FTC Presses for IoT Device Security

The Internet of Things (IoT) will transform everything from cars and refrigerators to security and the power grid, but not without potential threats to life and limb that the government and industry need to mitigate.

That is according to comments to the Consumer Product Safety Commission (CPSC) from the Federal Trade Commission (FTC). While CPSC is focused on the T in IoT (it was seeking comment on devices), the FTC is now focused on the I, since it is now principally responsible for internet privacy, security and neutrality.

The CPSC sought input on device safety standards and the role of government in that process. Although the CPSC specifically said it was not asking for information on personal security or privacy, FTC weighed in anyway, signaling the two were inextricably linked. “A criminal who hacks into a connected-home network could not only collect information about consumers who live in the house, but also could activate or deactivate home security devices, potentially causing threats to personal safety,” FTC staffers said.

And the FTC was not done with the frightening device insecurity scenarios, although it was also not ready to propose new regulations.

“[A] car’s braking systems might fail when infected with malware, carbon monoxide detectors or fire alarms might stop working with the loss of connectivity, and corrupted or inaccurate data on a medical device might pose health risks to a user of the device,” the FTC said.

Then, there is the prospect of an intruder with access to connected locks or security systems. In that case, while the FTC said perfect security was not possible, it added that companies should be required to take “reasonable” efforts to protect them from unauthorized access given the possible consequences.

“Security risks associated with IoT devices may implicate broader safety concerns, not just privacy,” the FTC told the CPSC.

The staffers took no position on whether those threats needed to be met with government regulations, but said that if the CPSC decides regulations are needed, they should be flexible and technology-neutral.

The FTC also advised that if the CPSC sets any device certification standards, it should require them to be made public, so the agency can enforce them under its authority to go after any company that misrepresents what it is doing.