Hi, I'm Matthew Clark, and this is Lesson 6.7, Device Ownership.
In this lesson, we'll take a look at device ownership and the IoTSF recommended controls. So let's get started.
Changing ownership of a device can be fraught with challenges. Every time a device moves from one owner to another, a change-of-ownership event occurs,
which changes the threat environment for both the previous owner and the new owner. And there are many ways this can happen.
Maybe you bought a used device off of Facebook Marketplace. Or maybe you sold your old phone to a friend. Or maybe you traded an unused USB drive for something else. Or maybe you just gave it away. Recently, my mother-in-law just handed me her old laptop. She didn't want it or need it any longer.
Well, there's no password on it.
And when I opened it up, the applications and web pages and documents were all still open.
Whew. It was my mother-in-law's laptop, but it's indicative of how consumers treat electronics. Remember the University of California, Berkeley report that said consumers' actions contributed to the insecurity of IoT devices: consumers who expect IoT devices to act like
user-friendly plug-and-play conveniences
may have sufficient intuition to use the device, but insufficient technical knowledge to protect or update it. I'm not trying to pick on my mother-in-law, but it was a timely real-world example.
Let's take a look at a malicious new owner first. Calling the new owner "malicious" assigns motive or nefarious intent, so let's just assume the new owner is simply curious. Our first concern might be data related:
is the previous owner's data still available so that the new owner could see it?
Does the device store data? And if so, can the new owner go back and get at that data somehow?
So, for example, what if we're talking about health data, or weight data coming off of a smart scale? It would probably scare my wife to death if somebody else could see her weight.
Does the device hold stored credentials or a device certificate that could still be used to access cloud storage, or a management console that manages other devices still under the previous owner's control?
And it might be tempting at this stage to ask yourself how you might defend against that, and you might say, "Self, you good-looking guy, a factory reset might be the best answer." But
just hold on there for a minute, because the next thought should be: how many average people are going to think about doing a factory reset? How would they know to do that? Is that something they're going to have to Google?
Another concern is that the new owner could connect the device to the previous owner's network as a rogue device. You sometimes see these stories in the news: the new owner brings the device within range of the wireless network (assuming they know who the previous owner was),
the device auto-connects to that wireless network using the stored credentials, and the new owner then uses that sensor or device as an entry point into the network.
Now let's take a look at the malicious previous owner. The new owner's data could be available to the previous owner, especially if the new owner hasn't reset the device they purchased and the device is still connected to the previous owner's master account,
where the previous owner can still see the information coming off that device, whether it's from the management console or automated reports
or so forth. An example could be an IoT device that connects directly to a web service, like a device accessing the Internet via a cellular network. Maybe it's a video recording device. Let's make it really scary.
The new owner doesn't update the device ownership. They just plug it in and walk away, which seems kind of ridiculous, but let's say they do that.
The device then continues to send data to the previous owner's account, right? And what if that data is video or photos, in the case of a camera? Or maybe it's health data. What if you found out someone was posting your daily weigh-ins to Facebook? That would be a terrible thing to find out.
So we need to define and develop a process to securely transfer ownership of the device.
Maybe this is as simple as performing a factory reset, right, clearing all the user settings and securely removing sensitive data.
Maybe there's a requirement for occasional account re-authentication to prove you are who you say you are.
If that makes sense, you'll also need a process to verify that the transfer has been completed. For example, the Internet-connected slow cooker might not need a verification, but the rental car that Bluetooth-synced your contact list and driving history? There it might make sense to send a confirmation.
You might also want to develop a process to securely handle sensitive data. Data portability: how does the end user exercise the right to export their data or device settings? How does the company handle the data stored in the IoT ecosystem?
Data erasure is something else to think about: how do you handle requests for the right to be forgotten?
And these ownership changes shouldn't impact security updates. A factory reset shouldn't reduce the device's security profile, and security updates shouldn't be rolled back just because there's been a factory reset.
Security update communications should be transferred to the new owner as well. If you provide personalized notice of security updates by e-mail or text message, then this should be moved to the new registered owner, and the previous owner should be told that they no longer have the device registered, that it's
been removed from their account.
That process helps keep the customer master and device ownership logs clean and up to date.
And a factory reset should really walk the user through how to set up the basic security settings prior to first use. Especially if that factory reset is going to erase all of the user-selected security mechanisms, having a walk-through is really valuable.
So it shouldn't be surprising to find that the IoT Security Foundation has controls in its framework to address device ownership. Let's review some of them.
The first one: where a device is capable of having its ownership transferred to a different owner, all of the previous owner's personal information should be removed. Or, where the device's user wishes to end their service, all personal information should be removed from the device and related services.
Service providers should not have the ability to do a reverse lookup of device ownership. I think we went through a T-Mobile example where their app could find lots of information about their customers. It's a terrible thing,
especially when it wasn't secured. Not that they should be able to find information about other customers at all, but having that API open to the world is definitely not a good thing.
In case of an ownership change, the device has an irrevocable method of decommissioning and recommissioning,
so that somebody can't turn it back to the previous owner.
The device manufacturer also ensures that the identity of the device is independent of the end user. That, of course, is to ensure anonymity and comply with the relevant privacy laws.
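To make the transfer process and the IoTSF controls above concrete, here is an added example (mine, not the lesson's or IoTSF's code) simulating both sides of a secure ownership change: a device-side factory reset that wipes the owner's settings and credential but keeps the security patch level, and a cloud-side registry with an irrevocable decommission/recommission flow that exports and erases the old owner's data, revokes the device credential, notifies both parties, keeps an ownership log, and exposes no owner in its device lookup. The class and method names (Device, Registry, decommission, recommission) and the sample readings are assumptions for illustration.

```python
"""Simulated secure ownership transfer for an IoT device (added example for this
lesson, not IoTSF or vendor code; the class and method names are assumptions)."""
import hashlib
import secrets


class OwnershipError(Exception):
    pass


class Device:
    """Device side: a factory reset wipes everything the owner put on the device
    but keeps the security patch level, so a reset never rolls back an update."""

    def __init__(self, device_id, patch_level):
        self.device_id = device_id      # random at manufacture, not derived from any owner
        self.patch_level = patch_level  # installed security update level
        self.credential = None          # provisioned by the cloud at setup
        self.settings = {}              # Wi-Fi PSK, account name, stored recordings, ...

    def factory_reset(self):
        self.settings.clear()           # no stored Wi-Fi key: cannot rejoin the old network
        self.credential = None          # patch_level is deliberately left untouched


class Registry:
    """Cloud side: device_id -> {owner, credential hash, reports, status}."""

    def __init__(self):
        self.devices = {}
        self.audit = []          # ownership log: (device_id, event, owner)
        self.notifications = []  # (recipient, message), e.g. security update notices

    def enroll(self, device, owner):
        cred = secrets.token_urlsafe(24)  # fresh credential for every owner
        self.devices[device.device_id] = {"owner": owner, "reports": [], "status": "active",
                                          "cred": hashlib.sha256(cred.encode()).hexdigest()}
        device.credential = cred
        device.settings["account"] = owner
        self.audit.append((device.device_id, "enroll", owner))
        self.notifications.append((owner, f"{device.device_id} is registered to you"))

    def report(self, device_id, cred, payload):
        """Device upload; only the current owner's credential is accepted."""
        rec = self.devices.get(device_id)
        digest = hashlib.sha256(cred.encode()).hexdigest()
        if rec is None or rec["status"] != "active" or rec["cred"] != digest:
            raise OwnershipError("credential revoked or unknown device")
        rec["reports"].append(payload)

    def data_for(self, owner):
        return [p for r in self.devices.values() if r["owner"] == owner for p in r["reports"]]

    def device_info(self, device_id):
        """Support/public view: status only, never the owner (no reverse lookup)."""
        return {"device_id": device_id, "status": self.devices[device_id]["status"]}

    def decommission(self, device, requester):
        """Irrevocable: export data (portability), erase, revoke, unbind, reset."""
        rec = self.devices[device.device_id]
        if rec["owner"] != requester:
            raise OwnershipError("only the current owner can decommission")
        export = list(rec["reports"])
        rec.update(reports=[], cred=None, status="decommissioned")
        previous, rec["owner"] = rec["owner"], None
        device.factory_reset()
        self.audit.append((device.device_id, "decommission", previous))
        self.notifications.append((previous, f"{device.device_id} removed from your account"))
        return export

    def recommission(self, device, new_owner):
        if self.devices[device.device_id]["status"] != "decommissioned":
            raise OwnershipError("device must be decommissioned first")
        self.enroll(device, new_owner)


def _rejected(action):
    try:
        action()
        return False
    except OwnershipError:
        return True


def transfer_demo():
    """Alice sells a smart scale to Bob; returns what each party can still do."""
    reg = Registry()
    scale = Device("dev-" + secrets.token_hex(4), patch_level=7)
    reg.enroll(scale, "alice")
    old_cred = scale.credential
    reg.report(scale.device_id, old_cred, {"kg": 71.2})  # constructed sample reading
    stranger_blocked = _rejected(lambda: reg.decommission(scale, "mallory"))
    exported = reg.decommission(scale, "alice")
    # A credential copied off the device before the sale is now useless
    stale_blocked = _rejected(lambda: reg.report(scale.device_id, old_cred, {"kg": 80.0}))
    reg.recommission(scale, "bob")
    reg.report(scale.device_id, scale.credential, {"kg": 80.0})
    return {"exported": exported, "stranger_blocked": stranger_blocked,
            "stale_blocked": stale_blocked, "alice_sees": reg.data_for("alice"),
            "bob_sees": reg.data_for("bob"), "patch_level": scale.patch_level,
            "info": reg.device_info(scale.device_id), "events": [e for _, e, _ in reg.audit]}
```

Running transfer_demo() shows the two threat cases from the lesson closing off: Alice gets her readings back and then sees nothing Bob's scale reports (the "malicious previous owner" case), and a credential copied off the device before the sale is rejected once the device is decommissioned (the "malicious new owner" case), while the patch level survives the reset and the device lookup never reveals who owns it.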
Well, that's it for this lesson. We discussed device ownership, we talked about threat modeling, and we went through the IoTSF controls for ownership. I'll see you next time.
IOTSF Secure Design Best Practice Guides
Data Privacy Part 1
Data Privacy Part 2
Reasonable Security: A Review of US Law Affecting IoT
Global IoT Laws: A Review of International Law Affecting IoT