Restricting app permissions

Limiting the permissions of apps, while less complicated than setting up a guest network, is one of those things.

Even if Janis finds out that the app is “asking for something strange, like access to your photo album or location, after the outlay of money and the time setting things up, is she really going to worry about this permission? What about the permissions that have descriptions that she does not understand? I suspect she will simply accept the risk and let the app remain installed on her device.”

She and just about everybody else.

Caveat emptor?

This, of course, does not mean consumers bear no responsibility. “Buyer beware” has been a principle for centuries. Still, when the risks are largely hidden and the average user does not understand them, it is easy to focus on what a device will do for you, ignoring what it could allow someone to do to you.

But Wilbur said there is help for those who are willing to look for it. “In the Internet Society’s IoT Trust Framework, we cover many of these issues, including principles such as limiting the number of login tries before locking out attempts for a period of time,” he said.
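The lockout principle Wilbur mentions is simple to state but easy to get subtly wrong (counters that never reset, or a correct password being checked and revealed during the lockout window). The following is an added illustration, not code from the Internet Society's IoT Trust Framework or from any product discussed here; the attempt limit and cooling-off period are assumed policy values, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Login-attempt limiter: after too many consecutive failures, lock the
account for a cooling-off period and refuse every attempt, right password
or wrong, until it expires.  Added example; the numbers are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_ATTEMPTS = 5          # assumed policy value, not from the Framework
LOCKOUT_SECONDS = 300     # assumed cooling-off period


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value at which the lockout ends (0 = not locked)


@dataclass
class LoginGuard:
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: float = LOCKOUT_SECONDS
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _accounts: Dict[str, _AccountState] = field(default_factory=dict)

    def seconds_locked(self, user: str) -> float:
        """Remaining lockout time for an account, 0.0 if it is not locked."""
        state = self._accounts.get(user)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - self.clock())

    def attempt(self, user: str, verify: Callable[[], bool]) -> str:
        """Process one login attempt.

        `verify` is only called when the account is not locked, so a locked
        account gives the same answer for a right and a wrong credential.
        Returns 'ok', 'denied' or 'locked'.
        """
        state = self._accounts.setdefault(user, _AccountState())
        now = self.clock()
        if state.locked_until > now:
            return "locked"  # still cooling off; credential is not even checked
        if state.locked_until:
            # Lockout has expired: the account gets a fresh attempt budget.
            state.failures = 0
            state.locked_until = 0.0
        if verify():
            state.failures = 0  # a success clears the failure streak
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


class FakeClock:
    """Manually advanced clock so the lockout window can be simulated."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Three wrong passwords, then a right one while locked, then a right one
    after the window has passed.  Returns the sequence of outcomes."""
    clock = FakeClock()
    guard = LoginGuard(max_attempts=3, lockout_seconds=60, clock=clock)
    outcomes = []
    for _ in range(3):
        outcomes.append(guard.attempt("janis", lambda: False))  # wrong password
    outcomes.append(guard.attempt("janis", lambda: True))       # right, but locked
    clock.advance(61)                                            # cooling-off over
    outcomes.append(guard.attempt("janis", lambda: True))       # now accepted
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'locked', 'locked', 'ok']
```

Two design points worth noting: the guard is keyed per account rather than per source address, because IoT apps often arrive through shared gateways, and the credential check is skipped entirely while locked so that the lockout window cannot be used as a yes/no oracle for guessed passwords.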

He noted that Mozilla, which operates the Firefox browser, offers a buying guide for IoT products called *privacy not included and that Mozilla, Consumers International, and the Internet Society have created a list of minimum security standards that all IoT devices should meet, including encrypted communications, security updates, strong passwords, vulnerability management, and privacy practices.

Better IoT security depends on manufacturers and government

Janesko said that on the consumer side, addressing the problem will require a “cultural change and education. There needs to be training/awareness campaigns for everyone” on things like authentication and managing permissions.

But she said manufacturers and vendors should be doing a lot more as well, starting with hardening the security of devices and making it easier for users to configure and control them. “This would require some level of threat-modeling whereby the apps and their permissions are evaluated by professionals who are aware of the latest abuse cases and can visualize new abuse scenarios,” she said.

It will also likely take some government or regulatory consistency, which she said will not be happening with the “unenforceable” California Consumer Protection Act (CCPA), which took effect Jan. 1, 2020. She said the U.K.’s Code of Practice for Consumer IoT Security is much better.

In her view, the IoT “security standards” landscape is much too confusing at this point. “There are way too many organizations that have their own standards now—manufacturers are likely to wait and see what they will be forced to do rather than selecting one standard and it being the ‘wrong’ one,” she said. But she added that NIST (National Institute of Standards and Technology) is “often the go-to organization for setting standards in the USA, and they have been rapidly building out their IoT recommendation set.”

Fundamentally, the only hope for long-term substantive change is for security management to make it a habit, Janesko said, “like brushing your teeth two times per day, wearing a coat when it is cold outside, and locking a door when you leave your home. Education should start in schools, but we have to find a way to address the folks who are out of school.”