Posted: 3 Min ReadResearch Group

Why We Need a Security and Privacy “Nutrition Label” for IoT Devices

Things are getting worse as the growing number of home IoT devices increases their aggregate attack surface

Your microwave may be a hacker’s best friend. As thousands of Internet of Things (IoT) devices including fitness trackers, security webcams and smart home appliances flood the market, American homes have become tempting attack vectors for those with malicious intent. The devices can be hijacked to launch worldwide attacks or used to squirrel into home networks and steal people’s personal and financial information.

Things are getting worse as the growing number of home IoT devices increases their aggregate attack surface. Over the last few years, Symantec Research Labs has traced the rise of IoT-specific malware like Mirai, Brickerbot, and Tsunami, along with a series of high-profile attacks using IoT devices. Mirai, for example, infected internet-connected security cameras to create a massive botnet which brought down wide swaths of the Internet in a worldwide denial-of-service (DoS) attack. The Symantec 2018 Internet Security Threat Report found a 600 percent increase in overall IoT attacks in 2017. And  Symantec experts warn in a blog post that “as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponize them – say, by one nation shutting down home thermostats in an enemy state during a harsh winter.”

It needn’t be that way. As I’ll explain in this blog post, a simple solution may be at hand: A security and privacy “nutritional label” for IoT devices so that consumers know whether the IoT devices they buy are safe and secure, much like the “Nutrition Facts” label the FDA developed to help consumers know what is in their food.

Consumers right now have no way to know the risks any particular device poses. An electronic toy a parent is considering buying might be able to eavesdrop on conversations, record videos without consent, and secretly disclose the child’s location, posing a serious threat to the family’s safety and privacy. Consumers need a concise, informative label that conveys high-level security and privacy facts for an IoT device so they can be well-informed before buying.

Such a label would have these three important goals:

  • Identify the essential security and privacy factors that most affect consumers.
  • Use an effective visual layout to help consumers understand the security and privacy implication of each of these factors.
  • Create a sustainable communication channel to offer an up-to-date security and privacy assessment of IoT devices.

Essential Security and Privacy Factors for the Label

What exactly would be on such a label? Symantec Research Labs proposes four categories of information, which cover the device’s sensors, connectivity, security and privacy features.

Sensors: Because of advances in micro-machinery and easy-to-use microcontroller platforms, sensors can be easily integrated into IoT devices — and it can be difficult or even impossible for consumers to know which are inside and might be gathering data. So a label should list all of a device’s sensors, including audio, video, motion and environmental.

Connectivity: IoT devices use common networking technologies like WiFi or Ethernet or more specialized ones that use less power or provide ad hoc connectivity. These protocols include Wi-Fi, Ethernet/LAN, Bluetooth, ZigBee and ZigWave. All connectivity protocols should be listed on the label so consumers can know the ways in which the device can send or receive data.

Security: The label should cover a basic set of security guidelines. For example, it should include whether the device uses potentially insecure authentication mechanisms, encrypted communication when backing up data, and whether its firmware is updated over-the-air securely. Among the information included should be certificates used, secure boot, update management, password schemes, authentication, and remote access.

Privacy: The label should inform consumers if the device collects any personal information or anonymous diagnostic data, as well as whether any local or remote data storage is supported. Some important factors for this category include personal identifiable information (PII) collection, telemetry data collection/sharing and opt-in/opt-out policies, and data storage and retention policy (for example, when it is GDPR-compliant).

The Label’s Visual Layouts

Symantec Research Labs has designed two potential visual layouts for the label, as you can see below. The first is similar to the FDA nutrition label, while the second relies on icons and text to convey high-level information.

Keep in mind that there are more parameters that should be listed on the label than are found in food nutrition labels, because of the complexity of privacy and security. Our vision is to balance providing an adequate level of detail, while making the information understandable and accessible to consumers. Collaboration with manufacturers, service providers, certification bodies, and others will be needed to strengthen and secure the emerging IoT ecosystem and reflect that in what is provided on the label.

Design 1: Uses design concepts based on the FDA nutrition label.
Design 1: Uses design concepts based on the FDA nutrition label.
Design 2: Uses icons and text.
Design 2: Uses icons and text.

Conclusion

We think labels like these will be good for consumers, because they’ll better informed about the devices they purchase and will be more likely to buy ones that can’t be hacked. And they’ll be good for device makers, because secure and well-informed consumers will be more likely to buy IoT devices. And while the labels won’t help people lose that extra ten pounds they put on this winter, it’ll help keep them safe and secure, no matter what device they use.

Webinar

ICD and a Platform Shift: A LIVE Digital News Event from Symantec

Join us for a digital news event to hear how Symantec and our partners are working together to drive down the cost and complexity of cyber security, while protecting enterprises against sophisticated threats. Learn more about our Integrated Cyber Defense platform.

REGISTER NOW FOR THIS EVENT
You might also enjoy
Research Group3 Min Read

Defending Data Requires More than Good Intentions

Symantec Research Labs used publicly available security scans to identify/expose private information

About the Author

Yun Shen

Senior Principal Research Engineer

Current research interests focus on applying data-driven approaches to better understand malicious activity on the Internet. Yun Shen's research involves a mix of quantitative analysis, machine learning, and systems design. He has been part of SRL since 2012.

About the Author

Pierre-Antoine Vervier

Senior Principal Research Engineer, NortonLifeLock

Pierre-Antoine’s research is focused on computer networks security. During his Ph.D. he designed SpamTracer to study attacks against Internet routing. He also works on the mining of large datasets for threat intelligence and attack investigation.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.