Internet of things security is uniquely challenging because it’s “three dimensional," says OTA Executive Director and President Craig Spiezle.
One hundred percent of internet of things security failures reported between November 2015 and July 2016 could have been easily avoided had manufacturers and developers taken a more serious approach to security and privacy, according to new research.
That number comes from Online Trust Alliance, a nonprofit that works with companies and policymakers to enhance privacy and security on the internet.
“I wasn’t surprised, but somewhat disappointed that so many of the basics continue to be overlooked,” OTA Executive Director and President Craig Spiezle said in an interview.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
He and his team found that every single security failure could have been identified and addressed before products reached the market if companies had followed the 31 principles and practices outlined in OTA’s "IoT Trust Framework."
That might seem like a lot, but many are basic best practices, such as verifying that patches, firmware and software revisions come from trusted sources—something Nest failed to do that led to malfunctioning thermostats in January 2016—or disabling user accounts after a certain number of invalid login attempts to prevent brute force or other login attacks.
According to a March 2016 issue brief from the Atlantic Council's Scowcroft Center on International Security, consumers’ security concerns are the biggest barrier to IoT adoption. And it's no wonder: In its 2014 IoT study, HP found "an alarmingly high number of vulnerabilities per device."
In January 2015, the Federal Trade Commission included this note in its staff report on privacy and security in the IoT; yet, the vulnerabilities and privacy issues OTA assessed were all found more than six months after the release of that report.
Spiezle says IoT security is uniquely challenging because it’s “three dimensional.” There’s the security of the physical device, the mobile app, and the back-end service—and then there’s the data flow between the three points.
“Even though the security fundamentals are simple, the complexity magnifies the difficulty of managing [a product’s] security,” he said.
The implications, however, are far-reaching.
“Security starts from product development through launch and beyond," Spiezle said. “If businesses do not make a systemic change, we risk seeing the weaponization of these devices and [further] erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”