Connected devices retain valuable data that can be extracted after they’re discarded, said research firm Independent Security Evaluators Monday, announcing a presentation on the topic Friday at DEF CON IoT Village in Las Vegas by Northeastern University cyber researcher and doctoral student Dennis Giese. “While consumers are aware that data needs to be wiped from smart phones and computers before discarding,” IoT devices pose “new challenges and risks, as they too retain valuable data,” said Giese. With billions of IoT devices being purchased, consumers “need to understand that their trash could become a hacker’s treasure,” said the researcher. Most IoT devices must store information such as Wi-Fi credentials or user data to operate correctly, and that data needs to be available in unencrypted plaintext. Many devices also store other information on the device’s flash storage: robot vacuums, for example, store maps, cleaning histories and log files, he said. Some cameras store short video sequences, and audio speakers save playlists. In his research, Giese found most IoT devices have a “bad implementation of a factory reset.” He found that with used devices he purchased -- even when the previous owner had performed a factory reset -- “most of the user data and log files still remain.” As part of the Friday presentation, Giese plans to demonstrate how data can be extracted from a used robot vacuum that was reset by the previous owner, and how it’s possible to use that data to track down the previous owner. ISE encourages manufacturers to “make it more obvious and easier to find and reset a device,” a spokesperson said.
Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., reintroduced two bills Friday to improve cybersecurity in cars and airplanes. The Security and Privacy in Your Car Act would direct the National Highway Traffic Safety Administration and FTC to “establish federal standards to ensure cybersecurity in increasingly computerized vehicles and to protect drivers’ privacy.” The Cybersecurity Standards for Aircraft to Improve Resilience Act would require disclosure of cyberattack information on aircraft and “standards to identify and address cybersecurity vulnerabilities” of commercial U.S. aircraft operations.
Comments are due Aug. 9 on the National Institute of Standards and Technology’s draft cybersecurity white paper concerning blockchain technology, the agency announced Tuesday. The paper outlines “standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms.”
Seventy-nine percent of U.S. broadband homes worry about data security and privacy issues, blogged Parks Associates Tuesday. Roughly 35 percent of U.S. broadband households faced a data security problem -- including identity theft, data theft or a virus or spyware infection -- in the past 12 months. “Many consumers do not trust companies with their data, nor do they believe they receive adequate value for sharing their data,” said analyst Lindsay Gafford. They’ll be more comfortable with connected products when security protections are built in and companies are “more transparent about how they collect and use” their data, she said.
D-Link agreed to security improvements to settle a 2017 FTC lawsuit, the agency said Tuesday. The commission previously alleged the company's wireless routers and internet cameras were vulnerable to hackers and invasion of users' privacy, an allegation the manufacturer had vowed to fight. Now, it will start "a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure," the agency said. "This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers." D-Link will get biennial third-party assessments of its software security program for 10 years. The pact was filed in U.S. District Court in San Francisco and commissioners approved 5-0. "Security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Consumer Protection Bureau Director Andrew Smith. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.” The company didn't comment.
Legislation requiring that U.S. government devices follow minimum security requirements (see 1903110054) was advanced for full chamber consideration Wednesday by the Senate Homeland Security and Governmental Affairs Committee. The Internet of Things Cybersecurity Improvement Act (S-734/HR-1668) was introduced by Sens. Mark Warner, D-Va.; Cory Gardner, R-Colo.; Maggie Hassan, D-N.H.; and Steve Daines, R-Mont., along with Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas. The House Oversight Committee advanced companion legislation last week.
Twitter “inadvertently” collected and shared user iOS location data with an advertising partner without user consent, the platform blogged Monday. If a user was operating more than one Twitter account on iOS, the platform might have accidentally collected location data for all accounts associated with the device, if the user opted into tracking on at least one account, the company said. The data was stored for a “short time” on the ad partners’ systems before deletion, the company said.
Huawei asked the FCC to “take notice of recent remarks by Chinese officials underscoring that Chinese laws do not require private companies to engage in cyberespionage, and that the Chinese government does not control private companies headquartered within its borders.” The smartphone OEM “has never ‘spied’ on behalf of the Chinese government -- or any other,” it wrote the agency, adding that CEO Ren Zhengfei says it wouldn’t do so if the government asked, and that China has never made such a request. Friday’s posting in docket 18-89 included a report by Hanhua Zhou, research scientist at the Institute of Law, Chinese Academy of Social Sciences. Thursday, FCC members voted to deny China Mobile permission to sell services in the U.S., and may revoke previous permission given China Unicom and China Telecom (see 1905090039). The commission didn’t comment Friday on Huawei.
The FCC isn’t falling short on 5G security (see 1905060057), emailed Mark Jamison, University of Florida professor and a member of the Trump FCC transition landing team. “The FCC should -- and does -- have 5G security as a high priority,” Jamison said. “But that does not mean that it should grab every opportunity to devote more resources to the issue. Security is a central mission of many other federal agencies. The FCC should always be supportive and informed of what these agencies do, but not at the cost of failing in its unique responsibilities, such as paving the way for 5G deployment.”
President Donald Trump signed an executive order on strengthening the federal government’s cybersecurity workforce. Thursday’s EO includes a rotational program for federal employees to “expand” cybersecurity expertise via temporary assignments at other agencies. Department of Homeland Security Cybersecurity and Infrastructure Security Agency staffers can trade positions with employees in similar roles elsewhere. The President’s Cup Cybersecurity Competition will be an annual cybersecurity competition for federal civilian and military employees.