Thursday, December 1, 2016

BITAG Publishes Report: Internet of Things (IoT) Security and Privacy Recommendations

Last week we published our report on Internet of Things (IoT) Security and Privacy Recommendations. I am very pleased with this report as not only is it again a consensus report – representing agreement of the full group of participants in the effort (see the final section of the report for the list of those involved) – but it is quite timely. It seems as if hardly a week can go by without another security incident involving IoT devices.

There are more and more of these IoT devices, and as they proliferate, as the network reaches deeper and deeper into our every day lives (particularly into our homes), the risks involved in lax or inadequate security become ever greater. These risks are what BITAG’s report and recommendations are aimed at helping to address.

The report does a very good job of describing the issue, laying out many of the causes and pointing to possible solutions – through a set of observations and best practice recommendations.

Observations. From the combined experience of our participants, the group observes in the report:
    • Security Vulnerabilities Some IoT devices ship “from the factory” with software that either is outdated or becomes outdated over time. Other IoT devices may ship with more current software, but vulnerabilities may be discovered in the future. 
    • Insecure communications Many of the security functions designed for more general-purpose computing devices are difficult to implement on IoT devices and a number of security flaws have been identified in the field, including unencrypted communications and data leaks from IoT devices. 
    • Data leaks IoT devices may leak private user data, both from the cloud (where data is stored) and between IoT devices themselves. 
    • Susceptibility to malware infection and other abuse Malware and other forms of abuse can disrupt IoT device operations, gain unauthorized access, or launch attacks. 
    • Potential for service disruptionThe potential loss of availability or connectivity not only diminishes the functionality of IoT devices, but also may degrade the security of devices in some cases, such as when an IoT device can no longer function without such connectivity (e.g., a home alarm system deactivating if connectivity is lost). 
    • Potential that device security and privacy problems will persist IoT device security issues are likely to persist because many devices may never receive a software update, either because the manufacturer (or other party in the IoT supply chain, or IoT service provider) may not provide updates or because consumers may not apply the updates that are already available.
    • Device replacement may be an alternative for inexpensive or “disposable” devices – Certain IoT devices may be so inexpensive that updating software may be impractical or not cost-effective. In some cases then, replacing a device entirely may be an alternative to software updates. 
    • *Possible future role for in-home network technology – While not labeled an “observation” as such, the group did spend some time in this report discussing the potential future of in-home network technologies and what some of that might look like. 

Recommendations. The report then goes on to give a number of recommendations, many of which will not surprise those readers who are engineers. There is significantly more detail in the report, so I highly recommend reading the full report itself. At a high level though, the recommendations are:
    • IoT Devices Should:   
      • Use best current software practices 
      • Follow security & cryptography best practices, including:
        • Encrypt configuration(command & control) communications by default
        • Secure Communications to and from IoT controllers
        • Encrypt local storage of sensitive data
        • Authenticate communications, software changes, and requests for data
        • Use unique credentials for each device
        • Use credentials that can be updated 
        • Close unnecessary ports and disable unnecessary services 
        • Use libraries that are actively maintained and supported
      • Be restrictive rather than permissive in communicating 
      • Continue to function if Internet connectivity is disrupted or if cloud-backend fails.
      • Support addressing and naming best practices.  
      • Ship with a privacy policy that is easy to find and understand.
    • Disclose rights to remotely decrease IoT device functionality. 
    • The IoT device industry should consider a cybersecurity program.
    • The IoT supply chain should play their part in addressing security & privacy issues, which includes:  
      • Privacy policies 
      • Reset mechanisms 
      • Bug reporting systems 
      • Secure software supply chains
      • Support IoT Devices for their entire lifespan 
      • Clear contact methods 
      • Report discovery and remediation of vulnerabilities 
      • Clear vulnerability reporting processes

Now I have received many questions as to what the “most important” recommendation might be. Here, I want to emphasize how the report should be taken as a whole. It outlines the extent of the problem and gives a significant number of pointed observations that may not be intuitive to non-technical folks, then gives numerous detailed recommendations. In fact, if nothing else, I highly recommend that readers take both the observations and recommendations together and resist looking for a single one that is “most important.” This report and each of its recommendations represent a comprehensive approach to the serious security and privacy issues facing the IoT device ecosystem, and readers should focus on how each of the observations and recommendations fit together.

It is my hope that this report can help to “move the ball forward,” and work to improve the security and privacy of IoT devices as well as help to limit the costs associated with the collateral damage that might otherwise affect IoT device users, manufacturers and vendors, as well as ISPs and others. In short, IoT holds great promise – and BITAG wants to do its part to help IoT devices realize such.

Please feel free to contact me with any questions or comments on the report.
Thank you much,


Executive Director and Chair of the Technical Working Group
Broadband Internet Technical Advisory Group (BITAG)

No comments:

Post a Comment