FTC Consumer Protection Bureau Staff Warns CPSC of Safety Hazards of Poor IoT Device Security
FTC Consumer Protection Bureau staffers warned the Consumer Product Safety Commission Friday about what they view as widespread cybersecurity flaws in a range of IoT devices. They responded to a March request for comment on potential safety issues and hazards…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
for IoT devices. Comments in docket CPSC-2018-0007 were due Friday evening (see 1803290032). The Cybersecurity Coalition in May urged the CPSC to address IoT cybersecurity issues “in tandem” with its device safety review, which didn't include security issues (see 1805090023). Poor security and privacy protections in IoT devices might create technology-related hazards, FTC staff said. “A car’s braking systems might fail when infected with malware, carbon monoxide detectors or fire alarms might stop working with the loss of connectivity, and corrupted or inaccurate data on a medical device might pose health risks to a user of the device. Consumers’ physical safety could also be at risk if an intruder had access to a connected lock, garage door, or burglar alarm.” Insecure devices “can erode consumer trust,” the FTC staff said. “Companies that manufacture and sell IoT devices must take reasonable steps to secure them from unauthorized access.” Staff recommended the CPSC consider how companies might provide consumers with the opportunity to sign up for communications about safety notifications and recalls for IoT devices. The product agency should take a “technology-neutral” approach to any security regulations it adopts as part of the proceeding and consider requiring IoT device makers publish any security standards, so the trade commission could act under against companies that misrepresent cybersecurity practices in a CPSC certification process, staff said.