IoT security is RUBBISH says IoT vendor collective

Online Trust Alliance calls on gadget vendors to stop acting like clowns

A vendor group whose membership includes Microsoft, Symantec, Verisign, ADT and TRUSTe reckons the Internet of Things (IoT) market is being pushed with no regard to either security or consumer privacy.

In what will probably be ignored by the next startup hoping to get absorbed into Google parent Alphabet's Nest business, the Online Trust Alliance (OTA) is seeking comment on a privacy and trust framework for the Internet of Things.

Stunt-hacks and bad implementations have demonstrated that IoT security is currently pretty hopeless. The OTA says that won't change if manufacturers and services keep pumping out gewgaws and gadgets without caring about risks.

Announcing the framework, the OTA warns against letting the Internet of Things market repeat history and ignore the product lifecycle in their security considerations.

“Sustainability—the life-cycle supportability of a device and the protection of the data after the warranty ends—is critical to the security, privacy and personal safety of users and businesses worldwide”, the announcement of the framework states.

In other words, vendors can't simply abandon users either at the end of the warranty, or at some arbitrary end-of-life date. If a security vulnerability emerges (and the vendor still exists), it should be patched.

After the Windows 10 launch's procession of excessive permissions and by-default Wi-Fi password sharing, the cynical might laugh at the OTA's call for transparency in IoT services, but that's just what the group demands. The alliance's president and executive director Craig Spiezle ticks off fitness trackers, smart home kit, smart TVs and the smart grid as being at risk.

So what's in the document itself?

The IoT Draft Trust Framework says security and privacy should be “a priority from the onset of product development and be addressed holistically”.

The framework also includes the following minimum requirements:

  • Don't hide the privacy policy – demanding that someone wait until after buying a product before they see the privacy policy is a no-no, and consumers need to know the impact of opt-in or opt-out decisions on a product or service.
  • Make the privacy policy readable – the OTA notes that this includes the user interface design presenting the policy. Since a home sensor or a fitness tracker lacks the user interface, vendors should keep in mind that the policy will be read on another device.
  • Tell people what you're collecting – or as the framework puts it, “Manufacturers must conspicuously disclose all personally identifiable data types and attributes collected.”
  • IoT vendors' promiscuous attitude to data sharing is frowned on – data should only be shared with third parties who agree to keep it confidential, and only for limited purposes.
  • Tell consumers how long you're keeping their data.

Other recommendations include forcing users to change devices' default passwords; encrypting or hashing personal data both at rest and in transit; following SSL best practice wherever data is sent from the IoT gadget to a server; and making HTTPS the default for all device-to-server communications.
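To make two of those recommendations concrete, here is an added example (written for this article; it is not code from the OTA framework or from any vendor mentioned) sketching a device-side onboarding flow that refuses to operate until the factory default password has been replaced, stores the credential only as a salted hash, and refuses to send telemetry to any endpoint that is not HTTPS with certificate and hostname verification. The class and function names, the factory default value and the endpoint URLs are constructed for illustration.

```python
"""Device-side enforcement of 'change the default password' and 'HTTPS only'.

Added example, not from the OTA framework. Names and values are assumptions.
"""
import hashlib
import hmac
import os
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed placeholder for a factory-set credential that must be replaced.
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the credential is never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_acceptable_new_password(candidate: str) -> bool:
    """Reject short secrets and anything equal to the factory default."""
    if len(candidate) < MIN_PASSWORD_LEN:
        return False
    if candidate.strip().lower() == FACTORY_DEFAULT_PASSWORD.lower():
        return False
    return True


class Device:
    """Minimal model of a gadget that ships with a default password."""

    def __init__(self) -> None:
        self.salt, self.pw_hash = hash_password(FACTORY_DEFAULT_PASSWORD)
        self.default_password_changed = False

    def set_password(self, old: str, new: str) -> bool:
        """Only the current password holder may rotate it, and only to an acceptable value."""
        if not verify_password(old, self.salt, self.pw_hash):
            return False
        if not is_acceptable_new_password(new):
            return False
        self.salt, self.pw_hash = hash_password(new)
        self.default_password_changed = True
        return True

    def can_operate(self) -> bool:
        """Normal operation is gated on the default credential having been replaced."""
        return self.default_password_changed


def validate_upload_endpoint(url: str) -> bool:
    """Accept only https:// URLs with a host; plain http:// is refused outright."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def make_tls_context() -> ssl.SSLContext:
    """TLS client context that verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upload_allowed(device: Device, url: str) -> bool:
    """Telemetry leaves the device only once both gates are satisfied."""
    return device.can_operate() and validate_upload_endpoint(url)


if __name__ == "__main__":
    dev = Device()
    print("operable before password change:", dev.can_operate())
    print("reusing default:", dev.set_password("admin", "admin"))
    print("strong replacement:", dev.set_password("admin", "correct-horse-battery-staple"))
    print("http endpoint allowed:", upload_allowed(dev, "http://telemetry.example/v1"))
    print("https endpoint allowed:", upload_allowed(dev, "https://telemetry.example/v1"))
```

The point of `can_operate()` is that the "change the default password" rule is enforced by the device itself rather than left to a setup wizard the user can skip, and `make_tls_context()` shows that the hostname and certificate checks come for free from the standard library's default context; the mistake to avoid in firmware is disabling them to make a self-signed test server work.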

The Register is also heartened to note that the recommendations include telling customers what data is stored in the cloud, disclosing what functions consumers will lose if the “smart” device is disconnected or its smart features are disabled, and making sure anonymised data can't be re-identified.

There's a bunch more, but this list gives a good feel for how seriously the OTA is taking its role. Whether gadget vendors pay any attention remains to be seen. ®