Doubt" (FUD) in this article. It almost reads like a paid piece from a hardware manufacturer.

I'm a little amazed that someone would write such a weak and unsubstantiated article in a time when Linux has become the foundation of most mobile and many IoT devices. When every Android smartphone has its base operating system source code available for anyone, your argument needs a lot more than vague hints and bad analogies to be reasonable.

The simple fact is that IoT devices are in such a horrible and sad state with regards to security that it's hard to imagine how it could get much worse. Mandating that information is available for people and communities to attempt to improve or fix issues at least leads to options.

I want to write more, but it's just hard to even take this article seriously.
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018