All recently reported IoT vulnerabilities avoidable, says OTA


Wednesday, 14 September, 2016

The Online Trust Alliance (OTA) has found that privacy and vulnerability issues could have been avoided if device manufacturers had implemented the correct security and privacy principles.

To come up with its findings, OTA researchers analysed publicly reported device vulnerabilities from November 2015 through July 2016 to determine if an OTA IoT Trust Framework principle could have averted them.

“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, executive director and president of the OTA. “If businesses do not make a systemic change, we risk seeing the weaponisation of these devices and an erosion of consumer confidence impacting the IoT industry as a whole due to their security and privacy shortcomings.”

The OTA IoT Trust Framework is the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles. Device manufacturers, developers and policymakers should follow these principles to help maximise the security and privacy of the devices and data collected for smart homes and wearable technologies.

The release of the framework reflected feedback from nearly 100 organisations, including ADT, American Greetings, Device Authority, Infoblox, Malwarebytes, Microsoft, the National Association of Realtors and Symantec. There was also feedback from consumer and privacy advocates, international testing organisations, academic institutions and US governmental and law enforcement agencies.

The ‘IoT Trust Framework Resource Guide’ found that failures were mostly attributed to insecure credential management, not adequately and accurately disclosing consumer data collection and sharing policies and practices, lack of rigorous security testing throughout the development process, the lack of a discoverable process or capability to responsibly report observed vulnerabilities, insecure or no network pairing control options, not testing for common code injection exploits, lack of transport security and encrypted storage, and lack of a sustainable and supportable plan to address vulnerabilities through the product life cycle.

“Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support. Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike,” said Spiezle.
