IoT News Roundup
Online Trust Alliance releases report regarding shared responsibility and the IoT; Coresystems intros software platform to provide real-time customer service for the IoT; STMicroelectronics offers cloud-compatible Wi-Fi module for IoT, M2M applications; Fujitsu, Enmo Technologies collaborate on technology for Fujitsu IoT devices; Opto 22 accepted into IBM Watson IoT partner ecosystem; mPrest, New York Power Authority deploy software to ensure reliability of statewide critical power infrastructure; NXP, Canonical to demo IoT gateways at Embedded World; CEL unveils article for IoT design engineers.
Mar 17, 2017—
Online Trust Alliance Releases Report Regarding Shared Responsibility and the IoT
The Online Trust Alliance (OTA) has released its fourth in a series of vision papers, titled "Securing the Internet of Things; A Collaborative and Shared Responsibility." The report, released in recognition of National Consumer Protection Week, outlines the imperative actions that businesses, consumers and governments must take to ensure the security, privacy and vitality of Internet of Things devices.
"The thousands of new Internet-connected devices are dramatically improving the way we work and live," said Craig Spiezle, OTA's president and executive director, in a prepared statement. "However, many IoT devices appear designed primarily for convenience and functionality without much, if any, attention to long-term security or privacy."
The paper likens connected device security and privacy to global warming. It warns that if there isn't a concerted effort by all stakeholders, there will be a mass weaponization of devices—ranging from unlocking doors and disabling fire alarms to the theft of personal and business property. As highlighted by the recent connected device privacy and security missteps by D-Link, Spiral Toys and Vizio, OTA believes IoT companies are not heading in the right direction.
"Much like global warming or industrial pollution, there will be long-term consequences resulting from inaction with IoT threats," the paper states. "The impact of these threats has jumped to the physical world. The lack of action has created a treasure chest ripe for abuse by white collar criminals, terrorists and state sponsored actors as IoT devices become weaponized. Left unchecked we may realize a "digital environmental disaster."
In the paper, OTA claims that IoT devices are reaching a crossroads in which regulation may be required. However, OTA acknowledges that passing regulation will take too long and will never keep pace with the evolving threat landscape. With the Trump administration's stated goal to eliminate two regulations for every new one introduced, OTA does not expect government to solve this problem any time soon. It details how stakeholders have a collaborative and shared responsibility:
Retailers, Resellers & E-commerce Sites: The retail channel is perhaps the most influential party holding the keys to change. Not unlike retailers pledging not to sell products made by child labor or those from unsustainable forests, they play a pivotal role in setting baseline security and privacy measures for the products they profit from.
Developers, Manufacturers and Auto Makers: Manufacturers need to disclose their security support commitment to users prior to purchase. Not unlike food nutrition labels or new car stickers, they need to clearly articulate their security and privacy policies. Such notices should be included on product packaging and point-of-sale materials to easily inform consumers prior to purchase.
Brokers, Builders, Car Dealers and Realtors: A smart home or connected automobile can be an attractive selling point for every buyer or renter. Often listed as a home or car feature, sellers should be encouraged to disclose all such devices and features, disable their access, and provide new owners the ability to re-set them. At "closing," car rental or sale, they should be required to turn in their physical and digital keys, and remove all personal data.
Internet Service Providers and Wireless Carriers: Botnets taking control of IoT devices has become a reality with the discovery of thousands being commandeered to attack high-profile websites, rendering them inaccessible. In several countries, including Australia and Germany, Internet Service Providers are required to block botnets emanating from residential IP addresses. While many have recognized this as a best practice, U.S.-based ISPs and wireless carriers are not required to take action.
Regulators and Policy Makers: To promote innovation and commerce, regulators should encourage self-regulation while providing a "safe-harbor" to device manufacturers that demonstrate they have adopted reasonable security and responsible privacy practices. Conversely, companies that fail should be put on notice that they may be exposed to oversight, fines and or class-action suits.
OTA's "Securing the Internet of Things; A Collaborative and Shared Responsibility" vision paper is available here. OTA's IoT resources, including the IoT Trust Framework outlining required device security norms and responsible privacy practices, are posted here. The framework was developed through a multi-stakeholder process that provides developers with actionable and prescriptive advice to ship and maintain security and privacy for the life of their products and applications.
ASK THE EXPERTS
Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information