Coalition Releases Connected Device Requirements
Global support for OTA's security and privacy framework, which integrates efforts of DHS, FCC, FTC, the Department of Commerce, trade organizations and others
Las Vegas, Nev. (CES) – Today the Online Trust Alliance (OTA) released its updated IoT Trust Framework® at the 2017 Consumer Electronics Show (CES). Serving as a product development and risk assessment guide for developers, purchasers and retailers of Internet of Things (IoT) devices, the Framework is the foundation for future IoT certification programs. OTA’s goal is to highlight devices and companies that demonstrate a commitment to device lifecycle security and embrace responsible privacy practices. Such notifications and disclosures will help consumers make informed IoT device purchasing decisions.
Echoing written testimony he recently provided to the U.S. House of Representatives Energy and Commerce Committee, OTA Executive Director and President Craig Spiezle said: “Recent IoT attacks like those which compromised hundreds of thousands of connected devices to take websites like Amazon, Twitter and Netflix offline were just a ‘shot across the bow.’ The next incident could create significant safety issues. While most IoT devices are safe and secure, many still lack security safeguards and privacy controls, placing users and the Internet at large at risk.”
OTA recognizes that while there is no perfect security, companies that apply the Framework principles should be shielded from regulatory oversight and class action suits, and potentially realize lower insurance premiums. The updated Framework reflects input from hundreds of leading security and privacy industry leaders including ADT, Microsoft, SiteLock, Symantec, TRUSTe, Verisign and others. This newest Framework builds on the first version released in March 2016, and incorporates a broad range of public and private efforts to secure IoT devices.
“I have long supported multi-stakeholder processes to address the significant cybersecurity challenges facing our nation,” said Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus. “Recent attacks leveraging IoT devices have only highlighted the need for the work of organizations like OTA. It is essential that companies manage the cybersecurity risk of their IoT devices, applications, and services, and the IoT Framework provides clear principles that developers can use to mitigate risk and protect their customers.”
OTA researchers integrated IoT security and privacy recommendations from U.S. government agencies including the Department of Commerce, Department of Homeland Security (DHS), Federal Communications Commission (FCC) and Federal Trade Commission (FTC). In addition, OTA incorporated several key recommendations advocated by organizations including the Broadband Internet Technical Advisory Group (BITAG), Center for Democracy & Technology (CDT), Consumer Federation of America (CFA), Consumer Technology Association (CTA), I Am The Cavalry, International Telecommunication Union (ITU), Internet Society and National Association of Realtors® (NAR).
The IoT Trust Framework includes 37 principles, segmented into four key categories:
- Security (1-9) - Applicable to any device and its applications and backend cloud services. These include embracing a rigorous software development security process, adhering to security principles for data stored on and transmitted by the device, supply chain management, penetration testing and vulnerability reporting programs. Further principles outline the requirement for lifecycle security patching.
- User Access & Credentials (10-14) - Requiring encryption of all passwords and usernames, shipping devices with unique passwords, implementing generally accepted password reset processes and integrating mechanisms to help prevent brute-force login attempts.
- Privacy, Disclosures & Transparency (15-30) - Requirements consistent with generally accepted privacy principles, including prominent disclosures on packaging, at point of sale and/or posted online. Devices must provide the capability to reset to factory settings and comply with applicable regulatory requirements, including but not limited to the EU General Data Protection Regulation (GDPR) and the Children's Online Privacy Protection Act (COPPA). Disclosures are required about the impact to product features or functionality if connectivity is disabled.
- Notifications & Related Best Practices (31-37) - Key to maintaining device security is having mechanisms and processes to promptly notify a user of threats and the action(s) required. Principles include requiring email authentication for security notifications and that messages be written clearly for users of all ages and reading levels. In addition, tamper-proof packaging and accessibility requirements are highlighted.
“OTA’s IoT Trust Framework provides actionable and prescriptive advice to help every IoT developer secure their apps and embrace responsible privacy practices. In order to continue to drive innovation and keep regulation at bay, these principles are an essential roadmap,” said Jonathan Zuck, President of ACT – The App Association.
“The OTA IoT Trust Framework is really quite remarkable, covering technical and procedural aspects of trust throughout the entire IoT lifecycle; if tech companies, hardware manufacturers, and software producers were to abide by these principles, the IoT wouldn't be the wild, wild west it is now,” said Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology.
“Sometimes in the rush to get new technology to market, not enough thought is placed on privacy and security,” said Susan Grant, Director of Consumer Protection and Privacy at Consumer Federation of America. “With the OTA IoT Trust Framework as a guide, companies can develop products and services that not only deliver great value but that consumers can be confident in using.”
