Version of 16 October 2020
Published in ANZCompuLJ 9, 93 (2021) 31-36
Kayleen Manwaring & Roger Clarke **
© Xamax Consultancy Pty Ltd, 2020
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://rogerclarke.com/II/IoTCJ.html
Security flaws in Internet of Things1 (`IoT') devices are acknowledged to be common. Security vulnerabilities have been found in Internet-connected toys, televisions, security cameras, door locks, medical devices, fitness trackers, baby monitors, cars and even guns.2 Hackers can use these vulnerabilities to take remote control of devices, steal or change data, or spy on users.3 These activities can cause physical, psychological and economic harm, not just to the consumers who own these devices, but also to others who are connected to them.
The Australian Department of Home Affairs and the Australian Signals Directorate (`ASD') held a period of consultation from November 2019 to March 2020 on potential regulation of consumer IoT devices and received feedback from `critical infrastructure providers, cyber security companies, government bodies, domestic and international consumers and not-for-profit advocacy groups'.4 As a result, the Federal Government has released a voluntary `Code of Practice: Securing the Internet of Things for Consumers' (`Australian Code').5 Compliance is `encouraged but optional'.6 However, as the Australian Code is not mandatory, chances of compliance are low. The existence of a Code may even lend weight to the erroneous assumption that products allowed to be sold are secure by default.7 Even industry representatives have criticised the Code for `lack[ing] an implementation and compliance framework'.8
As foreshadowed by scholars investigating precursor technologies such as mobile and pervasive computing,9 it is now clear that many IoT devices designed for consumers are less secure than other information infrastructure, such as desktop computers.10 In 2017, researchers completed a project, funded by the consumer advocacy group Australian Communications Consumer Action Network (`ACCAN'), investigating security vulnerabilities in consumer IoT devices. In this study, all 20 consumer IoT devices tested contained a security flaw, and many had potentially serious problems. These devices included a camera, a motion sensor, a smoke alarm, a sleep alarm, a weighing scale, an air quality monitor, a light bulb, power switches, a talking doll, a photo frame, a printer, a controller, a voice assistant, a smart TV and smart speakers.11
Factors leading to poor security outcomes for IoT devices include:
These security issues in IoT devices can give rise to significant consumer and community harm. People can be subject to unwanted surveillance and harassment18 in the home, not only by malicious strangers but also by intimate partners.19 Personal information can be exposed to the world20 at large. Physical harm can arise from device failure or malfunction21 caused by hackers, and malicious remote control of inherently dangerous connected objects (such as cars).22
Consumers do not need to own, possess or be in proximity to devices to be harmed by them. Many IoT devices can be used in what is known as a `distributed denial of service' attack. In these attacks, large numbers of devices are hijacked and used to `flood' other Internet services with malicious traffic in order to make those services unusable.23 During these attacks, the entity that owns the device is usually unaware that their compromised devices are participating in the attack. The increase in people working from home during the COVID-19 pandemic may also enable the hijackers to start inside poorly-secured home networks, and apply the employee's privileges to get inside their employer's networks, further expanding the threats.24 Convergence of consumer and enterprise IoT such as medical devices and smart energy meters has also been identified as an additional risk.25
The foundations of security must be established by the manufacturer of the device, but end users must also play their part. In late 2019, remote hackers were accused of yelling racial slurs at a child and at adults in separate incidents, via the speakers in Amazon-owned Ring security cameras. Amazon blamed the security breach on consumers reusing the same passwords on multiple services. Once hackers cracked the password for one of those services, they had access to all the others as well.26
The Australian Code is based in large part on another voluntary Code of Practice, the United Kingdom government's 2018 Code of Practice for consumer IoT security27 (`UK Code'). Like the UK Code, the Australian Code is directed towards industry. The ASD's Australian Cyber Security Centre has also issued guidance for consumers28 (as well as additional Guidance for Manufacturers).29
Again like the UK Code, the Australian Code is based on 13 principles. Additionally, the government has recommended that providers prioritise Principles 1, 2 and 3 (`priority principles'), due to the belief that implementation of these three principles `will bring the largest security benefits in the short term'.30
The 13 principles are set out in Table 1. Additionally, the Australian Code follows the UK Code in recognising that IoT devices are hybrids of software, hardware, and physical object, and are also dependent on additional services.31 Unsurprisingly, the different businesses responsible for the different components have varying capacities to implement cyber security measures. Consequently, for each Principle, the Codes specify the entity or entities in the provider network32 to which the Principle primarily relates. However, this does not allocate responsibility or liability to any particular provider.
