OTA Details the Shared Responsibility of Businesses, Consumers and Government to Avoid IoT Weaponization

Bellevue, Wash. – The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, today released its fourth in a series of vision papers entitled “Securing the Internet of Things; A Collaborative and Shared Responsibility.” The report, released in recognition of National Consumer Protection Week, outlines the imperative actions that businesses, consumers and government must take to ensure the security, privacy and vitality of Internet of Things (IoT) devices.

“The thousands of new Internet-connected devices are dramatically improving the way we work and live,” said OTA President and Executive Director, Craig Spiezle. “However, many IoT devices appear designed primarily for convenience and functionality without much if any attention to long-term security or privacy.”

The paper likens connected device security and privacy to global warming. It warns if there isn’t a concerted effort by all stakeholders, there will be a mass weaponization of devices—ranging from unlocking doors, disabling fire alarms, and the theft of personal and business property. As highlighted by the recent connected device privacy and security missteps by D-Link, Spiral Toys and Vizio, OTA believes IoT companies are not heading in the right direction.

“Much like global warming or industrial pollution, there will be long-term consequences resulting from inaction with IoT threats,” the paper states. “The impact of these threats have jumped to the physical world. The lack of action has created a treasure chest ripe for abuse by white collar criminals, terrorists and state sponsored actors as IoT devices become weaponized. Left unchecked we may realize a “digital environmental disaster.”

In the paper, OTA states that IoT devices are reaching a crossroads where regulation may be required. However, OTA acknowledges that passing regulation will take too long and will never keep pace with the evolving threat landscape. With the Trump administration’s stated goal to eliminate two regulations for every new one introduced, OTA does not expect government to solve this problem any time soon.

It details how stakeholders have a collaborative and shared responsibility:

• Retailers, Resellers & E-commerce Sites – The retail channel is perhaps the most influential party holding the keys to change. Not unlike retailers pledging not to sell products made by child labor or those from unsustainable forests, they play a pivotal role in setting baseline security and privacy measures for the products they profit from.
• Developers, Manufacturers & Auto Makers – Manufacturers need to disclose their security support commitment to users prior to purchase. Not unlike food nutrition labels or new car stickers, they need to clearly articulate their security and privacy policies. Such notices should be included on product packaging and point of sale materials to easily inform consumers prior to purchase.
• Brokers, Builders, Car Dealers & Realtors – A smart home or connected auto can be an attractive selling point for every buyer or renter. Often listed as a home or car feature, sellers should be encouraged to disclose all such devices and features, disable their access, and provide new owners the ability to re-set them. At “closing,” car rental or sale they should be required to turn in their physical and digital keys, and remove all personal data.
• Internet Service Providers & Wireless Carriers – Botnets taking control of IoT devices has become a reality recently with the discovery of thousands being commandeered to attack high-profile websites, rendering them inaccessible. Today in several countries including Australia and Germany, Internet Service Providers (ISPs) are required to block botnets emanating from residential IP addresses. While many have recognized this as a best practice, U.S. based ISPs and wireless carriers are not required to take action.  Perhaps this is an opportunity for ISPs to expand their security offierings.
• Regulators & Policy Makers – Regulators need to recognize there is no perfect security or privacy. To promote innovation and commerce they should encourage self-regulation while providing a “safe-harbor” to device manufacturers who demonstrate they have adopted reasonable security and responsible privacy practices. Conversely, companies that fail should be “put on notice” that they may be exposed to oversight, fines and or class-action suits.
• Consumers – Consumers must recognize the need to patch and ultimately replace insecure devices beyond their expected security life. When buying a connected device one should review the company’s support commitment and privacy policy. If this information is not readily available or if their privacy practices are unacceptable, look for another product or retailer.

OTA’s “Securing the Internet of Things; A Collaborative and Shared Responsibility” vision paper is at https://otalliance.org/Vision. OTA’s IoT resources including the IoT Trust Framework outlining required device security norms and responsible privacy practices are posted at https://otalliance.org/IoT. The Framework was developed through a multi-stakeholder process which provides developers actionable and prescriptive advice to ship and maintain security and privacy for the life of their products and applications.