Public Hearing on IoT Risks

The US Consumer Product Safety Commission is holding hearings on IoT risks:

The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. The information received from the public hearing will be used to inform future Commission risk management work. The Commission also requests written comments.

Maybe I should send them my book manuscript.

Posted on April 3, 2018 at 6:22 AM • 21 Comments

Comments

stine • April 3, 2018 7:00 AM

Only if you never want to get paid for it. Also, what are the chances that more than a handful of officials would read it and understand the implications?

You should probably add that hearing to your schedule.

Mace Moneta • April 3, 2018 7:59 AM

When you buy a Chromebook or smartphone, the device is intended to work with cloud services. However, by design, much of the functionality can be used without Internet access.

IoT should be the same, giving the user the option of LoT (LAN of Things) basic operation. Some manufacturers actively support this, even providing device support for user / open source replacement firmware (e.g., Itead Sonoff).

The problem for consumers is that they can't tell what will or won't work offline, and no end-user configuration option to stay LAN-only is available.

All my devices (~65) work without Internet connectivity, so it's possible. Right now, that's in the hobbyist realm, not the typical consumer realm. If CPSC wants to do something useful, they'd mandate LoT as required functionality. But they won't.

neill • April 3, 2018 8:48 AM

if AT&T gets their way with that ONAP project we won't need to spend much time on IoT security RE DDoS - that would be taken care of by intelligent routing ... hopefully that thru software-defined-networking 'builtin'

now talking privacy (webcams) that's another story ... if ATT has the master key ... all bets are off

David Rudling • April 3, 2018 11:04 AM

The acting chairman's term of office expires October this year. The new chair will be appointed by POTUS. There is the real possibility that this commission will go the way of the EPA in regard to the wishes of big business being promoted and the protection of the citizen being relegated. Big business will not want to fund the kind of research and development or accept the kind of disruption to existing production needed to avoid the worst outcome. So expect the worst - with or without Bruce's excellent input to the debate. Although not a US citizen myself the decisions of this US commission will set the global course so forgive me if I offer these comments on a domestic US matter.

Bauke Jan Douma • April 3, 2018 11:16 AM

“The United States and its population are increasingly exposed to substantial harm and an erosion of security from individuals and small groups of motivated actors, leveraging the conflu­ence of hyperconnectivity, fear, and increased vulner­ability to sow disorder and uncertainty. This intensely disorienting and dislocating form of resistance to author­ity arrives via physical, virtual, and psychological vio­lence and can create effects that appear substantially out of proportion to the origin and physical size or scale of the proximate hazard or threat.”

From: At Our Own Peril: DoD Risk Assessment in a Post-Primacy World

"resistance to author­ity" ...

M • April 3, 2018 11:18 AM

@Mace Moneta Is it hard to ask the manufacturer "will it continue to work if my Internet connection is down or the company servers are not reachable?" I've done that a number of times and often walked away afterwards.

AJWM • April 3, 2018 11:36 AM

"resistance to author­ity" ...

Yes. Since political power derives from consent of the governed, it's very concerning that government is increasingly resisting and even ignoring our authority.

Fred P • April 3, 2018 12:32 PM

I'm going to have difficulty with this one, due to the jurisdiction of the CPSC; on the request for comment ( https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards ) , it states:

"The consumer hazards that could conceivably be created by IoT devices include: Fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure. We do not consider personal data security and privacy issues that may be related to IoT devices to be consumer product hazards that CPSC would address." (emphasis mine)

Pretty much all I can think of are contusion issues for robots that I've worked on; hypothetically, an unexpected movement of such a device could cause contusions. That said, I'm unclear that my testimony would be unique or useful enough to bother submitting.

VinnyG • April 3, 2018 1:44 PM

@Mace Moneta @M re disconnected function - I ran across reference to a product/system named Particle Mesh a few months back, and thought it seemed promising for linking automated controllers without requiring a use of the cellular network. Since I don't have a current requirement, I did not contact the company for confirmation that this system can be permanently disconnected from outside networks and remain fully functional:
https://www.particle.io/mesh/

VinnyG • April 3, 2018 1:46 PM

Following my own advice :) I have no relationship in Particle Mesh, and my only interest to date in that product is academic.

