By: Matthew N. Foree
With the increase of devices embedded with Internet connectivity and functions, called the Internet of Things (IoT), a corresponding interest in vulnerabilities in the security of such devices has developed. Recently, the Broadband Internet Technology Advisory Group (BITAG) released a report regarding its security and privacy recommendations concerning the IoT (Report). BITAG is a non-profit organization focused on bringing together engineers and technologists to develop consensus on broadband network management practices and other related technical issues that can affect users’ Internet experience. Entitled “Internet of Things (IoT) Security and Privacy Recommendations,” its Report analyzes devices embedded with Internet connectivity and functions (IoT devices) and offers guidelines to improve their security and privacy. A copy of the report is available here.
In its Report, BITAG observed several vulnerabilities of IoT devices, including security vulnerabilities, insecure communications, and data leaks. It noted that some IoT devices ship from the manufacturer with software that is either outdated or becomes outdated over time. As such, vulnerabilities discovered throughout the device’s lifespan may make the device less secure, unless it has the ability to update its software. BITAG also noted that many security functions of IoT devices are difficult to implement and include flaws. For example, some IoT devices provide automatic software updates, but do not use authentication or encryption. Therefore, unencrypted communications can be observed by other devices or an attacker. It also recognized that IoT devices may leak user data that is private, both from the cloud and between IoT devices.
To counteract the vulnerabilities it identified, BITAG offered several recommendations. Among other things, it recommended that IoT devices use best current software practices, including shipping with reasonably current software and having a mechanism for automated, secure software updates, as well as using strong authentication by default. Additionally, BITAG recommended that IoT devices follow best practices for security and cryptography, including encrypting local storage of sensitive data and authenticating communications, software changes, and requests for data. BITAG also recommended that the IoT device industry consider a cybersecurity program.
It remains to be seen whether manufacturers of IoT devices will invest in implementing the kind of recommendations suggested by BITAG. Until then, BITAG’s Report reiterates that this is an unresolved area of concern by highlighting ongoing security and privacy vulnerabilities of IoT devices.
For any questions you may have, please contact Matthew Foree at [email protected].