The rapid rise in the Internet of Things (IoT) has brought forth a new generation of devices and services representing the most significant era of innovation and growth since the launch of the Internet. IoT solutions are game-changers offering consumers, businesses and governments across the globe countless benefits. While the vast majority of devices are safe and secure by today’s standards, all too many are being sold without security safeguards, adequate privacy controls or lifecycle support. Combined, these devices have become proxies for abuse with a capacity for causing significant disruption including life safety issues.
To address these combined issues, OTA convened a cross industry working group with the vision to develop best practices and create an IoT Trust Framework, a voluntary self-regulatory model. Released this past March, the Framework identifies 31 criteria initially focused on connected home, office and wearable technologies. It serves as a voluntary code of conduct and the foundation for several certification and risk assessment programs in development.
The Framework represents a major step toward shaping the products being developed, but we also need to consider what we can do to address the risks in products being sold today and already in use worldwide. We recommend that the Committee call on stakeholders to consider these initial guidelines. Where technically and economically feasible, these and other efforts are needed so that together we may build a safer, more secure world and enable the IoT industry to reach its full potential.
- Developers and manufacturers
  - Proactively communicate to customers any security and safety advisories and recommendations.
  - Products that can no longer be patched and have known vulnerabilities should have their connectivity disabled, be recalled, and/or have their consumers notified of the risk to their personal safety, privacy and the security of their data.
  - Provide disclosures, including on product packaging, stating the term of product support beyond the product warranty.
  - Update websites to provide disclosures and security advisories in clear, everyday language.
- Retailers / Resellers / eCommerce Sites
  - Voluntarily withdraw from sale products being offered without unique passwords or without a vendor's commitment to patching over their expected life.
  - Apply supplementary labels or shelf-talkers advising buyers of products with exemplary security, data protection and privacy policies.
  - Notify past customers of recalls, security recommendations and potential security issues.
- Consumers and users have a shared responsibility. Users need to:
  - Maintain devices and stay up to date on patches.
  - Update contact information, including email address, for all devices.
  - Regularly review device settings and replace insecure and orphaned devices (see Exhibit A).
- ISPs should consider the ability to place users in a "walled garden" when detecting malicious traffic patterns coming from their homes or offices. In concept this would allow basic services such as 911 access and medical alerts while limiting other access. Such notifications can advise consumers of the harm being incurred and of the need to make changes, replace devices or seek third-party support. It is important to clarify that, as outlined by the FCC's Communications Security, Reliability and Interoperability Council in 2012, such notifications should not directly burden ISPs or carriers with remedying problems unrelated to the services they provide.
- Fund outreach and education, working with trade organizations, ISPs, local grassroots organizations, media, State Agencies and others to raise awareness of the threats and responsibilities. Focus on teachable moments such as the time of purchase, inclusion in billing statements and emails to the installed base of users, and notices to ISP customers.
- Prioritize “whole-of-government” approach to the development, implementation, and adoption of efforts and initiatives, with a global perspective. Coordinated efforts will help to ensure industry can innovate and flourish while enhancing the safety, security, and privacy of consumers, enterprises, and the nation’s critical infrastructure.
The future of IoT cannot be realized without addressing security and privacy risks and policy issues. Securing and protecting the things that matter most—our systems, our data, and our privacy—is a shared responsibility. Security and privacy must become part of every product's feature set. These cannot be bolted on mid-flight; they must be designed in from the outset. Creating a culture of security, privacy and sustainability with transparency will yield long-term benefits to society. OTA looks forward to working with all parties to help accelerate the development of best practices, including core safety and privacy requirements, to realize the potential of IoT.