The Senate’s IoT security bill won’t do much, but here’s what could make an impact

Let’s talk about toys. Technically, we’re going to talk about toys as a smarter path to thinking about regulating IoT device security, but I promise there will be teddy bears.

This week four Senators introduced a bipartisan bill to regulate the security of connected devices sold to the U.S. government. The bill received a lot of laudatory coverage in the media. CNN asked “Hackable door locks? Senators want to make smart gadgets more secure” while Slate said, “At Long Last, a Sensible Internet of Things Security Bill Has Been Introduced in the Senate.”

Did these reporters even read this bill? The press release that accompanies the bill? If they did, they’d probably be less impressed.

The bill aims to keep the government from buying connected devices that can’t be updated, have existing security vulnerabilities and that have hard-coded passwords. It also protects good-faith efforts by hackers to expose security vulnerabilities and ordered the Office of Management and Budget to develop both a disclosures policy for connected device vulnerabilities and a networking policy for securing “dumb” connected devices.

Like many, I’m glad our legislators are talking about IoT security, but this bill does nothing to protect consumers or enterprises. It also doesn’t go very far in its security measures. The best aspects of it are its effort to promote updates and protect ethical hacking.

So now let’s talk about toys. The hacking of several connected toys has prompted a few actions from federal agencies, actions which could actually make a bigger impact earlier on than a legislative effort. This summer the FTC updated its compliance rulesassociated with the the Children’s Online Privacy and Protection Act (COPPA) to clarify that connected toys that collect information about children under the age of 13 are also subject to the Act. From the FTC’s news release:

As technologies evolve, companies have new ways of collecting data, some of which may affect your obligations under COPPA. Just one example: voice-activated devices that collect personal information.

That has me wondering if data collected by my Amazon Echo from my 10-year-old daughter would become a problem for the retailer. The update also specifically calls out connected toys and “other products intended for children that collect personal information, like voice recordings or geolocation data.”

COPPA is a big deal because it is a law that is actually prosecuted and each individual violation can cost up to $20,000 for an offending company. If the FTC wasn’t signaling its seriousness, the FBI put out a notice about connected toys at the end of July.  The federal law enforcement agency warned parents that connected toys had the potential to violate their children’s privacy. The FBI also offered a list of actions a parent could take to determine if a connected toy was offering good security.

The list included things like common sense actions such as turning toys off when not in use and changing the device’s default password. But it also asked parents to check the security practices of these companies, such as asking how the toy company transfers data (is it encrypted?), where toy data is stored (does that firm have good cybersecurity?) and whether the toy is capable of receiving firmware updates over the air. The FBI also recommends reading the terms and conditions associated with the toy and the privacy policies.

I don’t know about others, but I can barely keep track of what type of batteries my daughter’s electronic toys need, much less remember to ask if they have AES-256 encryption (AKA bank-grade encryption).  These are good things to know, but this information is hard to get. I actually sent many of these questions to Fisher Price months ago after a reader asked me about the security of this baby monitor.

A Fisher Price spokeswoman responded to my questions with questions about how I would use the information rather than answering them. We then traded emails over the next few months, but she never responded to me on the security questions. I revisited the inquiry again this week and haven’t received a response yet.  Fisher-Price did provide some security data on the Aristotle website however:

Aristotle^™ was created with parents in mind. To provide digital safety, security and peace of mind, it features 256-bit, end-to-end video encryption and parental controls that help protect your family’s privacy. The COPPA (Children’s Online Privacy Protection Act) compliant App safeguards your information and data.

That doesn’t address all of the questions, such as where the data is held, and that isn’t something we may ever know. If it’s tough for a journalist to get this information, I’m not sure how a parent is going to do this. And this is where the Senate could really signal an understanding of IoT security and a willingness to solve some of the challenges with products on the market today. I’d like to see some kind of labeling around what constitutes a well-built IoT device from a security perspective, and then see that made available in an easy to understand format.

The average consumer doesn’t know what AES-256 encryption is, but if the government put out a requirement that toys use that when transmitting data from the toy to the home’s router and then from the router to the cloud, the toy could get some sort of label saying it transmitted data securely.

Much like our nutrition labels adapt to new research (and plenty of lobbying by the food industry) our connected device security label may have to adapt.  The current Senate bill tasks the Office of Management and Budget to evaluate security requirements, but over at the National Institute of Standards and Technology (NIST) they are working hard on cybersecurity definitions and practices. Maybe a law delegating that research and standards setting to NIST makes sense here.

Based on what we’re seeing from the government’s response to insecure connected toys we could put forth a strong bill that would protect consumers, enterprises and the government by clearly defining aspects of a secure IoT device and then creating labels to go on such devices that show how they measure up.

For certain markets more stringent rules would likely make sense, but better information seems like a really good place to start. Think of the children.