All recently reported IoT vulnerabilities avoidable, says OTA
The Online Trust Alliance (OTA) has found that privacy and vulnerability issues could have been avoided if device manufacturers had implemented the correct security and privacy principles.
To come up with its findings, OTA researchers analysed publicly reported device vulnerabilities from November 2015 through July 2016 to determine if an OTA IoT Trust Framework principle could have averted them.
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, executive director and president of the OTA. “If businesses do not make a systemic change, we risk seeing the weaponisation of these devices and an erosion of consumer confidence impacting the IoT industry as a whole due to their security and privacy shortcomings.”
The OTA IoT Trust Framework is the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles. Device manufacturers, developers and policymakers should follow these principles to help maximise the security and privacy of the devices and data collected for smart homes and wearable technologies.
The release of the framework reflected feedback from nearly 100 organisations, including ADT, American Greetings, Device Authority, Infoblox, Malwarebytes, Microsoft, the National Association of Realtors and Symantec. There was also feedback from consumer and privacy advocates, international testing organisations, academic institutions and US governmental and law enforcement agencies.
The ‘IoT Trust Framework Resource Guide’ found that failures were mostly attributed to insecure credential management, not adequately and accurately disclosing consumer data collection and sharing policies and practices, lack of rigorous security testing throughout the development process, the lack of a discoverable process or capability to responsibly report observed vulnerabilities, insecure or no network pairing control options, not testing for common code injection exploits, lack of transport security and encrypted storage, and lack of a sustainable and supportable plan to address vulnerabilities through the product life cycle.
“Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support. Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike,” said Spiezle.