The growing number of devices connected to the Internet of Things (IoT) provides an endless number of possibilities for our world. But as more and more devices come out, it's impossible to ignore their security. One non-profit, the Online Trust Alliance (OTA), has taken steps to address the problem of cybersecurity in the IoT by releasing an updated IoT Trust Framework. The framework, originally released in 2015, includes 31 principles of trust and privacy that it recommends IoT manufacturers follow.
BYOD is becoming more and more standardized in the workplace, and with that comes the rise of the IoT. Because of this boom in popularity, many manufacturers are in a hurry to meet demand and don't always consider the total security of the devices they are making. The IoT Trust Framework aims to serve as a guide for IoT manufacturers to cut down on the number of security vulnerabilities associated with IoT devices. According to research by the OTA, 100 percent of recently reported vulnerabilities in IoT devices could have been avoided if this framework of trust had been followed.
Internet of Things security testing
One important guideline the framework offers is more security testing for IoT devices. Testing is a vital part of the development process, and IoT manufacturers must devote more time to penetration testing and code injection testing, so devices have fewer vulnerabilities upon initial release. According to Craig Spiezle, president of OTA, the technology needed for basic testing is readily available and should not be a problem for serious manufacturers to acquire. Testing for vulnerabilities and flaws allows the manufacturer to quickly make updates as needed.
To go along with that, developing a lifecycle plan for each device is critical. The manufacturer must understand that many of these devices are going to need patches and other software to support them and to address security flaws.
Another recommendation is strengthening encryption for data in transit and at rest. It makes sense: it's already required for PCI compliance and strongly recommended for HIPAA, and it's considered a best practice all around. According to research, devices that rely on Bluetooth can expose usernames and passwords during transmission. And at the Def Con conference this year, 47 vulnerabilities were found in 23 IoT devices, many of them due to poor design decisions like the use of plaintext and hard-coded passwords. Keeping this data encrypted when devices connect to something such as a smartphone or tablet can protect users from inadvertently having their information exposed.
Other recommendations the framework makes include locking administrative privileges and creating an easy method of communication for researchers, third parties and users to report vulnerabilities found in a device, which goes a long way.
The IoT will only grow, and it's best for manufacturers to get their security ducks lined up while the concept is still relatively new. If companies that make IoT devices devote more energy to providing a feasible device lifecycle, penetration testing and encryption, it will go a long way toward eliminating security vulnerabilities found in a device.
The full framework is available for download on the Online Trust Alliance website.