Internet-connected devices should ship with reasonably current software and/or on first boot push automatic updates to address any known critical vulnerabilities, says a new version of an industry recommended list of best practices for lifecycle security of the Internet of Things.
The recommendation is part of the Online Trust Alliance’s updated version of its IoT Trust Framework, which was released Thursday at the annual Consumer Electronics Show in Las Vegas.
With no agreed-on standards for securing Internet-connected devices, developers and manufacturers are turning to a number of sources for help, including industry associations. The alliance is supported by over 100 organizations around the world, including Symantec, Verisign, Infoblox, Malwarebytes, Microsoft, Twitter and GoDaddy.
“While most IoT devices are safe and secure, many still lack security safeguards and privacy controls, placing users and the Internet at large at risk,” alliance executive director Craig Spiezle said in a statement. The OTA recognizes that while there is no perfect security, companies that apply the framework principles should be shielded from regulatory oversight and class action suits, and potentially realize lower insurance premiums, the statement adds.
IoT security has become increasingly top of mind as threat actors discover ways of manipulating unsecured devices to form massive distributed denial-of-service bots. It’s such a concern that the U.S. Federal Trade Commission has launched a contest offering as much as US$250,000 to the developer of a tool that addresses security vulnerabilities caused by out-of-date software in IoT devices. In addition, the FTC this week filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corp. and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.
Also this week network equipment maker Netgear announced a bug bounty program with up to US$15,000 in rewards for finding security flaws in its routers and switches.
The framework includes 37 principles divided into four categories (security; user access and credentials; privacy, disclosures and transparency; and notifications and related best practices).
Among the additions:
–a new principle calling on product developers to help prevent or make evident any physical tampering of devices after installation. Among other things, the document notes, that would help identify devices that have been tampered with if returned to a retailer;
–a section on connectivity to IoT support Web sites now says that devices should include mechanisms to reliably authenticate their backend services and supporting applications;
–a new principle that calls on product creators to develop and maintain a “bill of materials” including software, firmware, hardware and third party software libraries (including open source modules and plug ins). This would apply to the device, mobile and cloud services to help quickly remediate disclosed vendor or open source vulnerabilities;
–a new principle that calls on product creators to design devices to the minimum requirements necessary for operation. For example, USB ports or memory card slots should only be included if they are required for the operation and maintenance of the device. Unused ports and services should be disabled;
–in addition to insisting that authentication credentials such as user passwords shall be salted, hashed and/or encrypted, the principle now makes it clear this applies to all credentials stored to help prevent unauthorized access and brute force attacks;
–a new principle that creators agreeing to the framework should develop “communications processes to maximize user awareness of any potential security or privacy issues, end-of-life notifications and possible product recalls, including in-app notifications. Communications should be written maximizing comprehension for the general user’s reading level.”
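The credential-storage principle above (salt and hash every stored credential, not only user passwords) is easy to state and easy to get subtly wrong. The following is an added example, not code from the OTA framework or any vendor: a small credential store that protects a user password and a device-to-cloud API token the same way, with a random per-record salt, a memory-hard KDF (scrypt) to slow brute-force attempts, and constant-time verification. All names and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the OTA framework). KDF cost parameters are
# assumptions chosen for illustration: n (CPU/memory cost), r (block size),
# p (parallelism). 128 * n * r bytes of memory per hash, here 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_credential(secret: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: random salt, KDF parameters and derived hash.
    Works for any credential type (user password, device API token, key)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    derived = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"kdf": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": derived.hex()}


def verify_credential(secret: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so timing does not leak how many leading bytes matched."""
    derived = hashlib.scrypt(secret.encode("utf-8"),
                             salt=bytes.fromhex(record["salt"]),
                             n=record["n"], r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


# Constructed sample store: the user password and the device token receive
# identical treatment, so a leaked database exposes neither in the clear.
STORE = {
    "user:alice": hash_credential("correct horse battery staple"),
    "device:cam-0001/api-token": hash_credential("constructed-device-token-1"),
}


def check_store_properties() -> bool:
    """Equal secrets must still yield different records (unique salts), and
    no stored value may equal the raw secret."""
    a = hash_credential("same-secret")
    b = hash_credential("same-secret")
    return (a["salt"] != b["salt"] and a["hash"] != b["hash"]
            and "same-secret" not in (a["hash"], b["hash"]))


if __name__ == "__main__":
    print(verify_credential("correct horse battery staple", STORE["user:alice"]))
```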
The framework is based in part on recommendations from U.S. government agencies including the Department of Commerce, Department of Homeland Security (DHS), Federal Communications Commission (FCC) and Federal Trade Commission (FTC), as well as from the Broadband Internet Technical Advisory Group (BITAG), Center for Democracy & Technology (CDT), Consumer Federation of America (CFA), Consumer Technology Association (CTA), I Am The Cavalry, the International Telecommunications Union (ITU), the Internet Society and National Association of Realtors.