The consumer product world is experiencing a broad emergence of Internet-connected tech products with embedded sensors and microchips that allow them to perform tasks never before imagined. They are part of the Internet of Things (IoT) and they will eventually redefine what we consider normal. And like many tech items that evolve from pricey retail versions to low-cost promotional versions, the day when IoT products arrive in the promotional industry is likely to come soon. Imagine a T-shirt that monitors your heart rate and then automatically adjusts the program of your treadmill, a pill box that emails you if your elderly mother forgets to take her medicine, or GPS-enabled stickers that can track anything with a Find-my-iPhone-type app. These products and hundreds more are all possible in what our industry could call the Internet of Promotional Things (IoPT). In time, there are bound to be IoPT features added to a wide range of industry categories – from pens to drinkware to bags to apparel – as developers find meaningful ways to reimagine the customer experience and broaden marketing opportunities.
But the benefits of IoT and IoPT may come at a price. These connected consumer products are raising serious concerns for regulators around the globe as issues of cybersecurity and privacy abound.[3] Consumers have already been subjected to hacking incidents with IoT control devices in automobiles, heart regulators, baby monitors, cameras, oil pipelines and credit card scanners, to name a few. Promotional professionals should take the time to educate themselves about IoT now, before the products become plentiful in the industry, so that when they begin to appear you will be better able to make informed decisions and protect your clients’ brands.
Only 4% of the world was online in 1999 when Kevin Ashton, a British scientist working at Procter and Gamble (P&G), coined the term “Internet of Things.” It was the title of a presentation he gave on the use of radio frequency identification tags (RFID) for P&G’s supply chain. Ashton was convinced that life would be greatly improved if computers weren’t dependent on humans for data entry – that electronic sensors, like RFID, were much more efficient. He wrote, “If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. We need to empower computers with their own means of gathering information, so they can see, hear and smell the world for themselves, in all its random glory. RFID and sensor technology enable computers to observe, identify and understand the world—without the limitations of human-entered data.”
That same year, Neil Gross wrote in Business Week, “In the next century, planet Earth will don an electronic skin. It will use the internet as a scaffold to support and transmit its sensations. This skin is already being stitched together. It consists of millions of embedded electronic measuring devices: thermostats, pressure gauges, pollution detectors, cameras, microphones, glucose sensors, EKGs, electroencephalographs. These will probe and monitor cities and endangered species, the atmosphere, our ships, highways and fleets of trucks, our conversations, our bodies – even our dreams.”
The Internet of Things described by Ashton and Gross is in “full flower” today, says Pew Research Center, with IoT devices pervasive in cars, voice-activated assistants, appliances, security systems, health-monitoring devices, road sensors, and personal fitness trackers. And with the crop of new products introduced at the Consumer Electronics Show (CES), IoT features have begun to emerge in cameras, door locks, doorbells, beauty mirrors, window blinds, toothbrushes, hairbrushes, wine bottle sleeves, umbrellas and dozens of other products. The research firm Gartner estimates that 8.4 billion connected “things” are in use worldwide in 2017 and will grow to more than 20 billion by the year 2020.
But according to Pew, “the very connectedness of the IoT leaves it open to security and safety vulnerabilities.”[3] It is these vulnerabilities that fuel regulators’ concerns. At the November 2017 ICPHSO International Training Workshop held in Tokyo, Japan, regulators from the U.S., Europe and Japan participated in panel discussions on IoT security risks. Anne Marie Buerkle, Acting Chair of the U.S. Consumer Product Safety Commission (CPSC), addressed the issue directly in her keynote, stating that cybersecurity in IoT devices has become one of CPSC’s highest priorities and is specifically noted in the Agency’s 2017 Report on Emerging Technologies. “But we cannot solve these issues by ourselves,” Buerkle said. To address them successfully, she emphasized, will take a coordinated effort by regulators worldwide. But this will take time as the issues are complex, the opportunities for collaboration are limited and there are many more questions than answers.
