Security an afterthought in connected home, wearable devices

In a survey of publicly reported vulnerabilities for consumer connected-home and wearable technology products between November 2015 and July 2016, the nonprofit Online Trust Alliance found that all of the potential problems could have been easily avoided.

Based on an extensive review of publicly reported internet of things (IoT) device vulnerabilities, the Online Trust Alliance (OTA) today announced that all of the problems could have been easily avoided.

"In this rush to bring connected devices to market, security and privacy are often being overlooked," Craig Spiezle, executive director and president of the OTA, said in a statement today. "If businesses do not make a systematic change, we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry as a whole due to their security and privacy shortcomings."

If only they had listened ...

The OTA, a nonprofit group comprised of academics and representatives from the public and private sector, is dedicated to developing and advocating best practices and policy concerning security and privacy. Researchers from the OTA recently analyzed publicly reported vulnerabilities for consumer connected home and wearable technology products from November 2015 through July 2016. They found that in each case, if device manufacturers and developers had implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the vulnerabilities would not have occurred.


"Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need for ongoing product support," Spiezle said. "Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike."

Most glaring security flaws

OTA revealed its findings today at the American Bar Association's 2016 Business Law Section Annual meeting in Boston.

OTA said the most glaring failures it found were attributed to the following causes:

  • Insecure credential management, including making administrative controls open and discoverable
  • Not adequately and accurately disclosing consumer data collection and sharing policies and practices
  • The omission or lack of rigorous security testing throughout the development process, including but not limited to penetration testing and threat modeling
  • The lack of a discoverable process or capability to responsibly report observed vulnerabilities
  • Insecure or no network pairing control options (device to device or device to networks)
  • Not testing for common code injection exploits
  • The lack of transport security and encrypted storage including unencrypted data transmission of personal and sensitive information including but not limited to user ID and passwords
  • Lacking a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates

"The Online Trust Alliance's IoT Trust Framework includes valuable principles that companies should embrace to make sure consumer smart home technology is secure, private and sustainable for the future," Tom Salomone, president of the National Association of Realtors (NAR) and broker-owner of Real Estate II in Coral Springs, Fla., said in a statement today. "Device vulnerabilities need to be understood and addressed in order to protect what is near and dear to anyone using smart and connected device technology in their home."


The OTA's IoT Trust Framework is a global, multi-stakeholder effort to address IoT risks comprehensively. The OTA began developing the framework in February 2015 based on the feedback of nearly 100 organizations, including ADT, American Greetings, Device Authority, Malwarebytes, Microsoft, NAR, Symantec, consumer and privacy advocates, international testing organizations, academic institutions and U.S. government and law enforcement agencies. The framework includes a baseline of 31 measurable principles that OTA says device manufacturers, developers and policy makers should follow to maximize the security and privacy of the devices and data collected for smart homes and wearable technologies.

Stories by Thor Olavsrud