
A new standard for Internet of Things security

| Sieuwert van Otterloo | Security

A new standard has been proposed to improve security of Internet of Things devices. The standard has been published by industry group OTA (Online Trust Alliance) and is now open for comments.

IoT needs more security

The Internet of Things consists of all kinds of devices (thermostats, doorknobs, lights, appliances) all connected through the Internet. Many of these devices collect privacy-sensitive data about people's habits. Since these devices do not have keyboards and displays attached, configuring them is difficult. Many device manufacturers have therefore left out important security measures, leading to all kinds of data breaches: from hackers knowing when and where you drive to people changing your lights without permission.

To give just one example: many baby monitors can be easily hacked, letting people see your children and also talk to them directly. The new crime series CSI Cyber used this incident as inspiration for its first episode, and one can expect the series to have more IoT-inspired episodes.

Experts recommend making two principles mandatory: Privacy by Design and Security by Design. Until now, however, there was no standard for checking whether manufacturers have applied these principles.

Online Trust Alliance Standard

The Online Trust Alliance has taken the initiative to create a practical standard for all smart devices. The standard is aimed at manufacturers, especially of consumer-oriented devices. It is not clear whether the standard will become mandatory; it seems that manufacturers will have to adopt it voluntarily. The press release states that the standard is supported by the US companies ADT, Microsoft, Symantec, TRUSTe and Verisign.

OTA standard overview

The standard consists of 23 rules, covering four themes:

  • User Information and control
  • Proper use of data
  • Permanent support
  • Security

User Information and control

1. Privacy policy must be available at product purchase, e.g. printed on the box
2. Privacy policy must be clearly readable
3. Manufacturers must inform buyers what information is collected
15. Device must have a light indicating whether it is connected
20. Buyers should be able to change the privacy settings
22. If a user disables smart functions, the basic functions should keep working

Proper use of data

4. Information cannot be shared with outsiders or used for different purposes
5. Manufacturers must disclose for how long data is stored
6. Buyers must be able to delete their data
17. Family/home use devices must have individual profiles and parental control

Permanent support

18. Manufacturers' contact details need to be public, in case of loss, theft, etc.
19. Manufacturers must have a mechanism for transferring ownership
21. Devices should be supported for a long period, ideally for the life of the device

Security

7. Personal data must be protected with encryption
8. No use of default passwords
9. Device must conform to SSL best practices
10. HTTPS is mandatory
11. Security testing (pen-testing) is mandatory
12. Manufacturers must have a way to fix issues through updates
13. Manufacturers must have a data breach response plan
14. There must be a secure password recovery option
16. All software updates must be signed
23. All email communication should also be secure
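Rules 12 and 16 together require that a device only installs updates it can prove came from the manufacturer. The following Go program is an added illustration of that check, not code from the OTA standard or from any manufacturer; the update package layout (version number plus image hash, signed with Ed25519) and the rollback check are assumptions made for the example, and the firmware image bytes are constructed inline. Verification, as done on the device with the manufacturer's public key, rejects both a tampered image and a downgrade to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical signed update format constructed for this
// example (not a format defined by OTA): the manufacturer signs the version
// number concatenated with the SHA-256 digest of the firmware image.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedPayload builds the exact bytes that are signed at build time and
// verified on the device: 4-byte big-endian version || sha256(image).
func signedPayload(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignUpdate is the manufacturer side: the private key stays in the build
// pipeline and never ships on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedPayload(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature invalid")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// VerifyUpdate is the device side, run before anything is flashed: the
// signature is checked against the manufacturer public key baked into the
// device, and an update that does not move the version forward is refused so
// an attacker cannot reinstall an older, already-fixed firmware.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedPayload(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample firmware image; a real one would be the full binary.
	image := []byte("constructed firmware image v2")
	pkg := SignUpdate(priv, 2, image)

	fmt.Println("genuine update, device on v1:", VerifyUpdate(pub, 1, pkg))

	// Tamper with the image after signing: the digest no longer matches.
	tampered := pkg
	tampered.Image = append(append([]byte{}, image...), " plus one extra byte"...)
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	// Replay the same (valid) package on a device already running v2.
	fmt.Println("rollback/replay:", VerifyUpdate(pub, 2, pkg))
}
```

The signature covers the version number as well as the image, so an attacker who captures a genuine old update cannot re-label it as newer without invalidating the signature; the device only needs the public key and its own current version to make the decision.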

Our thoughts

The standard is most useful where it offers concrete rules. It emphasizes the basics of security: small measures that are easy to implement but really helpful for any application. Rules such as no use of default passwords, HTTPS only and mandatory security testing are not new, but they are worth repeating.

A practical problem with the standard is its one-size-fits-all approach. One cannot make the same requirements for 100,000 euro cars as for 2 euro toys. For independent makers of small devices, the standard is probably not feasible. A next version would probably benefit from having multiple levels.

It is interesting to note that source code transparency has been left out of the standard. The standard does not force manufacturers to make the source code of devices available for inspection. Making the source code available is the best way to properly inform consumers about what devices are really doing and whether the security testing was effective. It is also important because many devices already contain open source software, and for these devices manufacturers are already obliged to give access to the source code in some way. It would be good if the standard gave some practical advice on how manufacturers should do this.

One interesting positive aspect of the standard is that it addresses family use devices (see rule 17 above). If smart devices have multiple users, such as thermostats, security cameras and cars with passengers, permission is needed from each user to comply with European privacy laws. It will be interesting to see whether manufacturers are able to address this properly, or whether getting full permission in advance will be the responsibility of the buyer, driver or installer of each device.

Comments welcome

The standard is currently published as a proposal for comments. If you have comments and suggestions, you can obtain the full text and leave comments via the website. More information on participating parties is in the OTA press release. Note that ICT Institute has a training/workshop about privacy and personal data protection.

Image: from Ilya Sukhar’s IoT presentation at Facebook F8.

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.