The Online Trust Alliance (OTA), a non-profit with the mission to improve online trust, announced Friday that every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided. Specifically, OTA found that had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the recently reported susceptibilities would never have occurred.
OTA is revealing its findings at the American Bar Association’s 2016 Business Law Section Annual meeting in Boston. OTA has also been asked to share its IoT Trust Framework and these findings in speaking engagements across the United States and Europe over the next couple of months.
The OTA aims to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity.
OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, mobile, interactive marketing, financial, service provider, government agency and industry organization sectors.
A global, multi-stakeholder effort to address IoT risks comprehensively, the OTA IoT Trust Framework includes a baseline of 31 measurable principles that device manufacturers, developers and policy makers should follow to help maximize the security and privacy of the devices and data collected for smart homes and wearable technologies. OTA began developing the framework in February 2015, and released it formally in March this year.
This release reflected feedback from nearly 100 organizations including ADT, American Greetings, Device Authority, Malwarebytes, Microsoft, the National Association of Realtors, Symantec, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. governmental and law enforcement agencies.
“The Online Trust Alliance’s IoT Trust Framework includes valuable principles that companies should embrace to make sure consumer smart home technology is secure, private and sustainable for the future,” said National Association of REALTORS President Tom Salomone, broker-owner of Real Estate II in Coral Springs, Florida. “Device vulnerabilities need to be understood and addressed in order to protect what is near and dear to anyone using smart and connected device technology in their home.”
OTA researchers found glaring failures attributed to insecure credential management, including making administrative controls open and discoverable; inadequate or inaccurate disclosure of consumer data collection and sharing policies and practices; omission or lack of rigorous security testing throughout the development process, including but not limited to penetration testing and threat modeling; lack of a discoverable process or capability to responsibly report observed vulnerabilities; insecure or absent network pairing control options (device to device or device to networks); and failure to test for common code injection exploits.
The data also revealed a lack of transport security and encrypted storage, including unencrypted transmission of personal and sensitive information, including but not limited to user IDs and passwords. It further showed the lack of a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates.
“Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support. Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike,” said Spiezle.