Advisory Group: Before You Plug in that Smart Device, We Need to Have a Talk


A government-industry group is prepping a plan for how makers of connected devices should talk about security with customers.

An industry and government group approved an advisory document Tuesday outlining how makers of connected devices, such as smart toasters and baby monitors, should communicate with customers about security protections and vulnerabilities.  

Manufacturers should powwow with customers about whether devices can receive security updates, how those updates will be delivered and when they're likely to stop offering updates, according to the document.

Device-makers should also let consumers know some basic information about how those updates are secured so device owners can feel confident updates are coming from the company itself and not a nefarious hacker interrupting the process, the document said.


Now that the document’s complete, its writers will work on sharing it with industry and government agencies, Harley Geiger, a co-chair of the working group that produced the document, said during a conference call.

The working group hopes to convince some manufacturers to adopt the communications procedures and advocate them as a best practice for the rest of the industry, said Geiger, who is policy director for the cybersecurity firm Rapid7.

The group also will submit the document to the National Institute of Standards and Technology, which is collecting public input on how government and industry should combat armies of co-opted zombie computers known as botnets, Geiger said.  

President Donald Trump called for the botnet study in a May executive order.

Connected devices, which are often difficult or impossible to patch against new security vulnerabilities, have proven fertile ground for botnets. The Mirai botnet, which pushed numerous major websites offline last year, was powered partly by such connected devices, often referred to as the internet of things.

The approved document was one of four documents members of the National Telecommunications and Information Administration multistakeholder group discussed during Tuesday’s phone conference.

The other documents, which have not reached a final draft yet, focus on security best practices for connected device companies offering security patches and updates, barriers to IoT security and a rundown of previous work in the IoT security field.

NTIA will likely promote final drafts of those documents to industry but they will not be official NTIA documents and will not be formally endorsed by the government, said Allan Friedman, director of NTIA cybersecurity initiatives.

Connected devices run the gamut from highly technical tools that operate industrial systems to cool gadgets such as smart toasters and dishwashers. Makers of those devices also range from well-heeled companies, such as major auto manufacturers, to fly-by-night start-ups.

That disparity makes it difficult, in some instances, to make uniform security recommendations, stakeholders on the conference call noted.

The disparity is also troublesome, however, because while a hacked car is a much more dangerous proposition for its driver than a hacked toaster, both can be equally dangerous if conscripted into a botnet.