A tech industry working group convened and drafted an IoT security and privacy framework for locking down home automation devices and consumer health and fitness wearables with standard security best practices:

The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers — or even device replacement, if needed. And that item comes with this caveat: “It is recognized that some embedded devices’ current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase.”

Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after a warranty expires on a smart device and there’s a breach, Spiezle says.

“We talk about not just security, privacy, and disclosure of the data that’s collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty?” he says.

The working group plans to finalize a formal IoT framework — which includes some 22 minimum requirements plus a dozen optional additional measures — and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.

Interestingly, Intel, a company championing IoT, was absent from this working group.

Disclosure: I work for Intel Security.