There are times when you see or read something for the first time and it makes sense. But later, after you have had some time to think about it, the idea or proposal might not be as straightforward as you originally thought. This is where I am on connected-product repair legislation that has been introduced in more than 17 states.
At first blush, the proposed bills seem to make sense, both for consumers and for small businesses catering to embedded systems or personal electronics. The bills want to provide consumers with opportunities to have their Internet-connected products fixed. To do so, the bills seeks to mandate that original equipment manufacturers (OEMs) share all source code, operating system, and security schematic information to any product owner.
While looking at the proposed legislation, I started thinking about products and systems with embedded software. There is much more to today's connected products than physical parts. For many people, all of their personal and banking data are on their smartphones. Our contacts, emails, texts, pictures, and other information is contained on our phones. Many devices have our biometric information as well. How does this data get protected?
The proposed legislation in many states requires the OEM to provide the operating system, security, and other patches, to anyone. But access to the operating system and other microcode could also allow malware to be introduced into the system without the owner knowing. Some legislation goes further, allowing for the reset of security-related electronic functions — such as passwords, fingerprints, and encrypted data — that could circumvent protections the owner may already have in place. This could lead to sensitive data being exposed or lost due to mishandling.
Requirements for OEMs to provide remote diagnostics, with the ability for setting controls and location identification of the device, can also be used by hackers to wreak havoc.
For example, universal access to the settings make it possible for hackers to add their own fingerprint, face image, or iris scan to any smartphone, thus allowing access to:
If a company has a bring-your-own-device policy and an employee uses a device that has been altered, hackers will have an open door to corporate networks and the ability to steal employee Social Security numbers, trade secrets, and critical customer data. This applies to any Internet of Things (IoT) device, printer, camera, or wireless access point (WAP) that was repaired by a malicious independent repair person.
We know that in the world of the IoT, we are only as strong as the weakest link. In the past, if someone stole your radio, your phone, your car, or your company-issued laptop, the damage was minimal, and the result was mostly a nuisance. But today the ramifications of a security breach are monumental and can put companies out of business. For the IoT to fulfill its promise, the secure and private sharing of treasure troves of data must be built into the foundation of all products. As a result, policymakers need to ensure that all technology legislation, at its core, is focused on security and privacy protections.
When people have a coat altered or a purse repaired, they will first empty all the contents out, especially their ID, credit cards, checkbook, and other private information. Yet all of this data is stored on many Internet-connected products. And now, some legislators are proposing laws that could substantially increase access to this sensitive and valuable information.
At its face, it may appear that these repair bills will protect consumers. But, in reality, such bills may provide hackers with the tools they need to make our lives even less secure.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.Pat Osborne is a Certified Information Systems Security Professional (CISSP) with over 30 years in the IT field. He is the principal - executive consultant at Outhaul Consulting, LLC, and a cybersecurity advisor for the Security Innovation Center. He has experience in ... View Full Bio