Are there Trojan horses in your home and in your neighbors’ homes and apartments waiting for signals to attack? The inherent vulnerability from untended internet connectivity is an unplanned, unsavory, and unacceptable consequence of the rapid proliferation of smart devices in homes. In an attempt to control or at least minimize security and privacy threats, a major industry group released recommendations for Internet of Things (IoT) manufacturers, especially those that make products sold for use in consumer’s homes.
The Broadband Internet Technical Advisory Group (BITAG) represents a broad cross-section of internet companies. The group’s purpose is to bring transparency and clarity to internet management and to the interactions among networks, applications, devices, and content that can affect users’ internet experience.
The potential threats to your security and privacy are one side of the major concern of IoT smart home devices. The recently demonstrated potential for individual home devices to be recruited into botnets for ill purposes represents the other side of home device threats. On October 21 a recruited botnet Distributed Denial of Service (DDoS) attack on the DYN name server was a wake-up call. As a result of that attack, major internet sites including Twitter, GitHub, and Spotify were unavailable for large parts of the day because they were bombarded by requests from unprotected crib cams, smart thermostats, and garage door openers.
Internet-connected smart home devices are particularly vulnerable to outside snooping and control. The BITAG report states, “Although consumers face general security and privacy threats as a result of any Internet-connected device, the nature of consumer IoT is unique because it can involve nontechnical or uninterested consumers …”
The BITAG report, “Internet of Things (IoT) Security and Privacy Recommendations,” addresses six major areas of concern: security vulnerabilities in some IoT devices that ship with outdated software; insecure communications including a lack of encryption and data leaks; susceptibility to malware; potential for service disruption; persistent security and privacy threats from a lack of software updating; and devices that do not abide by best software and best security practices.
The report has additional recommendations to manufacturers that focus on device and communications robustness and security. Because the recommendations are just that, with no force of law, they are not enforceable. The guidelines are a start, however, and at some time in the future may form the basis of minimum good practices for market acceptance.