Tuesday 22nd November saw the ‘Broadband Internet Technical Advisory Group’ (BITAG) announce its latest publication trying to tackle the growing problems with security and privacy with the IoT.
It’s a very timely release of the report after the recent negative headlines regarding IoT security flaws such as the DDOS attacks on Dyn, which blocked access to some of the biggest websites on the Internet.
The reports aim to set guidelines to help dramatically improve the security and privacy of the IoT which in turn will start to minimize the costs associated with the collateral damage from such large-scale attacks. If not addressed this will continue to effect consumer trust in the IoT. Below outlines some of the key observations and recommendations from the report for the IoT industry to consider:
Observations: (current state of the IoT market)
- Device security vulnerabilities and throughout its lifetime. Devices shipped with poor security and not updated during the lifetime of the device.
- Insecure communications. Many devices use insecure unencrypted communication which makes it an easy target for hackers.
- Data leaks from device or cloud.
- Susceptibility to malware
- Potential for service disruption
- Device security and privacy problems will persist, as many manufacturers don’t perform regular updates or patching.
- Potential device replacement rather than upgrade. Disposable products that may be cheaper to replace rather than try to patch.
Recommendations: (how the IoT can start to rebuild consumer trust)
- Utilise the latest current software practices, such as good levels of security and ability to patch/update.
- Follow the latest security best practices, including the latest security transport layer and encryption.
- Devices should be restrictive rather than permissive when communicating. Inbound connections should not be allowed by default.
- IoT devices should continue to function even if internet connectivity is disrupted
- IoT devices should continue to function even if cloud back end is disrupted
- Follow naming and addressing best practices, such as IPv6
- Disclosure rights to restrict functionality remotely
- Industry should consider an Industry Cybersecurity Program, a “Secure IoT Device” logo or notation could be carried on IoT retail packaging.
- IoT supply chain should play their part in addressing IoT security and privacy issues
What are the implications from a test perspective? BITAG makes a couple of key recommendations:
- ‘IoT Device Configurations Should Be Tested and Hardened: some IoT devices allow a user to customize the behaviour of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration.’
- ‘BITAG recommends that the IoT device industry or a related consumer electronics group consider the creation of an industry backed program under which some kind of “Secure IoT Device” logo or notation could be carried on IoT retail packaging.
There is a clear recommendation for more formal structured independent testing regimes for IoT devices and services, which would enable a manufacturer to demonstrate compliance to the latest standards or IoT/internet guidelines. Also for industry trusted organisations to lend their ‘quality badges’ to IoT enabled devices. For example, consumers place a lot of trust in the Kitemark established by the BSI (British Standards Institute). For a product to have such a Kitemark a consumer would be reassured that it has been through a rigorous QA and security process to evaluate the device. It also means that manufacturers who decide to connect devices to the internet does not have to invest in complex testing procedures, equipment and staff.
Test and Verification Solutions (T&VS) IoT lab and certification process helps enable companies to ensure their products conform against the latest industry standards and QA & security testing best practices. For more information see here