The Online Trust Alliance on Tuesday released a report calling for businesses, consumers and government to share responsibility for ensuring that Internet of Things devices are not weaponized.
Issued in recognition of National Consumer Protection Week, the report outlines actions that businesses, consumers and government can take to ensure the security, privacy and vitality of IoT devices. It calls for a campaign to have retailers and consumers reject IoT products that pose a security threat.
OTA Executive Director Craig Spiezle later this month will meet with White House staff, and FTC and FCC commissioners to kickstart efforts to harden IoT security measures, he told the E-Commerce Times. In addition, he will participate in five or six congressional staff meetings.
The OTA report is the fourth in a series of vision papers. Its premise is that if manufacturers cannot sell products that are inadequately secured, then they will have to change their policies to bolster security.
The IoT represents “a mounting and expanding threat vector to consumers and the Internet at large,” Spiezle said.
Addressing connected device security and privacy is as important as addressing global warming, the report suggests.
If there is not a concerted effort by all stakeholders, there will be a mass weaponization of devices. Weaponizing tactics will range from unlocking doors and disabling fire alarms to stealing personal and business property, it warns.
Thousands of new Internet-connected devices dramatically improve the way we work and live. However, many IoT devices appear designed primarily for convenience and functionality, without much — if any — attention given to long-term security or privacy, Spiezle pointed out.
IoT companies are not heading in the right direction in the OTA’s view. The recent connected device privacy and security missteps of product makers such as D-Link, Spiral Toys and Vizio have showcased their weaknesses.
New Rules Needed
The IoT has reached a crossroads where regulation may be required, but the process of passing legislation would take too long, and it could never keep pace with the evolving threat landscape, according to the OTA.
The Trump administration’s goal to eliminate two regulations for every new one introduced means the government will not seek a solution any time soon, the report suggests.
Members of Congress should pass legislation to block botnets emanating from residential IP addresses, it urges. Such new rules would echo laws in several other countries.
IoT stakeholders have a shared responsibility, the OTA said. Consumers have a similar responsibility to patch insecure devices and ultimately to replace those with security protections that have become obsolete.
IoT Industry Needs to Step Up
The retail channel is perhaps the best avenue for initiating change, the report suggests. Retailers play a pivotal role in setting baseline security and privacy measures for the products they sell.
“All the involved groups are busy pointing fingers at others saying who should do what,” said Spiezle. “The reality is that we all have a shared responsibility.”
Manufacturers need to disclose their security support commitments to users prior to purchase, with security and privacy policies clearly articulated in something akin to food nutrition labels or new car stickers, the report recommends. Such notices should be included on product packaging and point-of-sale materials to inform consumers prior to purchase.
“It’s a time for action,” said Spiezle. “It’s great to say we need to make a change, but whose job is it? It is everyone’s responsibility. It has an aggregate effect. We need to think of the need for action as a collective effect.”
Brokers, builders, car dealers and realtors have a similar vested interest in pushing for IoT security solutions, the report maintains.
Sellers and owners should disclose all IoT devices and features, and render them inactive at the time of purchase, it suggests. They should fully inform new owners how to reactivate them and create secure passwords. That includes such measures as turning in physical and digital keys, and removing all personal data.
“It starts with device manufacturers,” Spiezle said. “The resellers and retailers have a real opportunity to say that we are not going to sell these things if safety is at risk. Maybe they need to take a stronger leadership for the products that they sell.”
The message has importance, but it might be coming from the wrong messenger, said Charles King, principal analyst at Pund-IT.
“The security of IoT devices is certainly something to worry about, but I don’t have a lot of faith in the OTA’s grassroots attempt to address what should be a top-down industry imperative,” he told the E-Commerce Times.
That results in part from the immaturity and fragmentation of the IoT market, King said. The inherent complexity of IoT technology will make it difficult for retail and consumer customers to address security concerns effectively.
Where will consumers and retailers get the information they need to decide whether or not devices are safe? he wondered. Who will make those assessments?
“It would be great if the OTA enlisted the help of a mainstream trusted organization, like Consumer Reports, into the effort,” said King.
“In addition, it would be helpful if the group had a higher profile within the IT industry,” he added. “At this point, Microsoft is the OTA’s best known global sponsor. Getting the enthusiastic support of larger vendors would be a better strategy to effect change.”