Microsoft, Verisign, Symantec Sign on for IoT Security Framework

ADT, AVG Technologies, Microsoft, Symantec, TRUSTe and other Internet of Things (IoT) specialists have released the IoT Trust Framework as part of the Online Trust Alliance’s IoT Working Group.

The group was formed in January as a global, multi-stakeholder effort to address IoT risks comprehensively. The framework presents guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation and consumer health and fitness wearables.

The task force has concluded that the safety and reliability of any IoT device, app or service depends equally on security and privacy, as well as a third, often overlooked component: sustainability. The life-cycle supportability of a device and the protection of the data after the warranty ends are critical to the security, privacy and personal safety of users and businesses worldwide, the group noted.

“The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life,” said Craig Spiezle, executive director and president of the Online Trust Alliance (OTA).

It raises plenty of valid questions. For example, when someone sells a house with a smart thermostat or garage door, how does the new owner ensure former users can no longer access these devices? How do manufacturers protect against intrusions into smart TVs and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first responders should large numbers of these devices be compromised at once?

“Without addressing sustainability, devices that may have been secure off the shelf will become more susceptible to hacking over time allowing hackers to remotely control these devices,” the framework noted. “This is a persistent concern, first demonstrated with baby monitors, just recently by infiltration of fitness wearables to spy on health vitals, and will likely be again soon, perhaps through general mayhem caused by sabotaging connected appliances.”

Some of the Working Group’s proposed best practices include:

Making privacy policies readily available for review prior to product purchase, download or activation.

Encrypting or hashing all personally identifiable data both at rest and in motion.

Disclosing prior to purchase a device’s data collection policies, as well as the impact on the device’s key features if consumers choose not to share their data.

Disclosing whether the user has the ability to remove or make anonymous all personal data upon discontinuing the device or at device end-of-life.

Publishing a timeframe for support after the device/app is discontinued or replaced by a newer version.

“As the nation’s largest home security provider, ADT supports the sharing of best practices focused on the privacy and security considerations for the connected home,” said Paul Plofchan, chief privacy officer at ADT. “As a member of the working group, we applaud OTA’s effort to open the dialogue with public and private sector participants in an effort to create a sustainable consumer protection framework.”

In parallel with these best practices, OTA is developing specific testing tools and methodologies to formalize the IoT Trust Framework with scoring criteria, leading to a voluntary Code of Conduct and a forthcoming certification program. OTA welcomes collaboration with organizations interested in partnering to help accelerate and broaden adoption of such certification programs worldwide.