Examples of the safety issues CPSC is concerned about were identified in a hacking contest staged at the August 2016 Def Con Conference in Las Vegas. Def Con is the longest-running computer security conference in the world, attracting more than 20,000 hackers and IT professionals annually. A month later, Def Con announced that 47 new vulnerabilities affecting 23 devices from 21 manufacturers were identified at the conference, allowing hackers to open locks, reprogram thermostats, freeze water pipes, and take control of a wheelchair, among others. Fred Bret-Mounet, a researcher who found some of the issues, stated, “I can shut down the equivalent of a small to midsized power generation facility or I can use that device as a Trojan within a target’s network to spy on them.”
The vulnerabilities identified at Def Con have been attributed to a variety of predictable causes: poor design decisions, coding flaws, hard-coded passwords, back doors, inadequate testing, rush to market, lack of standards and regulations, and the lack of cybersecurity expertise. These vulnerabilities are already showing up in the marketplace. In New York City, in January 2016, the Department of Consumer Affairs issued a consumer warning about baby monitors that provide easy access for predators to watch or even speak to unsuspecting children, and the department announced that it had filed subpoenas against several major manufacturers of video monitors all of whom market their devices as secure. The risk of these types of vulnerabilities appearing in IoPT devices could be significant since our industry has little experience with cybersecurity and many of the factories that develop promotional products are small, with limited resources and with fast-track development cycles that sometimes skimp on performance testing. Low cost and speed to market are often their defining objectives.
At the Tokyo ICPHSO conference, one of the expert panels focused on solutions – ways that IoT devices could be made more secure – and whether existing cybersecurity standards from standards organizations like ISO, IEC and UL are robust enough for IoT. Stephen Brown, Director of Innovation at the global test lab CSA Group, argued that existing cybersecurity standards are adequate if products are tested at qualified labs and subjected to comprehensive testing at each stage of their development. But the testing protocol Mr. Brown advocated was extensive and may only be affordable for mega corporations. David Kosnoff, VP of Quality Assurance for Hasbro, approached the problem from the manufacturer’s perspective and spoke about the need for cybersecurity training of everyone involved in the design and development of IoT products. He also advocated enhancing Failure Modes Effects Analysis (FMEA) to include cybersecurity. FMEA is a standard QA tool that manufacturers use to identify all the ways a product might fail, as a critical step in designing out defects in the product development stage.
Left unanswered are many questions our industry will have to deal with as new IoPT products hit the market. Without even considering privacy issues, the cybersecurity questions are extensive. What is the responsibility of suppliers and distributors when vulnerabilities are discovered? How will they handle registering users of IoPT devices so that software and firmware can be updated with patches? How will suppliers develop firmware and software patches (to remedy vulnerabilities) without having in-house expertise in circuit board design, microchip programming and other intricacies of IoT devices? Whose responsibility will it be to pay for these fixes and for how long? Will there have to be a new provision added to Section 15(b) of the Consumer Product Safety Act requiring companies to report on security breaches? How will CPSC and other global regulators treat IoT vulnerabilities for product recalls? And how will all of this impact recall insurance policies and premiums? These questions and many more should be adequately addressed before the industry jumps into the deep end of the pool with IoPT devices.
So while it will ultimately be very cool to have a lunch box that can send an alert if peanuts are within 50 feet, a child’s backpack that allows a worried mom to track her elementary school child, or pens that can automatically notify the advertiser to send out a new refill when the ink is running dry, you should take the time now to implement an education program in your company to learn about the technology, the cybersecurity issues, the privacy issues, the regulatory issues and how you will evaluate products and vendors when these types of products come to market.
IoT PRODUCT/SERVICE CERTIFICATION OPTIONS
| ISO 27000 Series | Information Security Management System including SDLC and incident management | Y |
| IEC 62443 Series | Cyber Security Management System including product security and SDLC | Y |
| NIST 800-53 | Cyber Security Management System *US Only | N |
| UL 2900 | Product testing and evaluation | N |
*Courtesy of CSA Group