Recent actions of the US Federal Trade Commission are a wake-up call that it's time to make security a top design priority.
In surveys of embedded designers' priorities I have seen over the years, including one in 2013, I have never seen security rise to the top of the pile. Time to market, hiring, code complexity, and new technology are always way higher than security concerns.
Well, folks, the Internet of Things (IoT) boom may have turned the tide on insecure connected devices. The Federal Trade Commission is coming down hard on a company ignoring security issues in its products.
The company in question is TRENDnet, which you may recognize from visits to Best Buy, Staples, and Tigerdirect.com. TRENDnet makes low-end routers, hubs, and (this is the one that got it in hot water) IP webcams.
The FTC's complaint alleges that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring, and claimed in numerous product descriptions that they were "secure." In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the camera's Internet address.
So now TRENDnet has to take back the devices or offer updated security software to everyone who bought a camera during the disputed period -- and that's going to cost big bucks.
Another reason you don't want the FTC on your case is the public disclosure of normally confidential data like revenues.
For example, the world now knows TRENDnet had $62 million in revenue in 2012, with $7.4 million coming from IP cameras. At roughly $30 each, wholesale, that's 25,000 units. This level of detail is normally private.
So now are you going to take security seriously?
In focus groups of engineers, and in talking to software security folks, it seems security is one of those things that nobody worries about until something bad happens. Now that the FTC is looking into IP security, it's time for others to follow suit.
Interestingly, the FTC seems to be very proactive on this issue and is holding a workshop in Washington on November 19. Maybe you should send your Chief Security Officer?