What is the essential information that manufacturers should communicate to consumers about security updates for Internet of Things (IoT) devices?
A working group of private sector volunteers produced a document to address this question with voluntary, actionable recommendations for IoT device manufacturers. The group was convened by the National Telecommunications and Information Administration (part of the US Dept. of Commerce) to study issues surrounding IoT security update capability, though the document is the product of the working group and not of a government agency.
The document, entitled "Communicating IoT Device Security Update Capability to Improve Transparency for Consumers" identifies three key elements, and suggests three additional considerations as a template for providing consumers with critical information about update capability. The goal of the communication is to enable consumers to make more informed purchases based on IoT device security, thereby driving market forces to better reward more secure products.
A. Three key elements IoT device manufacturers should communicate to consumers before purchase are:
- Describe whether the device can receive security updates.
- Describe how the device receives security updates.
- Describe the anticipated timeline for the end of security update support.
B. Three additional considerations IoT device manufacturers may communicate to consumers before or after purchase are:
- Describe how the user is notified about security updates.
- Describe what happens when the device no longer receives security update support.
- Describe how the manufacturer secures updates, or how the update process is reasonably secure.
Issue background - IoT security patches
The security of Internet of Things (IoT) devices is widely recognized as an increasingly important risk to manage as the devices proliferate, take on more computing power and connectivity, and become embedded in a wide variety of sensitive environments. Like virtually all computers and software, IoT devices inevitably carry security flaws, exposing the devices to the risk of breach or attack until those vulnerabilities are mitigated.
While there are many fundamental components of IoT security, such as secure design, providing security updates or patching is a key way to protect IoT devices when vulnerabilities are discovered after a device has entered the market. IoT devices that cannot be patched risk repeated exploitation of device vulnerabilities until the device is taken offline. Yet consumers often have little insight into whether a particular IoT device is capable of receiving security updates, and until what date the device is supported, making informed purchasing choices more difficult. The lack of transparency is especially acute for fungible products at lower price points.
The concept of an IoT security rating or "nutrition label" is routinely floated to enhance consumer transparency. For example, the excellent 2016 report from the US Commission on Enhancing National Cybersecurity recommended a voluntary rating and label scheme for security. Some federal legislation, such as Sen. Markey's Cyber Shield Act, proposes an Energy Star-like program to provide consumers with IoT security information. The EU Agency for Network and Information Security (ENISA) is also considering a labeling system for IoT devices certified as secure. Finally, multiple independent organizations like Consumers Union and UL are developing standards and ratings to help consumers evaluate product cybersecurity. As a critical component of IoT security, update capability and support lifecycle have a role in each of these frameworks.
NTIA multistakeholder process
In 2016, the National Telecommunications and Information Administration (NTIA) launched an open process to discuss IoT security updates. As with past "multistakeholder" processes, this work was facilitated by NTIA, but led by participants that included numerous technical and policy experts from private industry and civil society.
The participants divided up into working groups focused on particular issues related to security updates, including transparency. (This blog post focuses on transparency, but you can read more about the good work of the other working groups, and the status of their respective documents, here.) The transparency working group included dozens of participants from diverse backgrounds, and was co-chaired by Aaron Kleiner of Microsoft, Beau Woods of the Atlantic Council, and myself.
The full body of stakeholders convened by NTIA ultimately reached consensus in favor of the working group's final document - Communicating IoT Device Security Update Capability to Improve Transparency for Consumers. In drafting the document, the working group considered a broad range of inputs, including technical standards and guidance on IoT security from government agencies, nonprofits, and companies.
It's worth noting that the Federal Trade Commission commented on the working group document. The FTC's comments function as a standalone statement from the Commissioners (rather than a staff report) while providing additional input and background information to the working group document. The FTC comments are available here.
Communicating IoT Security Update Capability
Communicating IoT Device Security Update Capability is, believe it or not, tightly scoped to communicating IoT security update capability, not other aspects of IoT security and privacy that are important in their own right. The document does not recommend exact language device manufacturers must use, require specific methods of communicating, or dictate means of providing an update. And finally, the document takes pains to make clear that it is voluntary and not intended to describe a basis for regulation or a standard of care. The recommendations to device manufacturers are divided into two categories: key elements to communicate before purchase, and additional information that can be communicated before or after purchase.
A. Key Elements - Manufacturers should consider communicating these elements to consumers prior to purchase.
- Describe whether the device can receive security updates. This could be a simple yes/no statement, or a symbol.
- Describe how the device receives updates. Are updates manual or automatic? What basic user actions are required for updates - an account, additional fees?
- Describe the anticipated timeline for the end of security update support. This should state the minimum period consumers can expect security updates. A specific date is preferable. If support timeline is unknown or indefinite, this should be indicated.
B. Additional Elements - Manufacturers should consider communicating these elements to consumers before or after purchase.
- Describe how the user is notified about security updates. How will the user know that an update is needed? This could be combined with element A.2.
- Describe what happens when the device no longer receives security update support. Does the device lose functionality? Is there extended subscription or third party support available? Or does the user simply continue operating at the user's own risk?
- Describe how the manufacturer secures updates, or how the process is reasonably secure. Manufacturers could describe how they verify source or test functionality of updates, or the manufacturer could simply reference a standard or solution.
Up for adoption
IoT security update capability can be communicated in a variety of ways – such as a physical label on a box, or a product description on an online retailer's website – and the methods and capabilities to deliver the updates themselves can vary widely. Simplicity in communication should be a priority, to ensure understanding across a wide range of consumers. Even if a manufacturer declines to communicate all the items, just informing consumers before purchase whether a device can receive updates and for how long would be a welcome boost to transparency over the status quo.
We recognize that maintaining and communicating security update capability for IoT devices is not trivial, but requires expertise, resources, and persistence. We hope the Communicating IoT Device Security Update Capability template and other resources developed through the NTIA multistakeholder process will be broadly helpful to manufacturers seeking greater transparency for consumers and security for IoT devices.