22nd Nov BITAG report on IoT security and privacy

On Tuesday 22nd November the Broadband Internet Technical Advisory Group (BITAG) announced its latest report, which tackles the growing security and privacy problems of the Internet of Things (IoT).

The release is timely, following recent negative headlines about IoT security flaws such as the DDoS attacks on Dyn, launched from compromised IoT devices, which blocked access to some of the biggest websites on the Internet.

The report aims to set guidelines that help dramatically improve the security and privacy of the IoT, which in turn will start to reduce the costs of the collateral damage from such large-scale attacks. If these problems are not addressed they will continue to erode consumer trust in the IoT. Below are some of the key observations and recommendations from the report for the IoT industry to consider:

Observations: (current state of the IoT market)

  • Device security vulnerabilities throughout the product lifetime. Devices ship with poor security and are not updated during their lifetime.
  • Insecure communications. Many devices use unencrypted communication, which makes them an easy target for attackers.
  • Data leaks from the device or the cloud back end.
  • Susceptibility to malware.
  • Potential for service disruption.
  • Device security and privacy problems will persist, as many manufacturers do not perform regular updates or patching.
  • Potential device replacement rather than upgrade. Disposable products may be cheaper to replace than to patch.

Recommendations: (how the IoT can start to rebuild consumer trust)

  • Follow current software development best practices, such as a sound security baseline and the ability to patch/update.
  • Follow current security best practices, including up-to-date transport-layer security (e.g. TLS) and encryption.
  • Devices should be restrictive rather than permissive when communicating. Inbound connections should not be allowed by default.
  • IoT devices should continue to function even if Internet connectivity is disrupted.
  • IoT devices should continue to function even if the cloud back end is disrupted.
  • Follow naming and addressing best practices, such as IPv6.
  • IoT devices should ship with a privacy policy.
  • Disclose any rights the manufacturer retains to restrict device functionality remotely.
  • Industry should consider an industry cybersecurity program under which a “Secure IoT Device” logo or notation could be carried on IoT retail packaging.
  • The IoT supply chain should play its part in addressing IoT security and privacy issues.


What are the implications from a test perspective? BITAG makes two key recommendations:

  • ‘IoT Device Configurations Should Be Tested and Hardened: some IoT devices allow a user to customize the behaviour of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration.’
  • ‘BITAG recommends that the IoT device industry or a related consumer electronics group consider the creation of an industry backed program under which some kind of “Secure IoT Device” logo or notation could be carried on IoT retail packaging.’
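The first of these recommendations, testing every supported configuration rather than only the default, is something a test lab can automate. The example below is added here and is not code from the BITAG report or from T&VS; it models a hypothetical device (the option names, ports and which service each option starts are constructed stand-ins for a home router or camera) and sweeps its whole configuration space, checking each configuration against three of the report's recommendations: no unhardened inbound listener on the WAN side (inbound should be off by default), no plaintext transport, and no unauthenticated administrative access (a factory default password is treated as no authentication). In a real harness the `exposed_services` model would be replaced by driving the device's configuration API and observing the open ports with a scanner.

```python
"""Sweep an IoT device's configuration space and report hardening violations.

Added example (not the report's or T&VS's own code). The device model below is
constructed: which services exist and which settings enable them are assumptions.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    iface: str          # "lan" or "wan": which side of the device the listener faces
    port: int
    name: str
    encrypted: bool     # transport is TLS (or equivalent)
    authenticated: bool # requires a credential that is not the factory default


# Constructed option space for the hypothetical device. The first value of each
# tuple is the factory default, so DEFAULTS is the as-shipped configuration.
OPTIONS = {
    "remote_admin": (False, True),
    "telnet": (False, True),
    "upnp": (False, True),
    "tls_only": (True, False),
    "default_password": (False, True),
}
DEFAULTS = {key: values[0] for key, values in OPTIONS.items()}


def exposed_services(cfg):
    """Model of which listeners the firmware starts for a given configuration."""
    auth = not cfg["default_password"]  # a factory credential is not real authentication
    services = [Service("lan", 443, "https-ui", True, auth)]  # local UI is always on
    if cfg["remote_admin"]:
        if cfg["tls_only"]:
            services.append(Service("wan", 443, "https-ui", True, auth))
        else:
            services.append(Service("wan", 80, "http-ui", False, auth))
    if cfg["telnet"]:
        services.append(Service("lan", 23, "telnet", False, auth))
    if cfg["upnp"]:
        # IGD port mapping lets any LAN host open a WAN hole with no credentials
        services.append(Service("wan", 1900, "upnp-igd", False, False))
    return services


def violations(cfg):
    """Return the list of hardening rules a configuration breaks (empty = passes)."""
    found = []
    for s in exposed_services(cfg):
        if s.iface == "wan" and not (s.encrypted and s.authenticated):
            found.append(f"unhardened inbound listener on wan: {s.name}/{s.port}")
        if not s.encrypted:
            found.append(f"plaintext transport: {s.name}/{s.port} on {s.iface}")
        if not s.authenticated:
            found.append(f"unauthenticated access: {s.name}/{s.port} on {s.iface}")
    return found


def all_configs():
    """Every combination of option values, default configuration first."""
    keys = list(OPTIONS)
    for values in itertools.product(*(OPTIONS[k] for k in keys)):
        yield dict(zip(keys, values))


def sweep():
    """Split the whole configuration space into (passing, failing) lists."""
    passing, failing = [], []
    for cfg in all_configs():
        (failing if violations(cfg) else passing).append(cfg)
    return passing, failing


def one_toggle_failures():
    """Settings that break hardening when changed from the default on their own.

    These are the findings a default-only test would never see.
    """
    bad = []
    for key, values in OPTIONS.items():
        cfg = {**DEFAULTS, key: values[1]}
        if violations(cfg):
            bad.append(key)
    return bad


if __name__ == "__main__":
    passing, failing = sweep()
    print(f"default configuration violations: {violations(DEFAULTS)}")
    print(f"{len(passing)} of {len(passing) + len(failing)} configurations pass")
    print(f"single settings that break hardening: {one_toggle_failures()}")
    for cfg in failing[:3]:
        print(cfg, "->", violations(cfg))
```

For this model the as-shipped configuration passes (no WAN listener at all), but only 3 of the 32 reachable configurations do; three single user-facing toggles (telnet, UPnP, keeping the default password) are each enough to fail, which is exactly the class of finding that testing only the default configuration misses.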

There is a clear recommendation for more formal, structured, independent testing regimes for IoT devices and services, which would let a manufacturer demonstrate compliance with the latest standards and IoT/Internet guidelines, and for trusted industry organisations to lend their ‘quality badges’ to IoT-enabled devices. For example, consumers place a lot of trust in the Kitemark established by the BSI (British Standards Institution). A consumer seeing a Kitemark on a product is reassured that it has been through a rigorous QA and security evaluation. It also means that manufacturers who decide to connect devices to the Internet do not each have to invest in complex testing procedures, equipment and staff.

The Test and Verification Solutions (T&VS) IoT lab and certification process helps companies ensure their products conform to the latest industry standards and to QA and security testing best practices.

1st December, 2016 | Blog, Thought Leadership