Table 1

| Principle | Relevant Provider Network Entity (as specified in the Code) |
| --- | --- |
| PRIORITY PRINCIPLES | |
| 1. No duplicated default or weak passwords | Device Manufacturers |
| 2. Implement a vulnerability disclosure policy | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| 3. Keep software securely updated | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| OTHER PRINCIPLES | |
| 4. Securely store credentials | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| 5. Ensure that personal data is protected | Device Manufacturers; IoT Service Providers; Mobile Application Developers; Retailers |
| 6. Minimise exposed attack surfaces | Device Manufacturers; IoT Service Providers |
| 7. Ensure communication security | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| 8. Ensure software integrity | Device Manufacturers |
| 9. Make systems resilient to outages | Device Manufacturers; IoT Service Providers |
| 10. Monitor system telemetry data | Device Manufacturers; IoT Service Providers |
| 11. Make it easy for consumers to delete personal data | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| 12. Make installation and maintenance of devices easy | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
| 13. Validate input data | Device Manufacturers; IoT Service Providers; Mobile Application Developers |
Various overseas governments and international bodies have published 'good cyber security practice' documents for the IoT. These include:
and the standards bodies:
However, all of these `good practice' documents are merely educational. They contain no substantive incentive to drive industry change, particularly where significant cost is involved. The Australian Government has framed the introduction of the Australian Code as `encouragement' and a `signal' to Australian industry that IoT security must be improved.37 However, the efficacy of this approach must be doubted. Encouragement, even by the government, means little in an environment where directors are expected (and even legally required)38 to make decisions in the best interests of their shareholders.
Signals to the market might have better chances of success. Singapore has also just announced a voluntary code for labelling cyber security standards on IoT products.39 Industry advocates in Australia have suggested similar approaches to help address some of the shortcomings of the Australian Code. For example, the IoT Alliance Australia has suggested an industry-based accreditation scheme, with independent assessors and a security mark.40 However, such schemes primarily protect industry against regulation, and do little to protect the public against harm arising from technology.
California has already introduced binding legislation, first operational in early 2020, that provides a specific enforceable requirement on cyber security in consumer `connected devices'. The Californian law requires manufacturers to equip these devices with `reasonable security feature[s] ... designed to protect the device and any information contained therein from unauthorised access, destruction, use, modification or disclosure'.41 The law in Oregon42 is substantially similar.
US federal laws also prohibit inappropriate cyber security practices to the extent they constitute `unfair ... acts or practices in or affecting commerce'.43 The most well-known actions brought by the US regulator, the Federal Trade Commission (FTC), relating to IoT devices were directed against D-Link (2019) and TRENDnet (2014), both of which marketed insecure Internet-connected home security cameras. Both cases were settled on terms that required the defendants to implement comprehensive security programs.44
The US laws are far less specific about good cyber security practices than the Australian Code, but they have the advantage of being enforceable against those who fail to implement good practice.
The voluntary UK Code has been a failure, with the UK government concluding that `change has not been swift enough, with poor security still commonplace'.45 In a project running through 2020, the UK has been developing mandatory security obligations.46
Voluntary codes have been recognised as inadequate. An accreditation scheme with visible labelling, such as a security mark, might have some chance of signalling quality standards to the market, but the right conditions do not exist for market forces to ensure compliance.47 Despite that, the Australian government ignored the submissions of entities such as ACCAN that security obligations should be mandatory.
