With major IoT security flaws continuing to be exploited by hackers and malware, the Broadband Internet Technical Advisory Group (BITAG) has made sweeping recommendations for IoT manufacturers.
With several IoT-powered DDOS attacks bringing parts of the internet to a standstill in recent weeks, some of the industry’s biggest names have come together to contribute to a security report with a simple message: IoT start-ups and vendors need to step up and take responsibility for security.
Security and privacy have always been recurring themes in the connected world. The BITAG report suggests that both of those are being undermined by a number of factors, including a dangerous combination of user disinterest, a lack of security expertise and a dearth of automated security updates for IoT devices.
The report rightly points out that many of the IoT’s end users simply don’t have the time, capability or inclination to ensure their devices are protected from malicious attacks. It reads, “end users do not have the technical expertise to evaluate the privacy and security implications of any particular IoT device, or they may lack interest in doing so. Additionally, more often than not, the deployed devices lack automated mechanisms to perform secure updates or enforce security policy.”
The IoT security report was put together with input from the likes of Google and Cisco.
Read more: Newly created IoT botnet infects 3,500 connected devices
BITAG report: IoT security recommendations
The BITAG Technical Working Group ultimately recommends a number of potential solutions to the ongoing security problems faced by the IoT, including:
- IoT devices should ship with reasonably current software
- IoT devices should have a mechanism for automated, secure software updates
- IoT devices should use strong authentication by default
- IoT device configurations should be tested and hardened
- IoT devices should follow security and cryptography best practices.
- IoT devices should be restrictive rather than permissive in communicating
- IoT devices should continue to function if internet connectivity is disrupted
- IoT devices should continue to function if the cloud back-end fails
- IoT devices should support addressing and naming best practices
- IoT devices should ship with a privacy policy that is easy to find and understand
Read more: DDoS attack takes down Twitter, ramifications for IoT in enterprise
BITAG recommendations are easy to implement
Speaking exclusively to Internet of Business, Chris Carlson, vice president of product management at Qualys, highlighted the importance of IoT security by design.
“The BITAG Technical Working Group provides a number of best practice recommendations that are both sensible and fairly simple to implement”, he said.
“However, many IoT manufacturers don’t consider security within their products from the outset, and they don’t have a process lined up for distributing updates when they are needed.”
Carlson pointed out that a recent Verizon report suggested that the vast majority of data breaches were due to known vulnerabilities that had patches available. “This will be the big risk with IoT: updates for known problems will be [and already are] available, but if people don’t deploy them, then the hole still exists.”
“Security by design is a necessary approach for any IT project to stop the theft of data or things being broken. The IT sector has a huge amount of experience around deploying security projects, so making use of this should be a good opportunity to share those best practices – the work by BITAG should help spread this knowledge. Education is a big part of this. More teaching of secure application development principles would help.”