The Ethics Of The IoT: Are Engineers Failing To Speak Up?

Winter and spring were not kind to the Internet of Things (IoT), and it is not looking any better heading into the summer months. This article explores what is wrong with IoT devices today, who’s responsible, and what we can do moving forward to increase consumer confidence in the IoT.

This is critical to enterprise security as threat actors leverage IoT sensors deployed both in homes and in businesses for both proxies, and for persistence enabling lateral movement. Enterprises should also be concerned as in 2018, there were multiple DDOS attacks exceeding 1Tb per second in volume. According to NetScout, IOT Devices are attacked within five minutes and targeted by specific exploits in 24 hours.

• In late 2018, Dark3 released a report on cheap IoT light bulbs. The findings included permissions where consumers needed to agree to real-time location tracking by a Chinese company to dim their lights at home.
• This spring, Nest locked users out of their accounts if their passwords had appeared in another breach. This retroactive security was necessary as threat actors were taking control of thermostats, cameras, and security systems with no hacking skills required.
• In May, security firm Fidus found that a fall sensor marketed to seniors with dementia allowed threat actors to listen to and track the locations of users without their knowledge. Although there was a PIN, it was not set by default and could be remotely disabled. Worse, the researchers could not determine how to notify the manufacturer so there could be a recall, as there was a half-dozen similar devices being sold all with the same vulnerabilities.

The overwhelming majority of IoT devices on the market are hot garbage that do not follow security best practices. Allowing consumers to use passwords that have appeared in breaches before makes it easy for threat actors to gain persistence on devices. Devices with no update mechanism means IoT devices become a perpetual threat once the first vulnerability is found. Most people have no way of knowing that their IoT sensor needs an update, so it’s unrealistic to shift the responsibility of software updates to consumers.

This Is Not A Technology Problem

This is an ethics problem. Five different professional societies for engineers speak to the issues of safety, security, and privacy in their Code of Ethics documents:

1. IEEE Code of Ethics
   “ … to hold paramount the safety, health, and welfare of the public, to strive to comply with ethical design and sustainable development practices, and to disclose promptly factors that might endanger the public or the environment.”

2. IEEE Computer Society Code of Ethics
   “1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good.”

3. ACM Code of Ethics
   “2.9 Design and implement systems that are robustly and usably secure.”

4. ISC2 Code of Ethics
   “Protect society, the common good, necessary public trust and confidence, and the infrastructure.”

5. ISSA Code of Ethics
   “Promote generally accepted information security current best practices and standards;”

It’s easy to be complacent and to give in to breach fatigue as each passing week brings a new cyber security breach. However, engineers working on IoT projects and who are members of at least one of these professional societies are ethically bound to raise legitimate concerns about the safety and security of IoT products being developed. Engineers who are not a member of a professional society may not be ethically responsible in the very formal sense, but failing to speak up is a substantial risk to their career and livelihood if the device they’ve developed is insecure or government investigations result from a security breach.

See Related: “Top 5 Cyber Security Breaches of 2019 So Far”

Ethically, engineers on IoT projects should push for a reasonable standard of due diligence that includes at least the following practices:

• Automated software updates without user interaction, and refusing to ship products that cannot be updated once “in the wild”.
• Requiring passwords that follow the NIST 800-63 Guidelines, including not accepting passwords that have appeared in past breaches and providing multi-factor authentication capabilities by default.
• Only building products where the underlying infrastructure can be reasonably be secured and maintained so that a breach of the IoT cloud doesn’t allow a threat actor to compromise all the connected devices.
• Clear privacy policies that allow consumers to opt-out of data sharing but continue using the IoT device. The world does not need another tl;dr privacy policy that takes ten minutes to read.

Engineers are professionally accountable for the design, development, testing, and maintenance of IoT devices, so the responsibility for making the world a safer place is squarely on them. We can measure their success by the media coverage of the upcoming 2019 holiday shopping season. We will know they have failed if it is a season of overheated news stories pointing out that toys are spying on children again. Success will be lack of negative stories about the IoT, instead showcasing stories about how a breakthrough IoT technology made the world a better place for families and communities.

Read more from this author>>