SecurityWeek Shows How Not To Set Up SSL/TLS on Your CDN

This is a little different from our usual IoT Security topics, but SecurityWeek magazine is currently demonstrating how NOT to set up SSL/TLS on your CDN (content distribution network).

If you go to SecurityWeek now, you will see that they switched much of their content over to an https-based server that requires the use of SSL/TLS (as the White House CIO has mandated for all federal sites). Normally, this is a good thing, but not when it prevents readers from seeing your site at all.

Google Chrome 43 refusing to browse to https://www.securityweek.com because of a certificate name mismatch.

The reason Chrome (and other browsers) are blocking access to https://www.securityweek.com is that the CN (common name) on the server’s X.509 certificate is “incapsula.com,” not “securityweek.com.” This is exactly the mismatch browsers look for to prevent hackers from hijacking legitimate https-based sites with any old certificate.

The errors provided by the browser (“Your connection is not private…”, “Server’s certificate does not match the URL” and “NET::ERR_CERT_COMMON_NAME_INVALID”) provide all the clues we need to diagnose the problem.

If we click the “Certificate information” link in the error message, we can see that the “CN” (found in the “Subject” attribute) of the X.509 certificate is indeed “incapsula.com.”

We can also look at the widely supported “Subject Alternative Name” field to see whether “DNS Name=*.securityweek.com” or a reasonable variant exists in that field. Unfortunately, it does not.

So what is “incapsula.com” and why is it on securityweek.com’s https site? A quick web search shows that incapsula.com is a CDN, or “content delivery network,” that essentially pre-distributes and serves up the images, script files and other static content from large sites like securityweek.com so that loads hit the CDN’s network of distributed servers instead of the original securityweek.com servers.

So what should securityweek.com have done instead of this? As with many web configuration items, there are many options. Three of them might have been to:

  1. Use a CDN-branded https:// address like “https://securityweek.incapsula.com”.  This would work because incapsula.com’s “wildcard” cert would cover any domain name that ended in “incapsula.com.”  This is what many smaller sites do when they use HTTPS services on a CDN, but bigger “brand name” sites usually do #2 or #3 instead.
  2. Add their domain name to the list of “Subject Alternative Names” on incapsula’s wildcard cert.  As you can see above, many other companies have already done this.  (In fact, inspecting this field on X.509 server certificates is often a fun way to harvest a list of major customers from many cloud providers.)
  3. Buy their own “cdn.securityweek.com” or similar X.509 certificate and have the CDN provider install it.  This is the most secure way to go, but it also carries the most cost.
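To make the mismatch concrete, here is an added example (not code from the original post, and not Incapsula’s) of how a client matches a hostname against a certificate’s CN and Subject Alternative Names, run against a constructed stand-in for the CDN certificate. It also walks through options #1 and #2 above and one caveat practitioners trip over: a wildcard covers exactly one label, so “*.securityweek.com” would cover www.securityweek.com but not the bare “securityweek.com”; every name other than “incapsula.com” and “*.securityweek.com” is a placeholder.

```python
"""Hostname verification against an X.509 certificate's names.

Added example, not code from the original post or from Incapsula. It models
the check Chrome performed on https://www.securityweek.com and the fixes
listed above. The certificate contents are constructed: "incapsula.com" and
"*.securityweek.com" come from the post, every other name is a placeholder.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The identity fields of a server certificate that matter for hostname checks."""
    common_name: str                             # Subject CN, e.g. "incapsula.com"
    dns_sans: list = field(default_factory=list) # Subject Alternative Name dNSName entries


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname using the RFC 6125 rules.

    A wildcard is honoured only as the entire left-most label and it stands in
    for exactly one label: "*.incapsula.com" matches "securityweek.incapsula.com"
    but neither "incapsula.com" nor "a.b.incapsula.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                             # "w*.example.com" or "a.*.com" are rejected here
    if len(p_labels) < 3:
        return False                             # refuse "*.com" style wildcards
    if len(p_labels) != len(h_labels):
        return False                             # the wildcard covers one label only
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> tuple:
    """Return (ok, reason). dNSName SANs take precedence; the CN is only a legacy
    fallback when no dNSName SAN is present (browsers of the Chrome 43 era still
    allowed that fallback, current ones do not)."""
    if cert.dns_sans:
        for san in cert.dns_sans:
            if _name_matches(san, hostname):
                return True, "matched SAN " + san
        return False, "no SAN entry matches " + hostname + " (CN is not consulted)"
    if _name_matches(cert.common_name, hostname):
        return True, "matched CN " + cert.common_name
    return False, "CN " + cert.common_name + " does not match " + hostname


# Constructed stand-in for the CDN certificate described in the post.
CDN_CERT = CertNames(
    common_name="incapsula.com",
    dns_sans=["incapsula.com", "*.incapsula.com", "*.other-customer.example"],
)

# Option #2 above: the customer's wildcard added to the SAN list.
CDN_CERT_WITH_SAN = CertNames(
    common_name=CDN_CERT.common_name,
    dns_sans=CDN_CERT.dns_sans + ["*.securityweek.com"],
)

if __name__ == "__main__":
    for cert, host in [
        (CDN_CERT, "www.securityweek.com"),           # the failure shown in the post
        (CDN_CERT, "securityweek.incapsula.com"),     # option #1: CDN-branded name
        (CDN_CERT_WITH_SAN, "www.securityweek.com"),  # option #2: SAN added
        (CDN_CERT_WITH_SAN, "securityweek.com"),      # caveat: *.securityweek.com skips the apex
    ]:
        print(host, hostname_matches(cert, host))
```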

Nest Privacy Policy: 7 Best Practices

The Nest privacy policy is one of the best IoT Security Lab has seen.  It is easy-to-find, easy-to-read, and quickly gives consumers the confidence they need to buy Nest’s products.

Whether you are an IoT smart device consumer or manufacturer, please read on to learn more about seven privacy policy best practices Nest uses to comfort and protect its buyers.

1. Privacy Policy is Easy to Find

First, if your consumers are interested in privacy (and research shows they are), make it easy for them to find information about it on your web site.  Nest does this by putting a link to their privacy policy on EVERY page.

2. Privacy Summary Written for Humans

When you click “privacy,” Nest doesn’t just take consumers to a jargon-laden privacy policy written by attorneys.  Instead, they show you a picture of a woman in her home with her child, and equate the sharing of data with “deciding who we invite in.”

3. Note That Privacy Depends on Security

It is impossible to have privacy without security. Security prevents malicious people from breaking through the access controls – whether curtains, doors, digital permissions or encryption – that provide other people’s privacy.

Nest reminds people of this connection using more everyday language like “same…tools that banks use” and “double-bolt the doors.”  They also reinforce the human connection with another picture of a woman, her husband, and their young family.

4. Buyer Controls Sharing and Retention

Two of the critical concepts in IoT privacy are who can see your data (sharing) and how long they can use it (retention). Nest tackles both issues in their human-readable policy.

  • Sharing: “We only share personal info when you ask us to connect a Nest product to another device in your home. We also let you know what we’re sharing and why. And you can stop sharing your information at any time.”
  • Retention: “We have a Delete My Account feature that removes your personal information from our servers.”

5. Separate Web and Device Privacy Policies

One of the most common mistakes companies make while rushing to market is to reuse their web privacy policy as their device privacy policy. Since web privacy policies are often written to allow advertisers to seek as much information from consumers as possible, carrying these policies forward into devices can cause embarrassing leaks or even invite legal action.

To draw a clean line between the two types of policies, Nest lists them separately (web vs. device) and clearly states that it is only talking about devices and device data when it leads off its device privacy policy.

6. Data Is Made Anonymous Before Publication

“Big data” got a scare in 2014 when a researcher used a complete set of obfuscated taxi route data to figure out the personal travel habits of an entire city. With that in mind, data providers have been more careful to only release data that hides the identity and behaviors of individual consumers.

While we cannot say for sure that Nest has thoroughly scrubbed and boiled its data, its privacy policy certainly says the right things about “aggregating” and “anonymizing” data shared publicly and with Nest’s partners.

7. A Real Privacy Contact

Finally, Nest provides a catch-all contact, in this case an email address, in case their buyers have any questions.

How Are Others Doing?

Like Nest, we would also love to hear suggestions about how well other IoT companies are doing with privacy, or which other companies you would like us to evaluate. To contact us about either topic, please send email to “meetus@iotsecuritylab.com”.

Privacy Breaches Lead to Significant Brand Damage

A 2015 report from the National CyberSecurity Alliance (NCSA) shows that data breaches that result in privacy lapses lead to significant brand damage.

The report covers the experiences of IT professionals who work at a company that experienced a data breach. 41% of those employees noted that “loss of customer loyalty” (i.e., brand damage) was the second most negative consequence of the breach.

This finding reflects previous research conducted by the Ponemon Institute and should help prioritize the efforts of device manufacturers to promote good security and protect consumer privacy.

Click the following link for the full data privacy consumer behavior report from the National CyberSecurity Alliance.

IoT Security Lab is a Data Privacy Day Champion.

Half of All Consumers Think Security Equals Privacy

According to the National CyberSecurity Alliance (NCSA), half of all U.S. consumers think that “security” is the same as “privacy.”

In its recent survey, the NCSA found that:

  • 48% of the American public believes that privacy and security are the same
  • 52% of the American public believes that privacy and security are different

The survey results suggest that consumers shopping for smart devices could be just as turned off by poor security as by an unclear privacy policy. They also suggest that detailed information about security and privacy issues (such as the security alerts IT professionals are used to consuming) could be ignored by consumers who cannot even distinguish security from privacy.

High Net Worth or In Their Fifties Equals Privacy Sensitive

The National CyberSecurity Alliance (NCSA) has released a new report that links demographics and privacy in technology.

According to the report, the most “privacy sensitive” groups are:

  • 46-65 year olds
  • those with the “highest” net worth

This finding reflects previous research conducted by the Lares Institute and should help device manufacturers understand why certain groups may fail to adopt their smart devices unless information about their privacy is transparent.

Consumers Make Buying Decisions Based on Privacy

A new report linking data privacy and consumer buying behavior was released in advance of Data Privacy Day.

According to the report:

  • 39% of people said they’d made a buying decision based on privacy concerns.
  • 27% of millennials abandoned a purchase online because of security and privacy concerns in the past month.
  • 32% of US adults always consider a company’s privacy policies when choosing which websites to visit or online services to use.

These figures reflect previous research conducted by the Lares Institute, Raytheon (in partnership with NCSA) and Ipsos.

IoT Privacy Policy: Grading Lowe’s IRIS

As larger companies embrace the Internet of Things (IoT), they are starting to publish formal privacy policies that describe what data they collect and what they do with that data. Unfortunately, these policies are filled with legalese and are usually as indecipherable as the End User License Agreements (EULAs) that come with packaged software.

That’s where IoT Security Lab comes in: deciphering the policy. Today we’ll be looking at the privacy policy of the Iris home automation system published by Lowe’s Home Centers.

Overview

Lowe’s IRIS is a system of interconnected sensors, controls, and cameras that allow people to check on and sometimes modify conditions in their homes.

IRIS allows people to monitor temperature, door and window openings, limited video streams and other conditions remotely, and it can send alerts when certain environmental events occur. IRIS also allows people to set thermostat, lighting and similar controls remotely.

Lowe’s IRIS Privacy Summary

The Good:

  • Lowe’s Publishes a Privacy Policy
  • IRIS System Alerts are “Separate from Other Marketing Services”
  • Potentially Insecure Communication Channels are Listed
  • Reminder to Keep Passwords, PINs and FOBs Secure

The Bad:

  • Wide Range of “Collected Information”
  • Unclear Restrictions on Partners’ Use of Information
  • Credit Card Is Always Required (And Stored)
  • Automatic Consent to Full Credit Check
  • No Time Limit on Retention of Personal Information
  • Opt-Out of Marketing Messages
  • “Do Not Track” is Ignored

The Ugly:

  • Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees
  • IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security
  • Privacy Policy Confuses Device Communications and Web Surfing

The Good

Lowe’s Publishes a Privacy Policy

Lowe’s deserves credit for getting their privacy policy out in front of their consumers.  In fact, I found the policy just by following the standard “terms of service” link on an air filter notification.

IRIS System Alerts are “Separate from Other Marketing Services”

Section 13.3 of Lowe’s terms of service provides a perfect example of the message consumers should look for in their IoT systems (emphasis mine): “Your Iris service includes important email and text messages relating to alerts, system status and important account updates. These are a core part of the Iris service and separate from the other marketing services Lowe’s offer.”

Potentially Insecure Communication Channels are Listed

The IRIS policy does a good job telling consumers that the convenient communication channels they will probably use for their alerts are also potentially insecure.  These include “phone call, text message, and emails.”  For example, in section 13.1, Lowe’s states, “please be aware that emails in particular are not secure.”

Reminder to Keep Passwords, PINs and FOBs Secure

Lowe’s policy contains a reminder we would hope to see from any IoT vendor: “you are responsible for keeping any passwords and PIN numbers…confidential, and for keeping keyfobs…secure. You should log out… You are responsible for notifying us immediately if you believe that the security of your account may have been compromised…”  (Section 13.5)

The Bad

Wide Range of “Collected Information”

Lowe’s policy allows the company to collect a wide variety of personal information, including physical address, email address, phone numbers, photographs and “details about your various devices in your home.” (Section 20)

Unclear Restrictions on Partners’ Use of Information

The information Lowe’s collects may be used to “communicate with you,” “manage our customer information database” and “customize your experience.” Lowe’s may use this information or “may share personal information we collect on the Site with our service providers who perform services on our behalf.” Lowe’s may also “share your information among our affiliates and joint marketing partners, who may send you marketing information.” (Section 20)

While it may be unlikely that Lowe’s intends to ship your personal video streams off to Mechanical Turk to mine them for hints, similarly invasive uses do not seem to be prohibited by its privacy policy.

Credit Card Is Always Required (And Stored)

Even the Basic/Free tier requires consumers to enter valid credit card information.  (Section 2.2)  This information is then stored so the service can automatically bill you if you accidentally exceed the Basic Tier limits (Section 4.3 and 8.2), or if you decide to upgrade to a higher service tier.

Automatic Consent to Full Credit Check

“You authorize Lowe’s to obtain a non-investigative consumer report, commonly referred to as a credit check or credit report, about you from a consumer reporting agency at any time that you are signed up to receive the Iris service.”  (Section 6.4)

A credit report can reveal extensive information about you, including your date of birth, your social security number, most of your employment information, all your credit cards, bank accounts and loans, and legal actions such as bankruptcies, liens and wage garnishment.

No Time Limit on Retention of Personal Information

There is a brief and vague section about how Lowe’s will protect personal information, but there is no mention of how long the data will be retained.

Opt-Out of Marketing Messages

Lowe’s terms of service make it clear that you will need to “opt out” of its email and similar promotions. “By accepting this agreement, you agree to receive Lowe’s marketing communications both Iris specific and non-Iris specific.” (Section 20)

“Do Not Track” is Ignored

Lowe’s is similarly clear about ignoring “Do Not Track” flags.  “We do not process or respond to “Do Not Track” signals from your browser or other mechanisms that enable consumer choice regarding the collection of personal information about one’s online activities over time and across third-party Websites or online services.”  (Section 20)

The Ugly

Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees

The video description of the IRIS system says that it could be used to detect prowlers, and there is an IRIS page dedicated to positioning the product against “Competitors: Cable/Telcos/Alarm Co’s.”

However, Lowe’s Terms of Service make it clear that IRIS should not be used as a traditional home security system.  Specifically:

  • It cannot be used for emergency service. (Section 12.1)
  • It cannot be connected directly to police or other public services. (Section 15.2)
  • It provides no insurance protection; in fact, you agree to hold Lowe’s harmless if anything does happen. (Section 18.1)
  • It was not designed to meet building or fire codes. (Section 12.1)
  • The system can send you home security alerts, but these may be “lost” and Lowe’s is not responsible for delivering these alerts. (Section 13.1)

The contradiction is a problem for people (like us) evaluating the privacy of the system because we cannot be sure if we should look at it as a security system or not.  (Ultimately, we decided it was not.)

RECOMMENDATIONS:

  • For Consumers: Don’t buy IRIS to use as a home security system.
  • For Vendors: Square your marketing with your T&S.

IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security

Lowe’s Terms of Service state that “Once your system is registered and working, we may need to access your hub or devices to upgrade the firmware.” (Section 2.3) That’s fine until you get to the part which states, “you alone are responsible for protecting…Iris products…from unauthorized access, viruses, spyware and all other types of malicious code.” (Section 13.4)

As a consumer, I’m now confused: is Lowe’s going to fix everything EXCEPT security problems with my devices?

RECOMMENDATIONS:

  • For Consumers: To prevent malware at home, consider deploying ALL your in-house automation on a separate network from your home computers, tablets and other systems.  (An easy way to do this with a home router is to put all your wireless automation on your “GUEST” network.  Commercial routers can also be used to “segment your network.”) 
  • For Vendors: If you claim responsibility for updating and maintaining your deployed components, you also need to claim responsibility for keeping them secure and virus-free.

Privacy Policy Confuses Device Communications and Web Surfing

Lowe’s privacy policy starts strong, with explicit commitments to avoid co-mingling IRIS alerts and regular Lowe’s marketing. However, the “Privacy Notice” section (Section 20) appears to blur the lines.

The problem could be that the IRIS privacy notice appears to be a modification of a standard retailer’s web site privacy policy, which essentially says that the retailer can use any means necessary to figure out who you are, track you, and present you with targeted offers based on your likely purchasing patterns.

Some of that baggage remains in phrases like “web beacons” that don’t apply to device communications. At the same time, Lowe’s also tries to carve out special protection for device communications in “Service Delivery” clauses and the like. Unfortunately, the result is a mishmash of web and device privacy rules that seem to leave IRIS data open to many uses – several of which could surprise privacy-seeking consumers.

RECOMMENDATIONS:

  • For Consumers: Seek out vendors that treat device information with special care, as outlined in their privacy policies.
  • For Vendors: Be careful not to let overzealous web site privacy policies (which aim to identify “anonymous” visitors and address particular demographics accessing your site with specific offers) bleed into your device privacy policies (where the identity of your consumers is already known).

Lowe’s IRIS Privacy Policy

Current Policy | Evaluated Policy (PDF Nov 18, 2014)

Next Steps

Take the IoT Privacy Survey

Suggest Another Privacy Policy to Review

IoT Security Lab Becomes Data Privacy Day Champion

IoT Security Lab is proud to be a Data Privacy Day Champion as we look forward to Data Privacy Day on January 28. The date commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

On Jan. 27, 2014, the 113th United States Congress adopted S. Res. 337, a nonbinding resolution expressing support for the designation of Jan. 28 as “National Data Privacy Day” in America.

For our part, IoT Security Lab pledges to make the privacy of IoT devices and the systems that support them more transparent to consumers, so everyone can make informed privacy decisions when they purchase smart devices.

Internet of Things “Smart Device” Privacy Survey

Are you terrified of your TV or other smart device? Please take our five-minute, six-question Internet of Things (IOT) privacy survey. Results from all takers will be displayed when you complete it.

What types of smart devices might reveal too much information about you? (Check ALL that apply.)

What smart device features make you nervous? (Check ALL that apply.)

What information do you currently fear losing through a smart device? (Check ALL that apply.)

IOT Internet of Things Medical Records Worth $250 Per Patient?

Internet of things (IOT) devices generating, storing or processing medical records could be exploited, and each record could be worth up to $250 per patient.

The $250-per-IOT-medical-record figure comes from John Halamka, chief information officer (CIO) of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, as he was being interviewed for IT World in the wake of the 4.5 million patient record privacy breach at Community Health Systems by hackers in China.

“If I am one of the 50 million Americans who are uninsured … and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details,” he said.  As long as personal details like age, weight and height are approximately correct, a person could use the stolen data (and a standard fake ID) to convince a hospital they are insured and receive treatment, Halamka continued.  (“Why would Chinese hackers want hospital patient data?” by Martyn Williams, August 18, 2014 – IDG News Service)

At 2014’s DEFCON security convention healthcare security researcher Shawn Merdinger demonstrated how medical devices could expose personal health information to hackers.  The types of devices he looked at included anesthesia carts, lab systems, refrigeration storage, PACS (imaging/radiology), MRI/CT, cardiac defibrillators, infusion pumps, nuclear medicine systems, fetal monitors and integration points with monitoring systems – all with their own issues.  In one example, he located more than a thousand of these devices connected and listening after tickling just one exposed workstation plugged into a hospital group’s wide open network.  (“Just What the Doctor Ordered?” by Scott Erven and Shawn Merdinger, August 8, 2014 – DEFCON 22)