The emerging internet of things (IoT) world is rapidly taking shape and with it have come a host of security related concerns and challenges. Multiple organizations and vendors are working hard to help improve the state of IoT security with new initiatives that are being announced this week.
Among the biggest security issues that face consumers of IoT are unpatched devices that are at risk from security vulnerabilities. On Jan. 4, The U.S Federal Trade Commission (FTC) announced a new IoT challenge to help improve security in connected home devices. The goal of the IoT Home Inspector Challenge is to develop some form of technology tool that can help protect consumers against the risks posed by out-of-date software that runs on IoT devices. Those risks also include the challenge of dealing with hard-coded and factory default passwords that are embedded in devices.
The top prize in the contest is $25,000 with up to three honorable mention winners that will be awarded $3,000. Submissions to the contest will be accepted by the FTC starting on March 1, and the deadline for final submissions is May 22 at 12:00 p.m. EDT. The FTC expects to announce the winners of the contest on or about July 27, 2017.
“Every day American consumers are offered innovative new products and services to make their homes smarter,” Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection said in a statement. “Consumers want these devices to be secure, so we’re asking for creativity from the public – the tinkerers, thinkers and entrepreneurs – to help them keep device software up-to-date.”
Online Trust Alliance
The Online Trust Alliance (OTA) updated its IoT Trust Framework on Jan. 5, providing guidance on how to develop secure IoT devices and assess risk.
“The IoT Trust Framework is a good example of the security culture that is needed in the connected devices space,” Olaf Kolkman, Chief Internet Technology Officer for the Internet Society, said in a statement. “If companies are in the business of selling smart devices, they need to implement the requirements outlined in this framework before calling them smart.”
The framework is comprised of four key areas to help provide structure to understanding how to properly implement IoT security.
The first category is security principles, which outline best practices for secure code development and deployment. The second category details requirements for user access and credentials security. The third area in the IoT Trust Framework is about privacy, disclosures and transparency. Among the required disclosures suggested by the OTA is for vendors to include disclosures around the impact to product features or functionality if connectivity is disabled.
The fourth core category in the IoT Trust Framework defines notifications and related best practices for IoT security.
“These principles include requiring email authentication for security notifications,” the OTA Trust Framework states. “In addition messages must be written for maximum user comprehension and tamper-proof packaging and accessibility considerations are recommended.”
The OTA’s attempt at helping to define IoT security is one of many efforts in the market to develop guidelines for secure IoT devices. In October 2016, the Cloud Security Alliance released a detailed 75-page report for the development of secure IoT products.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.