
Security within the Internet of Things remains an area of focus, and a major government agency is now weighing in on behalf of consumers.
The Federal Trade Commission has submitted its comments on a proposed set of guidelines for communicating IoT
device security-support information to consumers.
The Elements of Updatability is a set of guidelines designed to help manufacturers inform consumers about the security-update
capabilities of IoT devices. It was introduced earlier this year by the Communicating Upgradability and Improving Transparency Working Group at the National Telecommunications and
Information Administration.
Here are the original key elements that the group says companies should disclose before sale:
- Whether the device can receive security updates
- How the device receives security updates
- The anticipated timeline for the end of security support
Before an IoT device is purchased, the FTC recommends that companies disclose
a minimum security-support period, giving consumers a concrete reference point for comparing devices. The FTC cautions that "anticipated" timelines can be aspirational and therefore have the potential to
mislead consumers.
Where a company states a general period of support, such as two years, the FTC recommends that the start date of that period also be disclosed, so that the period is not already partly elapsed by the time of purchase.
In addition
to the original three areas within the guidelines, the FTC recommends adding another element about key device limitations.
According to the FTC, companies should disclose whether an IoT device would lose functionality
or become highly vulnerable at the end of the security-support period. This matters where consumers would expect a comparable non-connected device to have a longer and safer
lifespan.
“With respect to the IoT, consumers may not expect a largely mechanical device, like a refrigerator or a toaster, to suddenly lose basic functionality because of lapsed
support, when that support is significantly shorter than the expected life of a similar ‘dumb’ product,” the FTC stated in the comment document. “To the contrary, in some
cases, a consumer may reasonably expect an unsupported ‘smart’ device to fail in such a way that it continues to perform its basic mechanical function.”
The FTC also recommends
that device manufacturers adopt a standardized way of notifying consumers about security updates, whether on the device itself or in the apps used to control it, and that they establish a system through which consumers can
opt in to receive notifications about the status of security support.
Although the original Elements of Updatability include an additional element suggesting that manufacturers describe their update process
and how updates are secured, the FTC argues that disclosing this information to consumers is unnecessary, even though securing the process itself is not optional.
“When providing updates, manufacturers must, of course, ensure that the process is
reasonably secure,” the FTC stated. “Explaining those safeguards to consumers, however, imposes significant communication costs on industry while providing little, if any, benefit to
consumers.”