10:30 AM
Pat Osborne
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is

Proposed new connected-product repair laws will provide hackers with more tools to make our lives less secure.

There are times when you see or read something for the first time and it makes sense. But later, after you have had some time to think about it, the idea or proposal might not be as straightforward as you originally thought. This is where I am on connected-product repair legislation that has been introduced in more than 17 states.

At first blush, the proposed bills seem to make sense, both for consumers and for small businesses catering to embedded systems or personal electronics. The bills want to provide consumers with opportunities to have their Internet-connected products fixed. To do so, the bills seek to mandate that original equipment manufacturers (OEMs) share all source code, operating system, and security schematic information with any product owner.

Wait, what?

While looking at the proposed legislation, I started thinking about products and systems with embedded software. There is much more to today's connected products than physical parts. For many people, all of their personal and banking data are on their smartphones. Our contacts, emails, texts, pictures, and other information are contained on our phones. Many devices hold our biometric information as well. How does this data get protected?

The proposed legislation in many states requires the OEM to provide the operating system, security, and other patches to anyone. But access to the operating system and other microcode could also allow malware to be introduced into the system without the owner knowing. Some legislation goes further, allowing for the reset of security-related electronic functions, such as passwords, fingerprints, and encrypted data, that could circumvent protections the owner may already have in place. This could lead to sensitive data being exposed or lost through mishandling.

Requirements for OEMs to provide remote diagnostics, with the ability for setting controls and location identification of the device, can also be used by hackers to wreak havoc.

For example, universal access to the settings makes it possible for hackers to add their own fingerprint, face image, or iris scan to any smartphone, thus allowing access to:

  • Wallet or other payment apps on the device;
  • Location settings for tracking;
  • Geotagging to allow location tracking even if it had been turned off by the smartphone owner;
  • Backup storage location changes; and
  • Mobile hotspot information along with the location information to track an individual and then connect to a smartphone without the user's knowledge.

If a company has a bring-your-own-device policy and an employee uses a device that has been altered, hackers will have an open door to corporate networks and the ability to steal employee Social Security numbers, trade secrets, and critical customer data. This applies to any Internet of Things (IoT) device, printer, camera, or wireless access point (WAP) that was repaired by a malicious independent repair person.

We know that in the world of the IoT, we are only as strong as the weakest link. In the past, if someone stole your radio, your phone, your car, or your company-issued laptop, the damage was minimal, and the result was mostly a nuisance. But today the ramifications of a security breach are monumental and can put companies out of business. For the IoT to fulfill its promise, the secure and private sharing of treasure troves of data must be built into the foundation of all products. As a result, policymakers need to ensure that all technology legislation, at its core, is focused on security and privacy protections.

When people have a coat altered or a purse repaired, they will first empty all the contents out, especially their ID, credit cards, checkbook, and other private information. Yet all of this data is stored on many Internet-connected products. And now, some legislators are proposing laws that could substantially increase access to this sensitive and valuable information.

On its face, it may appear that these repair bills will protect consumers. But, in reality, such bills may provide hackers with the tools they need to make our lives even less secure.

Pat Osborne is a Certified Information Systems Security Professional (CISSP) with over 30 years in the IT field. He is the principal and executive consultant at Outhaul Consulting, LLC, and a cybersecurity advisor for the Security Innovation Center. He has experience in ...

User Rank: Apprentice
3/17/2018 | 3:08:08 PM
IOT devices are insecure by design, not repair
Ugh. So much speculation and so few facts.

First, anyone who has actually read the proposed legislation in 18 states would notice that the only information, firmware, parts, tools and diagnostics required are those ALREADY being provided to thousands of repair techs around the world. None of this information is secret, and most of it is already available illegally in Asia. Legislation is carefully targeted for the sole purpose of allowing legal competition for repair services at the choice of the owner.

Even when the equipment being repaired is being used for a security function (such as a security camera), the application run on the CPU within the camera is irrelevant to repair. The camera either passes a signal correctly or it does not. Someone has to repair the camera and give it back to the owner. It's the owner that cares about his or her security, and it's still the owner that gets to decide whom to trust for repair.

If anyone has any doubts about the responsibility of the OEM to protect the security of the owner, just read the purchase contract closely. Every contract always disclaims responsibility for how equipment is used and carefully limits their risk and potential damages in that contract.

As to actual cyber risk, equipment is either secure by design, or insecure. Sadly, millions of IoT devices are being thrown into the marketplace with weak or absent security, allowing botnets and other hacks to proliferate worldwide. These devices are already up and running and attached to a network, unlike devices which are broken and offline. Equipment under repair is among the most secure because it's offline.

Opponents of Right to Repair have gleefully suggested that consumers will lose personal data without any explanation of how that might happen. We've yet to hear of anyone losing personal data as the result of an iPhone repair, because Apple does an excellent job of security and encryption. Apple has even stated publicly that despite their source code being posted on the internet, personal security was never at risk.

Happy to discuss any real examples of how repair as a business has made IoT devices less secure.


User Rank: Apprentice
3/12/2018 | 11:47:00 PM
Seriously? The misinformation is strong with this one.
Wow, there is a lot of misinformation, confusion, and good old fashioned "Fear, Uncertainty, and Doubt" (FUD) in this article. It almost reads like a paid piece from a hardware manufacturer.

I'm a little amazed that someone would write such a weak and unsubstantiated article in a time when Linux has become the foundation of most mobile and many IoT devices. When every Android smartphone has its base operating system source code available for anyone, your argument needs a lot more than vague hints and bad analogies to be reasonable.

The simple fact is that IoT devices are in such a horrible and sad state with regards to security that it's hard to imagine how it could get much worse. Mandating that information be available for people and communities to attempt to improve or fix issues at least leads to options.

I want to write more, but it's just hard to even take this article seriously.