In-brief: A study by the Online Trust Alliance (OTA), a non-profit focused on online trust, put a figure on how many consumer security vulnerabilities could have been easily avoided. That figure: 100 percent. That’s right…every single one.
We’ve been reporting about the low-hanging fruit of vulnerabilities in consumer-focused connected devices for a long time. Years, in fact. Whether the device is a home surveillance camera or a “smart TV” or Bluetooth [fill in the blank], trivial and (often) exploitable security holes are often part of the package.
Now a study by the Online Trust Alliance (OTA), a non-profit focused on online trust, put a figure on how many consumer security vulnerabilities could have been easily avoided. That figure: 100 percent. That’s right…every single one.
OTA did a survey of vulnerabilities in consumer facing IoT devices between November 2015 and July 2016 and found that all of them could have been avoided had device manufacturers and developers implemented the security and privacy principles outlined in the the group’s IoT Trust Framework, a list of 31 measurable principles designed to improve the security and privacy of connected devices and data.
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”
Insecure handling of administrative credentials was a major issue for connected consumer devices studied by the OTA researchers, with administrative controls for devices often “open and discoverable.” Consumer devices often failed to articulae their data collection and sharing policies and practices accurately. And there was little evidence that rigorous security and penetration testing throughout the development process and prior to shipping took place, OTA said.
Common code injection attacks were often successful against these devices and basic security blocking and tackling like the use of transport layer security to protect communications to and from the device was lacking. That meant that personal and sensitive information including but not limited to user ID and passwords was often possible.
Finally, device makers often failed to provide a way for security researchers to report vulnerabilities, while many lacked a “sustainable and supportable plan to address vulnerabilities through the product lifecycle” including the ability to update firmware running on endpoints.
Security flaws and lax data privacy practices have been frequently observed. Most recently, for example, research by the firm ABI revealed that the Nest Cam by Alphabet does not power down when users turn it “off” using an associated mobile application. In a separate study, by researchers at German and French universities found that three-quarters of embedded systems that sport web interfaces contain serious security vulnerabilities.
OTA isn’t the only group studying the security of consumer devices. Earlier this year, federal data protection authorities from 29 countries including the U.S. and Canada conducted an annual “privacy sweep” that is looking at connected devices including personal health products.
In December, the OTA warned holiday shoppers to be wary of technology that sports a ‘always on’ Internet connection or that seek to collect data from consumers. The group has also warned home buyers to be mindful of smart home features they may inherit (or leave behind) with a property, and which can provide previous owners or new owners with physical access to properties or allow them to view sensitive images and data.