Security within the Internet of Things continues to be an area of focus with a major government agency involved on behalf of consumers.
The Federal Trade Commission just introduced its response to a set of guidelines for communicating IoT device security support information to consumers.
The Elements of Updatability comprises a set of guidelines designed to help manufacturers inform consumers about the security update capabilities of IoT devices. The guidelines were introduced earlier this year by the Communicating Upgradability and Improving Transparency Working Group at the National Telecommunications and Information Administration.
Here are the original key elements that the group says companies should disclose before sale:
Before an IoT device is purchased, the FTC recommends companies disclose a minimum-security support period to provide consumers with a concrete reference point to compare devices. The FTC suggests that anticipated timelines can be aspirational and have the potential to mislead consumers.
In the event that a company provides a general time period of support, such as two years, the FTC recommends the start date of that period is disclosed.
In addition to the original three areas within the guidelines, the FTC recommends adding another element about key device limitations.
Companies should disclose if an IoT device would lose functionality or become highly vulnerable at the end of the security support period, according to the FTC. This is important if the expectation of similar non-connected devices would be to have a longer and safer lifespan.
“With respect to the IoT, consumers may not expect a largely mechanical device, like a refrigerator or a toaster, to suddenly lose basic functionality because of lapsed support, when that support is significantly shorter than the expected life of a similar ‘dumb’ product,” the FTC stated in the comment document. “To the contrary, in some cases, a consumer may reasonably expect an unsupported ‘smart’ device to fail in such a way that it continues to perform its basic mechanical function.”
The FTC recommends that device manufacturers adopt a standardized form of notifying consumers about security updates on devices or in the apps used to control devices, as well as establishing a system for consumers to opt-in to receive notifications about security support.
Although the original elements of updatability include an additional element suggesting that manufacturers describe their update process and how updates are secured, disclosing that information could be unnecessary, according to the FTC.
“When providing updates, manufacturers must, of course, ensure that the process is reasonably secure,” the FTC stated. “Explaining those safeguards to consumers, however, imposes significant communication costs on industry while providing little, if any, benefit to consumers.”