A Closer Look at the FTC's IoT Security Recommendations

We asked a security expert to evaluate the Federal Trade Commission's security guidance for consumer-facing IoT products.
By Mary Catherine O'Connor
Feb 11, 2015

Last month, the Federal Trade Commission issued two reports about data security, consumer privacy and the Internet of Things. The main report summarized recommendations resulting from an FTC workshop conducted in 2013, while the second report, titled "Careful Connections: Building Security in the Internet of Things," is meant to serve as a guidebook for companies developing consumer-facing IoT products.

Don Schleede, information security officer at Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways and other communications devices for machine-to-machine (M2M) systems, manages Digi's Device Cloud, a cloud-based device-management solution that provides Digi's customers with secure, remote access to Digi devices. We asked Schleede to parse the specific guidance that the FTC provided, and to share his views on the approaches to IoT data security that makers of consumer goods—from cars to smart thermostats—have taken thus far.

Don Schleede
The FTC report says that manufacturers of IoT products ought to follow best practices developed by digital security experts throughout the decades, calling out three in particular: the use of encryption, a technique called "salting" and another known as rate limiting. Whether you're a manufacturer, a reseller or an end user of IoT devices, for commercial or consumer applications, it's helpful to understand these fundamental IoT security strategies.

On encryption, the report's recommendation is quite simple, urging companies to select strong encryption over weak methods, such as the Wired Equivalent Privacy (WEP) protocol for wireless networks. "WEP has been broken for years," Schleede says, adding that makers of Internet-connected products ought to use the Advanced Encryption Standard (AES), which the U.S. National Institute of Standards and Technology (NIST) established. "I'd like to have seen NIST standards recommended here," he said of the report.

The report reads: "Add 'salt' – random data – to hashed data to make it harder for attackers to compromise." Schleede was somewhat surprised to see the report jump from such a basic mention of "strong encryption," without specifying standards, to recommending the specific use of salting: the practice of generating random data and combining it with a password before the result is run through a one-way cryptographic hash function, so that the system stores only the salt and the resulting hash, never the password itself. Hackers cannot easily recover a salted password from a stolen hash, because they would need to guess the password and the randomly generated salt together, and a table of hashes precomputed for common passwords is useless against a salt it did not anticipate.
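To make the salting recommendation concrete, the following Python example (added here for illustration; it is not code from the FTC report, from Digi or from RFID Journal) stores a password as a per-record random salt plus a PBKDF2 hash, verifies a login attempt against that record, and shows why the salt matters: without it, two accounts sharing a password produce identical hashes. The hash algorithm, iteration count and salt length are assumptions chosen for the example, not values the article prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, Dict

# Assumed parameters for this illustration only (not from the FTC report).
HASH_NAME = "sha256"
ITERATIONS = 200_000   # work factor slows down offline guessing
SALT_BYTES = 16        # 128 bits of random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # random, unique per record
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def unsalted_hash(password: str) -> bytes:
    """The weak alternative: a bare hash with no salt (shown only for comparison)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def store_record(password: str) -> Dict[str, str]:
    """What a device or cloud service should persist: the salt and the hash, not the password."""
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def salted_records_differ(password: str) -> bool:
    """Two accounts with the same password get different salted hashes."""
    return store_record(password)["hash"] != store_record(password)["hash"]


def unsalted_records_match(password: str) -> bool:
    """Without a salt, the same password always yields the same hash,
    so one cracked hash (or one precomputed table) exposes every account using it."""
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = store_record("correct horse battery staple")
    print("stored:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print("salted hashes differ per record:", salted_records_differ("hunter2"))
    print("unsalted hashes collide:", unsalted_records_match("hunter2"))
```

The verification step uses `hmac.compare_digest` rather than `==` so that comparison time does not leak how many leading bytes of the hash matched; the work factor in `ITERATIONS` is what makes each guess expensive for an attacker who obtains the stored records.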