Considerable risk exists of significant physical, economic and emotional harm, so mandatory obligations to produce secure devices and maintain their security against evolving threats are needed as a matter of priority. The government has already acknowledged that `most consumers aren't best placed to protect themselves'.48 Australian consumers are habitual early adopters49 of new gadgets, so the country cannot afford to lag behind. The Government's argument that this is `an important first step' is weak, and contradicts its additional perspective that `[g]lobal alignment is important'. We are already well behind our international associates such as the UK and US and `the Code may already be obsolete relative to the standards of Australia's intelligence partners'.50
Drafting laws that work with today's technologies, and tomorrow's as well, is challenging. Rules that quickly become obsolete fail to provide the intended protection, and may slow down innovation. These types of considerations may well have been in the government's mind when it decided to make the Code voluntary rather than mandatory. But we argue that this is an abrogation of the government's obligations to protect consumers and others from serious harm, as it is likely to do little to change current practice.
A robust `co-regulatory approach'51 should involve collaboration among government, industry and the community to produce binding rules. Descriptions of co-regulatory approaches often concentrate only on industry and government stakeholders,52 but this omits a vital component. Strong community involvement53 is also vital to its success. The public consultation process engaged in by the Australian government, which included consumers and third sector advocacy agencies, would constitute a useful first step in this process. However, the next part of the approach should not be `let's leave it up to industry', but rather a process which enables these rules to be quickly amended as experience is gained, and conditions and technology change. To induce compliance, however, this accelerated process cannot operate well without the imposition of formal sanctions54 and an empowered and resourced regulator.55
Government guidance on security is welcome. However, manufacturers need a sufficiently strong mix of incentives and legal obligations to ensure they deliver what society needs. International experience has shown that a merely voluntary Code of Practice cannot achieve the objectives of consumer safety and security.
1 For a useful explanation see Richard Mortier, `Explainer: the Internet of Things' The Conversation (2 August 2013) <https://theconversation.com/explainer-the-internet-of-things-16542>
7 United Kingdom Government, Proposals for regulating consumer smart product cyber security - call for views (Policy paper, 1 October 2020) (`UK Call for Views')
23 Tim Stevens, `Internet of Things: when objects threaten national security' The Conversation (online, 29 May 2018) <https://theconversation.com/internet-of-things-when-objects-threaten-nationa-security-96962>
25 Burton (n 8), quoting Lani Refiti, IoTSec Australia.
30 Australian Code, 1.
33 UK Code (n 27).
37 Australian Government, Australia's Cyber Security Strategy 2020 (6 August 2020) https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-stratgy-2020.pdf, 32.
43 The US Court of Appeals confirmed this interpretation of 15 USC §§ 41-58 in Federal Trade Commission v Wyndham Worldwide Corporation [2015], No 14-3514, F 3d (Aug 24, 2015).
45 UK Call for Views (n 7).
48 Consultation Summary (n 4) 3.
54 Clarke, `Internet Privacy Concerns Confirm the Case for Intervention' (n 51) 64-5.
55 Clarke, `Regulatory Frameworks for AI' (n 53) 406-7.
This article is a substantially more developed version of a short opinion piece by the authors: 'Are your devices spying on you? Australia's very small step to make the Internet of Things safer' The Conversation (online, 11 September 2020), at https://theconversation.com/are-your-devices-spying-on-you-australias-very-small-step-to-make-the-internet-of-things-safer-145554, mirrored at http://www.rogerclarke.com/II/IoTC.html

Kayleen Manwaring is a Senior Lecturer at the University of New South Wales, and a researcher at the Allens Hub for Technology, Law and Innovation and the Centre for Law, Markets & Regulation.

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor associated with the Allens Hub for Technology, Law and Innovation in UNSW Law, and a Visiting Professor in the Research School of Computer Science at the Australian National University.

