Scrutiny Of IoT Device Makers Continues With NY AG Safetech Settlement
The New York Attorney General’s Office announced last month it reached a settlement with Safetech Products LLC over the sale of insecure wireless doors and padlocks, the first time a state AG has taken legal action against a wireless security company for failing to implement adequate security in its Internet of Things devices. The settlement is a reminder for companies that make IoT devices to think carefully about security when designing those devices.
The settlement stems from Utah-based Safetech’s claims that its Bluetooth-enabled doors and padlocks would allow users to protect personal belongings inside the home by turning doors and closets into secure areas. In August 2016, a group of independent security researchers reported that the locks transmitted passwords between the locks and the user’s smartphone without encryption, creating the potential for the passwords to be intercepted and the locks opened. The researchers also reported that the locks shipped with weak default passwords that could be easily discovered.
The settlement requires Safetech to encrypt all passwords and other security credentials and to prompt users to change the default password upon the initial setup of wireless communication. Safetech also agreed to establish a written security program reasonably designed to: 1) address security risks related to the development and management of new and existing devices that use security information, and 2) protect the privacy, security, confidentiality and integrity of security information, including:
- The designation of an employee or employees to coordinate and be accountable for the security program;
- The identification of material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality and integrity of security information;
- Risk assessments that consider risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including secure engineering and defensive programming; (2) product design, development and research; (3) secure software design, development and testing; (4) review, assessment, and response to third-party security vulnerability reports; and (5) prevention, detection, and response to attacks, intrusions or system failures;
- The design and implementation of reasonable safeguards to control the risks identified through risk assessment;
- Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
- The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with the agreement; and
- The evaluation and adjustment of Safetech’s security program in light of the results of the testing and monitoring required by the agreement.
The settlement mirrors similar enforcement actions taken by the Federal Trade Commission in recent months. For example, in January the FTC announced it had filed a lawsuit against D-Link, a maker of computer networking equipment and other connected devices, in California federal court. It alleged the company made deceptive claims about the security of its products and put consumers’ privacy at risk. Regulators are becoming increasingly active in the IoT space and have demonstrated a willingness to bring actions against companies they believe are not taking adequate measures to protect consumers. IoT device manufacturers need to keep regulators’ recommendations in mind, be careful about the security claims they make, and think hard about the security they actually implement.