Blog: Vulnerability Disclosure

Responsible disclosure didn’t work? How to get an IoT vendor to take notice

Ken Munro 05 May 2017

Many IoT device manufacturers are starting to address security concerns, however there are still plenty out there who do not.

No doubt you’ve seen the plethora of disastrous IoT security issues that have made the press over recent years. Most security researchers try to disclose issues responsibly, though there are times when the IoT vendor simply isn’t interested in doing anything about it.

There are various motivations for this apparent disinterest; from a complete lack of understanding,  to the inability of the IoT business to communicate internally, through to “keep-shipping-irrespective-of-security-flaws-or-we-go-bust” disease.

Over the past year, I’ve seen some interesting ways of getting these vendors to pay attention; some through consumer pressure, others through regulation and litigation.

If you’re having difficulty with a vendor, you might find these avenues useful:

Find laws that they’ve breached, not necessarily in your country

A security researcher pointed out to the German Bundesnetzagentur that My Friend Cayla could be classified as a concealed audio bugging device.

This led to a near-instant ban and EUR25,000 for possession. Cayla has now been withdrawn from sale in numerous European countries.

So, don’t forget to look internationally when you’re looking for laws that the IoT device may have broken.

Has the vendor gathered more customer data than their terms and conditions state?

Check the small print and compare with the permissions for example in the mobile application that controls the IoT device.

If you find excessive data gathering, or data gathering beyond their terms, then it’s worth reading up about the recent We Vibe class action and related settlement.

Numerous other lawsuits are being filed; another recent example case involves Bose smart headphones.

Litigation is a very effective route to bring attention to poor IoT security, particularly if you can find a lawyer that will take on a class action case as no win/no fee.

Check for FCC violations

From time to time we find IoT devices on the market that don’t comply with their FCC approvals.

If you’ve dismantled the device, go check its Equipment Authorisation here: https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm

Check that the chipsets and physical architecture match those tested. If they don’t there may be a violation that you can report.

That might result in the product being withdrawn from sale for a period of time.

An aggressive approach perhaps, but if it results in insecure IoT devices being taken off the market until they are made more secure, then this is a route you could consider.

Find false claims in their advertising

The best known route is probably an FTC complaint. There have been a few related to IoT recently, including a highly successful complaint against Asus that resulted in the vendor being forced to ‘establish and maintain a comprehensive security program subject to independent audits for the next 20 years’.

My first foray in to FTC complaints was the result of meeting a really helpful US privacy advocate at RightsCon and giving a talk about IoT sex toys: https://www.accessnow.org/cms/assets/uploads/2017/04/AccessNow-FTCComp-Svakom.pdf.

When filing a complaint, one needs to show practice that has been “unfair” and/or “deceptive”. So, review the documentation and advertising claims that come with the IoT device and file a complaint if you think it has merit.

In the UK we have the Advertising Standards Authority.

If you can find misleading or false advertising, make a complaint online here: https://www.asa.org.uk/make-a-complaint.html.

If the product documentation makes false claims, try Trading Standards in the UK.

For example, we’re working on yet another connected kettle that, among many fails, states in its documentation that all communications are encrypted using SSL. We have proof that this isn’t the case.

Remember, you don’t always need to be physically in the country where you’re making the complaint.

Engage consumer bodies

Attention was drawn to My Friend Cayla by the Norwegian Consumers Council as part of their #toyfail campaign. The Norwegian Consumer Ombudsman, Forbrukerombudet, has done a great job of consumer advocacy in the IoT space.

This resulted in a formal complaint to the EU Consumer Organisation (BEUC), though this was somewhat trumped (in a positive way!) by the German ban.

Consumer Reports in the US have already made progress with IoT, so go find your national consumer groups and get them to apply pressure to IoT vendors.

File reports with data privacy regulators

Most data privacy regulators deal with breaches of consumer data. However, few will deal with bad practice that could LEAD to a breach.

It is clearly illegal and unethical to breach an IoT vendor in order to create a data breach to report to the regulator, but do keep alert for other threat actors having done this.

It is worth monitoring https://breachalarm.com/ and https://haveibeenpwned.com/ to see if the IoT vendor you’re interested in has had a breach.

I was quite surprised to see that Svakom, the sex toy vendor from the FTC complaint above, had already been breached and lost  more than 1,000 consumer records.

Report issues to retailers

On the back of the CloudPets breach, we sent a Twitter DM to a large UK toy retailer (The Entertainer) who were still stocking and actively promoting the toy. We referenced media coverage of the breach.

The retailer acted very quickly and delisted the toy for a period of time; kudos to them. That said, they’re now selling it again at 80% off list price, I guess clearing down their stock as the vendor (Spiral Toys) is unlikely to be taking returns!

My Friend Cayla has also been delisted by Amazon UK and is nearly impossible to buy in the UK and many other European markets.

If we can limit the ability to sell insecure toys, manufacturers of insecure IoT products have a real incentive to deliver more secure products.

Expose poor practice in the press

No IoT vendor wants their reputation to be tarnished in the media. If you’ve worked through responsible disclosure without any meaningful response or success, maybe speak to a journalist and see if they can get the attention of the manufacturer.

You could chat to other high profile security researchers too – they may be able to help you with contacts and disclosure strategy.

The highest profile stories I’ve seen of late were where the vendor doesn’t manage the incident well. Instead of dealing with it and reassuring customers, they do all they can to defend their own reputation. See TalkTalk and nomx for details!

File a report with CERT

The various CERTs around the world can be incredibly helpful when coordinating disclosure and getting the attention of manufacturers.

Make contact with them and have a discussion – explain your problem and see if they can help.

We’ve had some great assistance from US-CERT and others when dealing with silent or grumpy vendors. Having a recognised body involved in the disclosure process can really help.

Involve politicians

Politicians sometimes take interest in consumer privacy. Find those with an interest in cyber security and report issues to them.

I was most impressed when it was reported that a US Senate committee had asked formal questions of Spiral Toys in relation to the CloudPets breach.

That is the sort of attention that no IoT manufacturer wants to experience. Shine a light on poor behaviour through our elected representatives.

In conclusion

There is still a dearth of regulation in the consumer IoT space, but there are numerous routes to apply pressure to IoT vendors whilst lawmakers catch up.

Good practice advice for IoT security is widely available, however if the vendors won’t improve by themselves, we have to drive their secure behaviour through as many vectors as possible.

It may be an unexpected route that gets the result you want. Bear in mind that Al Capone was convicted of tax evasion…