Created: 16 October 2020 - Last Amended: 17 October 2020 by Roger Clarke - Site Last Verified: 15 February 2009
3 Ibid.
4 Australian Government Department of Home Affairs, Draft Code of Practice: Securing the Internet of Things for Consumers - Summary of Public Consultation November 2019 - March 2020 (2020) <https://www.homeaffairs.gov.au/reports-and-pubs/files/consultation-summary.pf> (`Consultation Summary').
5 Commonwealth of Australia, Code of Practice: Securing the Internet of Things for Consumers (2020), available at https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf (`Australian Code').
6 Commonwealth of Australia (n 5), 2.
8 Tom Burton, 'Internet of things sets the cat among the pigeons', Australian Financial Review (online, 12 October 2020) <https://www.afr.com/technology/internet-of-things-sets-the-cat-among-the-pigons-20201001-p5612g> quoting Frank Zeichner, CEO IoT Alliance Australia and Adam Beck, Smart Cities Council.
9 Mahadev Satyanarayanan, 'Fundamental challenges in mobile computing' (Pt ACM) (1996) Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium 1, 1; Mahadev Satyanarayanan, 'Pervasive computing: vision and challenges' (2001) 8(4) IEEE Personal Communications 10, 10; Frank Adelstein et al, Fundamentals of mobile and pervasive computing (McGraw-Hill, 2005) 5; Stefan Poslad, Ubiquitous computing: smart devices, environment and interaction (John Wiley & Sons Ltd, 2009).
10 Kayleen Manwaring, 'Kickstarting reconnection: an approach to legal problems arising from emerging technologies' (2017) 22(1) Deakin Law Review 51, 63-68.
11 Vijay Sivaraman, Hassan Habibi Gharakheili and Clinton Fernandes, Inside job: Security and privacy threats for smart-home IoT devices (Report, Australian Communications Consumer Action Network, 2017) (`Inside Job')
12 Katie Boeckl and others, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (National Institute of Standards and Technology Internal Report 8228 (Draft), September 2018) 7-8.
13 Scott R Peppet, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (2014) 93(1) Texas Law Review 85, 94.
14 Karen Rose, Scott Eldridge and Lyman Chapin, The Internet of Things: An Overview. Understanding the Issues and Challenges of a More Connected World (Internet Society, October 2015) 21; American Bar Association Section of Science & Technology Law, Submission to the National Telecommunications and Information Administration, US Dept of Commerce, in response to Docket No. 160331306-6306-01: The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things (2016) 11.
15 Boeckl (n 12) 9.
16 Ibid; William J. Buchanan, Shancang Li and Rameez Asif, Lightweight cryptography methods (Taylor & Francis, 2017) vol 1., 187.
17 Inside Job (n 11).
18 Donna Lu, `How Abusers Are Exploiting Smart Home Devices' Vice (online, 17 October 2019) <https://www.vice.com/en_au/article/d3akpk/smart-home-technology-stalking-harssment>
19 Nellie Bowles, `Thermostats, Locks and Lights: Digital Tools of Domestic Abuse' The New York Times (online, 23 June 2018) <www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html>
20 David Sun, `Singapore home cams hacked and stolen footage sold on pornographic sites' The New Paper (online, 12 October 2020) <https://www.tnp.sg/news/singapore/hackers-hawk-explicit-videos-taken-spore-hme-cams>
21 Phys.org, `Security flaw could have let hackers turn on smart ovens' (26 October 2017) <https://phys.org/news/2017-10-flaw-hackers-smart-ovens.html>
22 Andy Greenberg, `Hackers Remotely Kill a Jeep on the Highway - With Me in It' Wired (online, 21 July 2015) <www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/>
24 Brian Buntz, `Cybersecurity Crisis Management During the Coronavirus Pandemic' IoT World Today (online, 24 March 2020) <https://www.iotworldtoday.com/2020/03/24/cybersecurity-crisis-management-durng-the-coronavirus-pandemic/>
26 Neil Vigdor, 'Somebody's Watching: Hackers Breach Ring Home Security Cameras', The New York Times (online, 15 December 2019) <https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html>
27 United Kingdom Government, Code of Practice for consumer IoT security (14 October 2018), available at https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-secrity/code-of-practice-for-consumer-iot-security (`UK Code').