Cassandra • April 4, 2018 3:23 AM

Strict liability for the manufacturer/importer of devices for the entire lifetime of the device, unless the device can have a user-signed firmware installed by the user, in which case the liability moves to the purchaser of the device, but only when non-original firmware is installed. Purchaser can move liability by purchasing services from a third-party to keep firmware updated, or do it themselves.

Hidden back-doors move liability back to the manufacturer/importer.

This is basic application of the principle of 'whoever controls the actions of a device is liable for those actions'.

Most people who own their own homes or cars understand the need to maintain them. The same is true for IoT equipment, and this needs to be learned as well. There will always be scofflaws, but most engage professionals to do any necessary maintenance work, and some do it themselves, often to an exemplary standard.

One of the aspects of being a professional maintainer of something is that practitioners will (or maybe should) have professional liability insurance. In many jurisdictions, for example, your fire insurance is only valid so long as only licensed electricians have worked on your domestic electrical system, and you have the paperwork to prove it. Other jurisdictions take the view that most DIY practitioners are competent and the risk/reward calculations are that allowing people to work on their own installations is of net benefit overall (I take the latter view). The distinction between amateur and professional work is the usual test of whether you are paid to do it, so you can still help your friends and neighbours, so long as you do not get paid in ways recognised by tax administrations.

The test of whether you are making responsible use of IoT equipment would probably be along the lines of 'not unreasonably preventing the manufacturer from pushing an update' and 'ensuring any updates you apply are reasonably timely, and known vulnerabilities are addressed within a reasonable period of time'. Reasonable is a weasel word often used in contracts, and lawyers and judges are well-experienced in its interpretation.

I think key things to understand about IoT security are that there is no single panacea, and that established principles of liability, contract law, and public regulation can be used to greatly improve the current situation. There is also no reason to assume that IoT security requires complex technical solutions requiring locked-down firmware - use of user-applied firmware and FLOSS need not be banned.

Cassandra

65535 • April 4, 2018 6:14 AM

@ VinnyG

“I did not contact the company for confirmation that this system can be permanently disconnected from outside networks and remain fully functional”

That is a good question and should be asked about most IoT devices.

@ Cassandra

“Strict liability for the manufacturer/importer of devices for the entire lifetime of the device, unless the device can have a user-signed firmware installed by the user, in which case the liability moves to the purchaser of the device, but only when non-original firmware is installed.”

I hesitate to turn this into a long term “Lawyer’s annuity act” but I have to agree with the thrust of what you are advocating.

I say:

1] Disclose all undocumented functions or front facing hardcoded passwords.
2] Ensure there is a mechanism to keep IoT from becoming a part of a bot net with DDOS attack capability.
3] Disclose any and all privacy killing situations to consumers before purchase.
4] Disclose all 4th Amendment conflicts by using any/all IoT devices.

I will think of more questions about IoT devices soon.

To the people in the know:

Do people get to write papers on IoT devices and have them entered into the public record?

That sounds good for wheel chair bound people who cannot attend.

“The hearing will be in the Hearing Room, 4th Floor of the Bethesda Towers Building, 4330 East-West Highway, Bethesda, MD 20814. Requests to make oral presentations, and texts of oral presentations, should be captioned: “The Internet of Things and Consumer Products Hazards,” and sent by email to cpsc-os cpscov, or mailed or delivered to the Office of the Secretary, Consumer Product Safety Commission, 4330 East-West Highway, Bethesda, MD 20814, no later than 5 p.m. on May 2, 2018.”- US Consumer Product Safety Commission

https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards

Harry • April 4, 2018 8:14 AM

@Cassandra: "The distinction between amateur and professional work is the usual test of whether you are paid to do it, so you can still help your friends and neighbours, so long as you do not get paid in ways recognised by tax administrations."

