The Broadband Internet Technical Advisory Group (BITAG) has criticised internet of things (IoT) vendors in its IoT Security and Privacy Recommendations report, saying that products are not secure enough.
The non-profit, multi-stakeholder organisation, with members such as Google and Disney, wants IoT vendors and startups to stop selling insecure IoT devices. It argues that vendors need to take more responsibility for the security of less tech-savvy users: “The nature of consumer IoT is unique in that it can involve non-technical or uninterested consumers.”
In the report, BITAG outlines two fundamental issues that IoT has:
- Devices ship with outdated and vulnerable software, and vendors don’t provide appropriate after-sales support.
- Communications are often unencrypted and home users don’t know how to isolate insecure devices from their networks.
It also makes recommendations, which include strong authentication and encryption, the elimination of insecure default accounts, and automated patch management. The encryption recommendations are extensive, with the group calling for protection of configuration communications, device-to-controller sessions, and local IoT device storage.
Devices should shut ports and services that they’re not using, and need to be able to operate without connections.
BITAG also urges the IoT industry to implement what it calls the Industry Cyber security Program.
The program would act as a self-regulating group that ensures the safety of connected devices with the introduction of a “Secure IoT Device” logo on device packaging.
Ultimately, BITAG insists that the security of IoT devices should be approached with more insight, and warns of a rise in attacks against consumers: “Some end-user security and privacy risks could also enable a new form of digital harassment.
“For widely deployed devices, security risks can be compounded across hundreds or thousands of devices to create distributed attacks on critical infrastructure.
“Security and privacy problems with IoT devices could ultimately constrain the future growth of the IoT sector. A small number of high-profile incidents may curtail demand for IoT devices, or otherwise constrain the growth and potential of IoT. Thus, it is critical these issues be addressed to support the long-term health, vibrancy, and growth of the IoT marketplace.”