28 Australian Cyber Security Centre, Internet of Things devices (Web page) <https://www.cyber.gov.au/acsc/view-all-content/advice/internet-things-devices>
29 Australian Cyber Security Centre, IoT Code of Practice: Guidance for Manufacturers (Web page) <https://www.cyber.gov.au/acsc/view-all-content/publications/iot-code-practic-guidance-manufacturers>
31 Manwaring, 'Emerging information technologies: challenges for consumers' (n 2) 283.
32 In this paper, we use the term `provider network' instead of `supply chain'. In this context, connections between providers are more likely to be distributed rather than linear. Ibid., fn 16.
34 NIST, `NIST Cybersecurity for IoT Program' (Web page) <https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program>
35 ETSI, ETSI TS 103 645 V1.1.1 (2019-02) Technical Specification CYBER; Cyber Security for Consumer Internet of Things <https://www.etsi.org/deliver/etsi_ts/103600_103699/103645/01.01.01_60/t_103645v010101p.pdf>
36 IETF, Manufacturer Usage Description Specification RFC 8520 (last updated 20 January 2020) <https://datatracker.ietf.org/doc/rfc8520/>
38 Corporations Act 2001 (Cth) s 181(1)(a); Mills v Mills (1938) 60 CLR 150; Westpac Banking Corporation v The Bell Group Ltd (in liq) (No 3) (2012) 44 WAR 1; [2012] WASCA 157; Ngurli v McCann (1953) 90 CLR 425, 438; Kinsela v Russell Kinsela Pty Ltd (in liq) (1986) 4 NSWLR 722, 730.
39 Cyber Security Agency of Singapore, Cybersecurity Labelling Scheme (CLS) <https://www.csa.gov.sg/programmes/cybersecurity-labelling/about-cls>
40 Burton (n 8) citing Frank Zeichner, IoT Alliance Australia.
41 Cal Civil Code § 1798.91.04(a)
42 Or Rev Stat § 646A.813
44 Federal Trade Commission, `D-Link Agrees to Make Security Enhancements to Settle FTC Litigation' (Press Release, 2 July 2019) <https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-seurity-enhancements-settle-ftc-litigation>; Federal Trade Commission, `Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers' Privacy' (Press Release, 4 September 2013) <https://www.ftc.gov/news-events/press-releases/2013/09/marketer-internet-conected-home-security-video-cameras-settles>
46 United Kingdom Government, Consultation outcome: Consultation on regulatory proposals on consumer IoT security (last updated 3 February 2020) <https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security>
47 Roger Clarke, 'The prospects of easier security for small organisations and consumers' (2015) 31(4) Computer Law and Security Review 538, 543-547.
49 Peter Dinham, 'Smartphones dominate the `digital experience' research reveals', IT Wire, 25 February 2020 <https://www.itwire.com/market/smartphones-dominate-the-%E2%80%98digital-expeience%E2%80%99-research-reveals.html>
50 Melissa Fai, Jen Bradley and Mitch Bennett, 'The `Security of Things' - Government releases Voluntary IoT Code of Practice' (Digital Domain, 9 September 2020) <https://www.gtlaw.com.au/insights/security-things-government-releases-voluntary-iot-code-practice>
51 Roger Clarke, 'Internet privacy concerns confirm the case for intervention' (1999) 42(2) Communications of the ACM 60, 63-4.
52 Australian Communications and Media Authority, Optimal Conditions for Effective Self- and Co-regulatory Arrangements (Occasional Paper, June 2015) 10-11; Department of Prime Minister and Cabinet, The Australian Government Guide to Regulation (March 2014) 28.
53 Roger Clarke, 'Regulatory Alternatives for AI' (2019) 35(4) Computer Law & Security Review 398, 406-7.