Mark Stanislav

The IoT Trust Framework: Finally Setting the Bar for IoT Security & Privacy

Blog Post created by Mark Stanislav Employee on Aug 13, 2015

Since I co-founded back in February, 2014, I've spent a lot of time thinking through, presenting on, and discussing what is currently wrong with IoT security. Most conversations around this typically lead to the same concerning conclusion -- "why isn't anyone building a standard for these devices?"  Well, today, that frustrating question has a friendly answer: somebody has. The Online Trust Alliance (OTA) recently released the first draft of their IoT Trust Framework, focused on bringing some sanity and minimum boundaries to the IoT security and privacy concerns plaguing this nascent ecosystem. Even better, OTA is welcoming feedback regarding this important document until September 14th, so nobody has to feel left out in providing their insights around this formidably large and complex topic.


Unlike other attempts to wrangle in IoT, OTA's effort is specifically focused around two areas: home automation and consumer health/fitness wearables. By scoping their focus, they are more apt to provide guidance that will be most relevant to these areas, rather than try to cover the entirety of what IoT could possibly encompass. Depending on whose definition of IoT you want to abide by, IoT could very well include everything from home routers to industrial machinery. By being specific with their scope, OTA will have a fighting chance to give guidance to vendors that will be actionable and valuable.


Another important decision by OTA is to not only focus on information security, but also privacy. Often, information security and privacy are treated like silos, which is very unfortunate. With OTA, however, the IoT Trust Framework brings a comprehensive approach, addressing each area through one set of guidance. The decision to call this a "trust" framework, rather than a privacy or security framework, is clearly purposeful.


What I appreciate most about this draft document is that the language used is clear, actionable, and effective -- there's no "legalese" or over-the-top technical phrasing for the sake of sounding complex. The document is quick to read through, could be made into a testing rubric that vendors can use, and will help to effect change rather than to exist purely to add a facade of improvement. Many standards are created for both information security/privacy topics, but few deliver guidance that will really make a difference to the daily user. I believe the IoT Trust Framework greatly improves on this notion.


What I Like So Far...

  • "All user sites must adhere to SSL best practices using industry standard testing mechanisms. For example the working group suggests sites score a minimum of 90% using industry benchmark testing tools."
    • I cannot tell you the number of times I have seen "must use SSL" in standards, but not aim towards any sort of goal for the implementation of SSL.
  • "Personally identifiable data must be encrypted or hashed at rest (storage) and in motion using best practices including connectivity to mobile devices, applications and the cloud utilizing Wi-Fi, Bluetooth and other communication methods."
    • Many transports I see with IoT devices are completely unencrypted currently, allowing for private data (e.g. video, PII) to creep across public networks and live in mobile devices.
  • "The term and duration of the data retention policy must be disclosed."
    • I've owned two IoT devices that I've performed research on that stated they had deleted my data, but I was still able to access the old URLs for months after the alleged deletion.
  • "Manufacturers must publish to consumers a time-frame for support after device/app is discontinued or replaced by newer version."
    • It concerns me when a vendor says, "oh, we no longer sell that device" as an excuse as to why Telnet is running with a backdoor password on my year-old purchase.
  • "All updates, patches, revisions, etc. must be signed/verified."
    • This is one area where vendors could use a lot of help... nearly no device I research does this, and if they do, they screw it up.


What's Next?

The OTA IoT Trust Framework is an important effort for a tough problem. OTA's working group has many large, powerful technology firms involved in this effort, as well as federal government agencies. The best thing we all can do for them, and us, is to contribute feedback before their September 14th deadline. Additionally, if you are an IoT vendor or otherwise deeply concerned about the future of IoT, consider having your organization join their working group for this document.


While the IoT Trust Framework is a big step in the right direction, one area that needs distinct help is the actual hands-on technical guidance that will ensure IoT improves and that all standards' guidance is implemented thoughtfully. Other avenues exist to help the Internet of Things, including the OWASP IoT Top 10 and At Rapid7, I'm fortunate to be able to advise IoT vendors in a professional capacity, but this doesn't scale to the size of IoT, unfortunately.


Solutions such as Brillo and Weave from Google, Thread, HomeKit from Apple, and Parse from Facebook each provide a component to improve on the subsystems and protocols supporting the current generation of IoT. As these technologies mature, having a standard to work against such as the IoT Trust Framework will be a critical anchor. Today, our IoT involves outdated Linux kernels, backdoor accounts, insecure network protocols, poorly designed cloud services, and a complete lack of privacy standards. If we're going to improve upon this anytime soon, new technologies and protocols must be leveraged and standards followed. The IoT is a Wild Wild West, desperately in need of a sheriff to come and "clean up town," so to speak.


Whether you perform security research on IoT devices, help contribute to ongoing standards development, or simply advocate for those that do, it's imperative that we all are thinking about this burgeoning wave of technology that is uniquely positioned to improve our lives -- as long as we secure it, and our data, in a meaningful and substantive way.