You should be able to trust your garage door opener, but in the age of the Internet of Things (IoT), it and other smart-connected devices are entry points for hackers and other ne’er-do-wells.
While security in the automotive sector is top of mind given recent vehicle hacks, and the FDA highly regulates medical devices, consumer connected home and wearable technology products are a segment where security is looser, and that’s why it’s the focus of the non-profit Online Trust Alliance (OTA), which found that 100 per cent of recently reported IoT vulnerabilities were easily avoidable.
Specifically, OTA found that had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the recently reported susceptibilities would have never occurred or been mitigated, said OTA executive director and president Craig Spiezle.
This conclusion was based on OTA researchers analyzed publicly reported device vulnerabilities from November 2015 through July 2016 to determine if an OTA IoT Trust Framework principle could have averted them. Comprised of 31 baseline principles, the framework is a t global, multi-stakeholder effort to address IoT risks comprehensively. Spiezle said the development of the framework has the OTA working with a number of unanticipated groups, including retailers looking to educate customers on connected home products, and realtors selling connected homes full of smart devices, such as garage door openers, appliances and thermostats.
OTA began developing the framework in February 2015, and released it formally in March 2016. This release reflected feedback from nearly 100 organizations including ADT, Microsoft, Device Authority, the National Association of Realtors, Symantec, Infoblox, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. governmental and law enforcement agencies. “The ultimate goal of this framework is to set the foundation for some sort of certification program that people can test against,” said Spiezle.
The OTA is pleased with the amount of support it has received to date, he said, and after this summer’s Black Hat conference, it made sense to reassess the framework in the wake of the many high profile security breaches. The OTA’s researchers analyzed IoT threats reported in the press, consulted with security firms doing primary research and mapped out the observed incidents. Spiezle said the goal was to see if the framework needed to be changed.
And it didn’t. Rather, the 53 vulnerabilities that were looked at were already addressed by 16 of the 31 principles in the framework, he said. OTA researchers found the most glaring failures could be attributed to a number of factors that could have been dealt with, including insecure credential management, not adequately and accurately disclosing consumer data collection and sharing policies and practices, and the omission or lack of rigorous security testing throughout the development process including but not limited to penetration testing and threat modeling.
Spiezle said the security and privacy fundamentals in connected home devices and wearables are following a similar path of mobile apps and the web, but the problems are three dimensional in that data is often going from a device to a mobile app and then to a web service, which amplifies the threat vectors.
In addition, the segmentation of device manufacturers influences their inherent security, said Spiezle. Some are startups rushing to get to market on a deadline, and some of the principles in the framework are not part of their core DNA, he said, while others are established companies. Traditional manufacturers of home devices such as garage door openers and thermostats, meanwhile, are taking advantage of the open source libraries and off-the-shelf firmware. “They’re not doing a complete vulnerability assessment of their supply chain.”
One thing the OTA research found in that regard was that there lacks a sustainable and supportable plan to address vulnerabilities through the product lifecycle including the lack of software and firmware update capabilities as well as insecure and untested security patches and updates. Spiezle said the concern is that a supplier could potentially orphan a device and leave it vulnerable. And if a smart home gets sold, will all of the devices that are a part of it be properly transferred over? “It starts to open some interesting issues and liabilities.”
While the OTA is not suggesting the sky is falling, Spiezle said it’s important that we understand how a criminal might be able to “weaponize” connected home devices – potentially tripping multiple burglar alarms or opening garage doors across an entire neighborhood. “These devices provide access to other devices in a network.”