Not to take away from your overall gist, but there are several things wrong with this one sentence.

1) In jurisdictions requiring licensing, you can't "help your friends and neighbors" if you're not licensed. The requirement is that work is done by a licenced person, not that it's done professionally.

2) Getting paid is not the right definition of amateur/professional; the right definition is whether you are licenced. I could pay my Navy Electronics Tech friend to rewire my place; but since he is not licenced in my state, the work would be illegal. Doesn't matter that my friend was certified by the US Navy to work on billion dollar systems, what controls is state regulation.

3) "... not get paid in ways recognized by tax administrations." There are no payments that aren't recognized by the tax authority. Any and all compensation for work - be it money, exchange of services, or dinner out - is income. In practice, much of this goes unrecorded or the tax authority turns a blind eye ... but that doesn't change the fact that you're recommending tax evasion.

Cassandra • April 4, 2018 8:37 AM

@Harry

Thanks for the reply.

Your criticism is correct for jurisdictions that require licensing, but not all do.
Similarly, the professional/amateur status need not depend on licensing. Finally, tax administrations vary in their treatment of services 'in kind'. I do not recommend overly onerous regulation, but then, I'm not a bureaucrat. For 'the Land of the Free', U.S. State and Federal regulations sometimes appear surprisingly onerous to those who come from other jurisdictions.

@65535 - Thanks for entering into the spirit of the discussion.

C.

Stephen Gardner • April 4, 2018 3:17 PM

The most important reason why any IoT device would need to "phone home" and talk to the servers of the manufacturer is best summed up in a paraphrase of a famous video game: "All your data are belong to us". It's just that simple and although there are a million specious reasons that clever people can come up with other than data collection on you I don't believe any of them. Yes, I recognize that voice recognition has to be processed back at the ranch (which is why I don't use it--think about it for a minute--even things you say to your spouse are going up there if you are in earshot of the device) and phone based navigation needs to access maps but most IoT stuff really doesn't need to access anyone's server. But they do because you are the product.

Fred P • April 4, 2018 3:54 PM

@65535 - "Do people get to write papers on IoT devices and have them entered into the public record?"

From https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards emphasis mine:

"You may submit written comments, identified by Docket No. CPSC-2018-0007, by any of the following methods:

Electronic Submissions: Submit electronic comments to the Federal eRulemaking Portal at: www.regulations.gov. Follow the instructions for submitting comments. The Commission does not accept comments submitted by electronic mail (email), except through www.regulations.gov. The Commission encourages you to submit electronic comments by using the Federal eRulemaking Portal, as described above.

Written Submissions: Submit written submissions by mail/hand delivery/courier to: Office of the Secretary, Consumer Product Safety Commission, Room 820, 4330 East-West Highway, Bethesda, MD 20814; telephone (301) 504-7923.

Instructions: All submissions received must include the agency name and docket number for this notice. All comments received may be posted without change, including any personal identifiers, contact information, or other personal information provided, to: www.regulations.gov. Do not submit confidential business information, trade secret information, or other sensitive or protected information that you do not want to be available to the public. If furnished at all, such information should be submitted in writing."

echo • April 4, 2018 9:47 PM

I'm sure the UK government (or branch of government) commissioned a report looking into this topic. I can't for the life of me discover this anywhere behind the wall of marketing and obfuscative passing the buck and last but not least writing women out as if we didn't exist.

Evaluation Scoping Study for the IoT UK Research and Innovation Programme(2015-2018)
https://www.gov.uk/government/publications/evaluation-scoping-study-for-the-iot-uk-research-and-innovation-programme2015-2018

Promoting investment and innovation in the Internet of Things
https://www.ofcom.org.uk/consultations-and-statements/category-1/iot

The history of Internet of Things (IoT)
https://innovateuk.blog.gov.uk/2017/07/03/the-history-of-internet-of-things-iot/

65535 • April 5, 2018 10:27 AM

+1 for Fred P’s proper way to submit your ideas into the Federal Record.

Good job!
