Lax IoT security: Smart TVs and wearables are paving the way for massive privacy breaches

However secure a connected device is when consumers buy it, there's little guarantee of its safety in the long haul, which is one of the reasons why internet-of-things vendors are being told they need industry guidelines.
Written by Toby Wolpe, Contributor on

Manufacturers and retailers are paying little heed to longer-term privacy and security as they pump intelligent consumer devices into the market, according to industry group the Online Trust Alliance.

With members including Microsoft, Symantec, ADT, AVG, Target, TRUSTe and Verisign, the alliance this week issued guidelines for IoT manufacturers, developers and retailers for use with connected devices.

The guidelines, on which the alliance is inviting public and industry comment, address the issue of sustainability, as well as more widely-publicised security and privacy concerns.

According to the alliance, without addressing sustainability, devices that may have been secure off the shelf will become more susceptible to breaches over time.

"This could lead to hackers remotely opening garage doors and turning on baby monitors that are no longer patched, to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances," the alliance said in a statement.

Earlier this year there was an outcry over the possibility that Samsung's SmartTV was listening to consumers' conversations and sharing data with third parties. This month, reports from the Black Hat conference suggested flaws exist in a popular standard used by IoT devices.

Online Trust Alliance executive director and president Craig Spiezle said connected products are appearing in increasing numbers, yet important capability gaps in privacy and security design remain.

"For example, with a fitness tracker, does the user know who may be collecting and sharing the data? When you purchase a smart home, what is the long-term support strategy of patching devices after the warranty has expired? How do manufacturers protect against intrusions into smart TVs and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid for our first responders should large numbers of these devices be compromised at once?" he said in a statement.

Included in the proposed IoT Trust Framework guidelines are a number of measures such as making privacy policies available before purchase, encrypting or hashing all personally identifiable data at rest and in motion, and disclosing upfront a device's data collection policies, as well as the impact on the device's features if consumers choose not to share data.

The guidelines also suggest it should be made clear to users whether they can remove or make anonymous all personal data when they stop using the device or when it reaches the end of its life. Publishing a timeframe for support after the device or application is discontinued or replaced by newer versions is also among the proposals.

Other commonsense measures cover making the privacy policy readable, disclosing all personally identifiable data types and attributes collected, and limiting any default personal data-sharing to third parties that agree to confidentiality and usage for specified purposes.

There is also a duty on manufacturers to conduct penetration testing on their products and to tell consumers about vulnerabilities, which they must be able to remedy.

Technical measures include prompting for default passwords to be uniquely generated or changed on first use. Related websites must adhere to SSL best practices and HTTPS encryption by default.

On top of the best practices, the alliance is working on developing testing tools and methodologies to allow products to be scored against the IoT Trust Framework, together with a voluntary Code of Conduct and, eventually, a certification program.

The alliance is inviting comments on its list of best practices until September 14, 2015.

More on the internet of things

Editorial standards