"The OTA IoT Trust Framework provides a broad array of best practices that taken together will significantly increase the security and privacy of IoT devices," said Philip Reitinger, the President and CEO of the Global Cyber Alliance. "These devices are of significantly increasing importance to our daily lives and the functioning of the Internet, and our individual and collective security and privacy will depend on our ability to secure them. As an excellent and continually improving set of security and privacy principles, OTA’s recommendations should be implemented by IoT vendors and developers."
“The IoT Trust Framework is a good example of the security culture that is needed in the connected devices space,” said Olaf Kolkman, Chief Internet Technology Officer for the Internet Society. “If companies are in the business of selling smart devices, they need to implement the requirements outlined in this framework before calling them ‘smart.’”
“The time has come to establish a clear understanding of what can be expected from IoT suppliers and users. The OTA IoT Trust Framework is excellent input in the global dialogue on Internet of Things good practice and deserves the full attention of all those that care about a sustainable way forward in developing and deploying Internet of Things products, services and ecosystems,” said Maarten Botterman, Chairman of the IGF Dynamic Coalition on the Internet of Things.
“The Online Trust Alliance’s IoT Trust Framework includes valuable practices that companies should embrace to make sure consumer smart home technology is secure, private and sustainable for the future,” said National Association of REALTORS® President William E. Brown, a Realtor® from Alamo, Calif. “The collaboration between NAR’s Center for REALTOR® Technology and OTA has allowed us to understand and address best practices and technologies necessary to protect anyone using smart and connected device technology in their home.”
“The Internet of Things is at the forefront of driving the digital economy. However, recent cyberattacks make it clear that there's more to be done to cement trust into IoT devices. OTA's IoT Trust Framework is precisely the type of industry-led, consensus-based approach that can help industry thrive and innovate, without being weighed down by potentially onerous and preemptive regulations,” said Ryan Hagemann, Technology and Civil Liberties Policy Analyst, Niskanen Center.
"Symantec has helped protect over a billion Internet of Things (IoT) devices so far, but unfortunately, the vast majority of new IoT devices lack proper security fundamentals when they come to market,” said Brian Witten, co-chair of the IoT working group and senior director of Symantec Research Labs. “The OTA IoT Trust Framework provides device manufacturers with the appropriate guidelines to build in security and ensure that consumers are protected from day one. We are happy to see the Online Trust Alliance’s commitment to aligning the industry on IoT security requirements."
Interactive Marketing, Technology & Privacy Leaders
"OTA’s IoT Trust Framework is impressive and much needed to achieve our vision of trust, and we support the OTA's work in bringing the myriad of stakeholders together to help solve these security and privacy issues," said Ben Williams, head of operations and communications with Adblock Plus. "At the end of the day, companies need to take responsibility for engineering into their IoT products and protocols some appropriate protections from exploits and vulnerabilities."
“As new trends in technology emerge, it's critical they incorporate the latest security best practices. The worst-case scenario would be to see millions, or even billions, of insecure devices come online and potentially add to the massive botnets that already exist,” said Mike Jones, Director of Product Management, Agari. “We believe the OTA’s IoT Trust Framework provides the right direction for the wave of new online devices that has already started.”
“The IoT is expanding rapidly and is expected to grow further over the coming years. Unfortunately, security is typically an afterthought, simply because it is deemed too difficult to do and to facilitate effectively at the scale required for IoT devices,” said Device Authority CEO Darron Antill. “The OTA’s IoT Trust Framework addresses critical challenges and provides important guidelines for device manufacturers to implement – essentially a best practice guide for IoT security, privacy and safety.”
“With the rapid growth of connected devices, it’s critical that developers incorporate key security protections such as identity, authentication and encryption into their product designs,” said DigiCert CTO Dan Timpson. “The OTA Trust Framework outlines essential security practices that manufacturers need to follow to advance market confidence and protect their IoT investments.”
"IoT and connected devices become more and more common in our everyday life. Healthcare, law enforcement, space and telecommunication companies rely on smart devices in many aspects of their everyday work. This is why it's extremely important to adopt a clear and comprehensive framework addressing IoT security and privacy. We applaud OTA in creating the IoT Trust Framework in this emerging sector of the global economy,” said Ilia Kolochenko, CEO, High-Tech Bridge.
“The IoT Framework represents outstanding collaboration of some of the world’s most respected cybersecurity and privacy advocates. This comprehensive collection of best practices serves as an excellent and much needed guide for data security and privacy for all types of organizations, regardless of size or mission,” said Rich LaMagna, President of LaMagna and Associates. “As a baseline for certification programs it is an excellent assessment tool for developers, retailers and consumers.”
