Blog: Internet Of Things

PTP, IoT & the Norwegian Government

Ken Munro 15 Aug 2018

We were privileged to be invited to speak at an event in Arendal, Norway yesterday to make the case for IoT regulation.

Arendalsuka is the largest political gathering in Norway, an open forum event where the public can interact directly with political leaders, business leaders, entrepreneurs, governmental organizations, media and NGOs.

In excess of 1,000 different talks occur over 5 days. The Vice Minister of the Ministry of Justice and Public Security attended the talk, which was followed by a lively debate about the potential for regulating insecure IoT.

After the EU spectacularly failed to regulate consumer IoT security earlier this year, Norway has an interesting opportunity to provide leadership in IoT security. Norway is outside the EU but inside the EEA and also a popular market for some consumer electronics companies to market-test new products.

The event

Our friends at the Norwegian Consumers Council have done some spectacular advocacy and consumer privacy work in IoT. It’s through their efforts to expose threats to children from My Friend Cayla that we first met. Since then, further high profile research has included exposing numerous security flaws in smart watches for tracking children as part of their #watchout campaign.

The NCC organised the event to drive home the significant problem with IoT security. With numerous senior individuals involved in data privacy and regulation present, it was an excellent opportunity to make the case for leadership in IoT security.

It all started with a doll

Well, of course it did. Through the combined efforts of NCC, PTP and Stefan Hessel, a German privacy lawyer, My Friend Cayla was withdrawn from sale and banned in some countries. This was a fantastic result.

BUT

Only Cayla and the iQue toy were banned. Similar toys from the same manufacturer with identical security flaws are still on the market.

‘Point’ bans against individual products are a great start, but they don’t really create the change in IoT security that is needed.

Despite the vendor involved clearly suffering a sales drop, they continue to ship vulnerable product. Numerous other smart toys from other vendors are still on the market. Numerous other consumer IoT devices are still on the market.

‘Point’ bans are not having the required effect on IoT security.

The problem

There are:

  • Too many IoT products on the market for individual bans to create change
  • Not enough security researchers and consumer advocacy groups to independently evaluate the security of all IoT products
  • Only a few IoT vendors who actually care about consumer security. There are some notable ‘good’ vendors out there, but not nearly enough

As a result, consumers are exposed and confused: “Which product should I buy?” “Will I be hacked through it?”

More problems: Critical National Infrastructure hacks

As shown through our smart thermostat research and the Horus Scenario involving solar panel controllers, there are also threats to critical national infrastructure from consumer IoT devices. Power spikes created by simultaneously switching large numbers of hacked devices could easily destabilise the power grid.

Similar ‘systemic’ hacks have been carried out by botnets created from vulnerable CCTV cameras. The Mirai botnet took down various social networks for several hours in 2016. Similar methods could be used to significantly impact the stability of the internet in a nation, should an attacker wish.

We are stumbling into a very dangerous area through the reluctance of government to regulate IoT.

Leadership

The UK Department for Culture, Media and Sport has made a start with some good IoT security guidance, but like the EU, they have stopped short of regulating.

Concerns include creating mountains of electronic waste for existing, insecure IoT product. Stifling innovation is another concern.

I disagree strongly with the above concerns:

Security can be an enabler; consumers can buy with confidence, and this will stimulate sales of smart products.

Further, if security becomes mandatory, huge economies of scale can be derived. Implementing standardised security into a smart product could be a trivial matter, becoming part of the development lifecycle.

Finally, many IoT products are so poorly designed or so ineffective that they quickly become electronic waste anyway. Security regulation will help prevent useless product from entering the market.

I believe that Norway, being outside of the EU but inside of the EEA, can become a beacon of leadership in European IoT security.

Quick fix

Implementing new primary legislation takes time and effort.

Instead, one could use existing legislation, but clearly explain to manufacturers how it relates to consumer IoT.

GDPR is an excellent example of legislation that could be used.

Other consumer protection laws could be quickly referenced in IoT standards, giving ‘teeth’ to IoT security.

However, governments must be prepared to ENFORCE these standards. By forming a partnership with retailers and building these standards into their procurement process, we can all help prevent insecure IoT from entering the market.

An example

The UK DCMS ‘Secure by Design’ guidance is good. For example, principle 8 is to ‘Ensure that personal data is protected’.

However, without the backup of GDPR, it is weak.

Manufacturers in the Far East are slowly realising that GDPR is a serious issue. Their representatives, brand owners and distributors in the West are increasingly aware of GDPR, but are perhaps unaware of how it applies to IoT.

Why not link principle 8 of the DCMS standard to Article 5, part 1 (f) of GDPR:

“Personal data shall be:

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

And now you have enforceable regulation for consumer IoT with minimal effort.

Conclusion

This isn’t difficult. It isn’t rocket science. It’s just communication.

But don’t forget that regulation means little without enforcement…

And here are some of the worthy people that could help implement this, from the debate yesterday. I didn’t understand a word of it, but I’m very hopeful!