Every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided, according to the Online Trust Alliance (OTA).
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, OTA Executive Director and President. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”
The most significant failures
To come up with its findings, OTA researchers analyzed publicly reported device vulnerabilities from November 2015 through July 2016. The researchers found the most glaring failures were attributed to:
1. Insecure credential management including making administrative controls open and discoverable.
2. Not adequately and accurately disclosing consumer data collection and sharing policies and practices.
3. The omission or lack of rigorous security testing throughout the development process including but not limited to penetration testing and threat modeling.
4. The lack of a discoverable process or capability to responsibly report observed vulnerabilities.
5. Insecure or no network pairing control options (device to device or device to networks).
6. Not testing for common code injection exploits.
7. The lack of transport security and encrypted storage including unencrypted data transmission of personal and sensitive information including but not limited to user ID and passwords.
8. Lacking a sustainable and supportable plan to address vulnerabilities through the product lifecycle including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates.
Full Article. Are all IoT vulnerabilities easily avoidable? - Help Net Security
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, OTA Executive Director and President. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”
The most significant failures
To come up with its findings, OTA researchers analyzed publicly reported device vulnerabilities from November 2015 through July 2016. The researchers found the most glaring failures were attributed to:
1. Insecure credential management including making administrative controls open and discoverable.
2. Not adequately and accurately disclosing consumer data collection and sharing policies and practices.
3. The omission or lack of rigorous security testing throughout the development process including but not limited to penetration testing and threat modeling.
4. The lack of a discoverable process or capability to responsibly report observed vulnerabilities.
5. Insecure or no network pairing control options (device to device or device to networks).
6. Not testing for common code injection exploits.
7. The lack of transport security and encrypted storage including unencrypted data transmission of personal and sensitive information including but not limited to user ID and passwords.
8. Lacking a sustainable and supportable plan to address vulnerabilities through the product lifecycle including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates.
Full Article. Are all IoT vulnerabilities easily avoidable? - Help Net Security