“Our identities can be exploited due to vulnerabilities in IoT connected devices,” said Neil Daswani, Chief Information Security Officer at LifeLock, Inc. “We applaud efforts, such as the 2017 IoT Trust Framework, to boost security standards across the industry and protect entry points associated with identities in a way that is accessible by business and consumers alike.”
“IoT devices have tremendous promise, but also carry great risks. As 20 billion new IoT devices come online over the next five years, adherence to security and privacy principles is essential for users and the resiliency of the Internet. It is clear the status quo is not acceptable. But even with the recent events involving Mirai and its derivatives, we likely won’t see a serious effort in securing these emerging technologies. The IoT Trust Framework from the OTA is a crucial step in the right direction. It includes baseline requirements for every new IoT product coming to market and should be used by businesses, consumers and retailers alike to assess risk prior to selling or buying any connected device,” said Jean-Philippe Taggart, Senior Researcher, Malwarebytes.
“The OTA IoT Trust Framework is a benchmark set of security standards for the Internet-connected home and wearables device market. Developed as the first comprehensive set of criteria, it puts a minimum set of controls on manufacturers and device service providers to help protect consumers not only from privacy and device risks, but from exposing other Internet-connected computers in the home and workplace to intruders,” said Scott Perry, Principal, Scott S. Perry CPA, PLLC.
“As a leading consumer online brand, Publishers Clearing House has learned security and privacy practices are the foundation of trust and long-term consumer relationships. With the rise of IoT solutions in the home, office and classroom, the risks to consumers and the internet at large are being amplified exponentially,” said Sal Trip, AVP. “The IoT Trust Framework serves as a self-regulatory framework providing balanced criteria for every IoT company to adhere to.”
“Every individual and organization has much greater security exposure than most realize,” said Dr. Aleksandr Yampolskiy, CEO of SecurityScorecard, the leader in security ratings. “Our vulnerability research shows the proliferation of IoT devices in an interconnected society has created an alarming risk for every organization. The OTA framework is key for IoT manufacturers to standardize on and for enterprises to measure and help protect their customers’ data and privacy.”
“It’s always best to build in comprehensive security practices from the very beginning. Unfortunately, this is not always the case, which ultimately leads to a reactive versus proactive approach impacting both customer and company. We hope that the OTA’s IoT Trust Framework becomes widely utilized from concept to launch in the development cycle to help prevent security and privacy compromise,” said Neill Feather, President of SiteLock.
“Responsible privacy practices are a global requirement for all IoT solutions, when they are sold and through their entire life. The OTA IoT Framework provides clear guidelines for all device manufacturers to implement, from providing disclosures prior to purchase through the ability for users to delete or transfer data when devices are sold or use is terminated,” said Chris Babel, CEO of TRUSTe.
“As a data provider to security researchers and more, we see the effects of compromised security and credentials daily,” said Tom Bartel, CEO of ThreatWave. “With the continued innovation and expansion of IoT markets, these providers need resources like the IoT Trust Framework to provide guidance and support. OTA's efforts are a tremendous benefit for the industry and consumers alike, demonstrating the leadership we have come to expect and appreciate from the OTA.”
"With malicious actors exploiting security vulnerabilities on IoT devices in an effort to compromise the resiliency and availability of websites and services, companies must consider the impact their devices can have on the broader Internet ecosystem. OTA’s IoT Trust Framework is a set of essential security principles for vendors to use in development as well as for enterprises to use to assess every connected device on their network from the boardroom to the breakroom," said Danny McPherson, Senior Vice President and Chief Security Officer, Verisign.
“As innovation in the digital age keeps growing, so do the risks associated with every exciting new product or concept. The OTA as an organization has made exceptional strides to limit those risks while still promoting the benefits of an interconnected world, and its recent IoT Trust Framework is a great example of this. It provides detailed best practices for tackling security challenges and privacy concerns while protecting developers, companies and consumers from the potential pitfalls of IoT technology that's still in its infancy,” said Michael Fisher, President, Yes Lifecycle Marketing.
“As more IoT solutions become data and ad driven, it is incumbent on the industry to adopt security standards and responsible privacy practices. The IoT Trust Framework is an excellent roadmap to maximize data protection, privacy and regulatory compliance,” said Roy de Souza, CEO, ZEDO.
OTA is meeting with leading manufacturers and retailers at CES to accelerate the adoption of the Framework and discuss the importance of device security and responsible privacy practices. In addition, Spiezle will be speaking about IoT threats and solutions during a panel at the CES Cybersecurity Forum at the Venetian today at 1 PM PST alongside leaders from DHS, Intel Security and RSA. Also at CES, OTA is a Platinum sponsor of the Consumer Technology Association “Alliance Community Reception” being held on Friday, Jan. 6 at 4 PM in the Venetian, Level 2, Bellini 2005, where OTA will be providing onsite briefings.
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.