Donate

OTA IoT Trust Framework

The connected future is here - let’s make a connected world that is secure.

The Internet of Things (IoT) offer consumers, businesses, and governments across the globe countless benefits. As is true with most emerging technology, however, there remain some significant challenges. The Online Trust Alliance (OTA), an Internet Society initiative, believes that through leadership, innovation, and collaboration, we can overcome these challenges and create a safer and more trustworthy connected world. This requires a shared responsibility including industry embracing security and privacy by design, and adopting responsible privacy practices.

IoT Trust Framework - Summary

IoT Trust by Design

The Internet Society’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess and embrace for effective security and privacy as part of the Internet of Things.

Though there are other IoT-related frameworks, this IoT Trust Framework is unique in two significant ways:

1. It covers security, privacy and long-term sustainability (lifecycle) issues. Many others focus just on security or interoperability or privacy, and few take into account the lifecycle issues associated with these products and services, such as how to transition data and accounts associated with a smart home or what to do when software upgrades are no longer available for a long-lived device such as a garage door opener.

2. It holistically addresses the entire ecosystem. This includes devices/sensors, mobile apps and backend services. Most frameworks focus on just the devices, but a system is only as strong as its weakest link.

The Framework Overview is available in the following languages:

IoT Trust Framework - Full Version

Full Framework v2.5

Focused on “consumer grade” devices and services for the home and enterprise, including wearable technologies

The IoT Trust Framework® includes a set of strategic principles necessary to help secure IoT devices and their data when shipped and throughout their entire life-cycle. Through a consensus driven multi-stakeholder process, criteria have been identified for connected home, office and wearable technologies including toys, activity trackers and fitness devices.

The Framework is broken down into 4 key areas:

  • Security Principles – Applicable to any device or sensor and all applications and back-end cloud services. These range from the application of a rigorous software development security process to adhering to data security principles for data stored and transmitted by the device, to supply chain management, penetration testing and vulnerability reporting programs. Further principles outline the requirement for life-cycle security patching.
  • User Access & Credentials – Requirement of encryption of all passwords and user names, shipment of devices with unique passwords, implementation of generally accepted password reset processes and integration of mechanisms to help prevent “brute force” login attempts.
  • Privacy, Disclosures & Transparency – Requirements consistent with generally accepted privacy principles, including prominent disclosures on packaging, point of sale and/or posted online, capability for users to have the ability to reset devices to factory settings, and compliance with applicable regulatory requirements including the EU GDPR and children’s privacy regulations. Also addresses disclosures on the impact to product features or functionality if connectivity is disabled.
  • Notifications & Related Best Practices – Key to maintaining device security is having mechanisms and processes to promptly notify a user of threats and action(s) required. Principles include requiring email authentication for security notifications and that messages must be communicated clearly for users of all reading levels. In addition, tamper-proof packaging and accessibility requirements are highlighted.

Find the Framework in the following languages:

English

Chinese

French

Japanese

Spanish