The Broadband Internet Technical Advisory Group – an alliance formed by Google, Microsoft, Intel, Verizon and others in the tech industry – has laid out guidelines for improving security on Internet of Things devices.
The group, also known as BITAG, was formed in 2010 to produce best practices for broadband security and published its recommendations for IoT manufacturers yesterday.
In the document, BITAG warned that “the nature of consumer IoT is unique because it can involve non-technical or uninterested consumers; challenging device discovery and inventory on consumer home networks,” adding that IoT devices can be hijacked to create “Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorized access or control, induce device or system failures, and disturb or harass authorized users or device owners.”
To avoid such exploits, BITAG makes a number of recommendations for manufacturers, including:
- Shipping products with up-to-date software
- Including a mechanism for automated and secure software updates
- Providing “Strong authentication”, such as password protection, by default
- Conducting security tests on a number of configurations
- Following security and cryptography best practices
- Ensuring devices remain functional even if the cloud back-end fails
BITAG also suggested that, when possible, IoT devices should not be reachable via inbound connections by default. As an advisory group, however, BITAG can’t legally enforce any of its recommendations on IoT device manufacturers.
In October, an IoT exploit was a major contributor to an internet blackout in the US, which affected huge parts of the country. You can watch our own Gary Sims detail some of the concerns surrounding IoT security in this video.