The Internet of Things (IoT) has been in the news lately for facilitating numerous DDoS exploits across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that “users’ confidence that their data is secure and private is at an all-time low.” The paper lays out some of the unique challenges posed by securing the IoT and how the network of things can become more sustainable and protect users’ privacy. It is based on an OTA framework of interlocking trust relationships that was released earlier this year.
Securing the IoT is more complex than securing ordinary endpoints. The IoT has a collection of smart devices, such as webcams and Internet-connected printers, which run internal apps (such as web and FTP servers) and cloud services, all of which have their own vulnerabilities. As the OTA report says, “Every facet and data layer is a potential risk and each data flow must be secured.” Second, building in security for IoT is not usually first and foremost in the minds of every app developer. This is what happened with the Chinese webcam vendor that was part of the botnet exploit mentioned at the beginning of this post. These vendors are usually more interested in having an app that could easily manage the numerous cameras around the world. Not to pick on this vendor, but this is the typical scenario. Most IoT devices are designed without security or privacy needs up front.
Finally, many IoT devices aren’t easily updated when it comes to operating systems or firmware or both. Some of these devices have been in use for more than a decade without any updates. Witness how many IoT devices make use of outdated Windows XP embedded OS, or run on XP hosts. As the OTA report states, “Unfortunately, while such solutions may ship secure, no degree of patching can address design limitations against unforeseen threats decades later.” OTA convened a cross industry working group with the vision to create an IoT Trust Framework, a voluntary self-regulatory model. (You need to be an OTA member in order to download the framework.) They worked with over 100 stakeholders and focused on 31 criteria covering the connected home, office and wearable technologies.
The framework looks at device security, using privacy by design principles, including transparency and device controls, adding lifecycle support and having data portability and transferability. The framework also includes such things as readily available and clearly stated privacy policies, disclosure by the device makers about personally identifiable data collected by each device, descriptions of what data is shared by the device and with whom, and the term and duration of data retention policies. There are other matters such as forcing default passwords to be changed on first use and using SSL and HTTPS protocols by default. All of these are worthy practices for non-IoT devices too. The OTA framework is a good start at trying to stem the tide of potential IoT security weaknesses. Hopefully it will catch on and prevent future botnet-like exploits from happening.