“We need more officers on patrol.”
“The access control issue is by far the biggest challenge in API security,” says Erez Yalon, vice president of security research at Checkmarx and API security project lead for the Open Worldwide Application Security Project (OWASP), an open source-focused foundation. Four of OWASP's top 10 API security risks relate to authorization and authentication, Yalon noted. “This is no different, and in some cases even more severe, for IoT and smart home appliances.”
Mark Ostrowski, head of engineering at Check Point Software, points out that appliance vendors that use open source operating systems may design, build and ship devices that are vulnerable by the time they reach a customer's home. Patching and updating these systems is often difficult and typically must be initiated by the customer. “As we become more reliant on smart devices, we need to extend enhanced IoT security to the home as well.”
While Consumer Reports researchers have seen cases of unauthorized access through a product's apps or smart features, the company rep said it's “rare” and typically occurs in the realm of “startups and small white-label brands” trying to bring seemingly high-tech products to market but without the robust quality assurance of implementation testing.
Seventeen states (including Maryland) have privacy laws requiring companies to protect buyers' personal information. The Federal Trade Commission and state attorneys general have also enacted consumer protection laws to strengthen security; Consumer Reports filed an investigation into poor security on the pregnancy app Glow with the California Attorney General's office, which won a settlement in late 2020; and the FCC's proposed Cyber Trust Mark could further encourage companies to maintain security best practices.
“But in general, we need more police on patrol and stronger penalties when companies break the law by using weak security protocols,” Consumer Reports researchers said through a spokesperson.
[Image caption: Notice left on GitHub's MyMazda integration page following Mazda's DMCA takedown. Credit: GitHub]
I told Barber, Duritz, and Clark that I was uncomfortable sharing their story on a news site. They'd made something that was extremely useful to some people who deal with “smart” devices tied to not-quite-smart phone apps. The potential reward for their work had always been self-satisfaction, a tip-box donation, and maybe a friendly email. Now the potential risk was a DMCA notice, threats of legal action, their code being taken down, or some combination of these.
Garage door opener conglomerate Chamberlain last year blasted third-party apps like Home Assistant for “unauthorized use” of its opener API, saying the company was deliberately thwarting related extensions. Home Assistant founder Paulus Schoutsen wrote in a Home Assistant blog that Chamberlain required them to pay “certified partners” to integrate with its myQ openers, something the open-source, non-profit project couldn't do. Owners were able to circumvent the blockage with a small ratgdo device and wiring and regain access to their devices.