BLU’s FTC settlement: good reminder that IoT security is tricky
On April 30, 2018, the FTC announced that it has reached a settlement with the US mobile phone maker BLU over deceptive security claims. As we're focused on consumer IoT security and management, I thought I'd reflect on some challenges this event has highlighted.
The phone manufacturer BLU Products, Inc. is an American company, headquartered in Miami, FL that makes bold, high-performance phones at an affordable price. You can buy their phones on Amazon and in several large retailers.
In the fall of 2016, Ryan Johnson of Krypowire bought one such BLU phone— a BLU R1 HD smartphone— to use on a trip to Taiwan. Johnson is a security expert who specializes in reverse engineering, so you can imagine his phone unboxing experience may be a bit thorough than most.
In his exploration, Johnson discovered that pre-installed software on the phone sends all his text messages to a server in China every 72 hours, a discovery that made news headlines.
Blu devices on Amazon, screenshot 5/8/2018
Next, the Krypowire team performed code and network analysis and published their findings on November 15, 2016. Here are some highlights:
- The Android device transmitted the body of text messages, contact lists, call history, unique device identifiers, and other data (such as app usage) to servers in China.
- These transmission activities are performed by a commercial Firmware Over the Air (FOTA) updating system by a company named Shanghai Adups Technology Co Ltd.
- At the time of the post, they noted that Adups claimed to have world-wide presence of over 700 million active users and a market share exceeding 70% across 150 countries.
- Kryptowire was able to capture and decrypt Personally Identifiable Information (PII) and text message contents.
- Kryptowire communicated its findings to Google, Amazon, Adups, and BLU.
So just a quick recap: BLU used a third party vendor, Adups, for some mobile phone software. And, with powerful permissions, this software sent sensitive data back to Adups, without the user’s knowledge.
Blu responded with a security patch, but fast forward 8 months to the BlackHat 2017 conference: Kryptowire gave a presentation that concluded that the infrastructure for the transmission of personal information still existed and was active on certain devices.
On July 31, 2017, BLU put out a statement on their policies and actions.
The Federal Trade Commission (FTC) has just announced that it reached a settlement on a complaint complaint against BLU and its owner for having violated the provisions of the Federal Trade Commission Act. Per the summary on FTC.gov:
“In its complaint, the FTC alleges that BLU and its co-owner and President Samuel Ohev-Zion misled consumers by falsely claiming that they limited third-party collection of data from users of BLU’s devices to only information needed to perform requested services. They also falsely represented that they had implemented “appropriate” physical, electronic, and managerial procedures to protect consumers’ personal information, according to the complaint.”
Also noted in the FTC’s press release,
“When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $41,484.”
Food for thought for consumers
The first defense measure is to develop awareness and education, understanding that devices that connect to the Internet carry with them risk and looking out for concerns. Unfortunately, many IoT device makers aren’t motivated to secure their devices as they have competing business drivers, such as reducing 3rd party vendor costs.
To stay in-the-know on connected gadgets in your home, consider setting a Google alert to monitor news about your devices. (Would you welcome a stranger to live in your home without Googling him first?) Or, if that sounds a bit arduous, consider purchasing only devices with really reputable brand reputations regarding security, even if it may cost a bit more.
Finally, of course I’ll add: Leverage security services such as Minim. We’re actively working on security measures to block a device’s traffic to IP addresses that have made blacklists, among other measures.
Reflections for IoT manufacturers
There are a few cautionary lessons to draw from this event, not just for mobile phone manufacturers, but for all IoT. While it’s becoming easier to make connected devices thanks to semiconductor chip innovation and SDK offerings, there’s overhead to consider: designing for security.
IoT device makers must consider the security of not only the software or hardware they make in-house, but the security of their entire supply chain. Proper due diligence involves review of legal agreements and testing actual performance before launching.
Secondly, what IoT makers might learn here is to monitor their devices in the wild. What sort of telemetry are you tracking? Could BLU have detected the Adups habitual, suspect communications to servers in China?
Last but not least, the regulatory actions here highlight the importance of transparency. The FTC’s complaint against BLU is centered on the continued misrepresentation to consumers about how their data was handled. As such, it is prudent for IoT makers to ensure their privacy policies accurately reflect their operations and swiftly communicate problems and corrective actions.
Of course, this is not music to the ears of marketing and comms departments, but consider the costs and look for resources. Working with security partners, legal partners, and government bodies can help hedge risk here. Keep tabs on initiatives such as the FTC’s Public Comment Communicating IoT Device Security Update Capability to Improve Transparency for Consumers and the UK Department for Digital, Culture, Media & Sport’s Secure by Design: Improving the cyber security of consumer Internet of Things Report.
IoT security is not easy, but there are plenty of us working on it.