Connected home devices may be secure enough off the shelf but this doesn't mean this will always be the case, tech firms have warned.
The security of smart home devices must become sustainable to keep consumers safe, the Online Trust Alliance has warned.
The Internet of Things (IoT) and the concept of the connected home represent an emerging industry. IoT devices can make our daily lives more efficient, but manufacturers are yet to get up to speed when it comes to security -- and a constant stream of research concerning smart systems has revealed just how easy it can be to exploit vulnerabilities and manipulate these kinds of devices.
Formed in January this year, the 100-member-strong Online Trust Alliance (OTA)'s Working Group -- counting members including antivirus firm AVG, Microsoft, Symantec and Target -- believes that an industry-based set of guidelines may push designers and manufacturers in the right direction, so that they begin to view security as a critical part of the production process.
Security, privacy and the often-overlooked area of sustainability are of particular interest to the OTA. According to the group, sustainability concerns how devices are kept secure after circumstances change and the warranty expires.
OTA says that unless sustainability becomes part of the IoT security question, devices which may have been secure at the time of purchase will eventually become flawed over time -- and could become more susceptible to outside influence.
This, in turn, could lead to attackers being able to "remotely control these devices. This is a persistent concern, first demonstrated with baby monitors, just recently by infiltration of fitness wearables to spy on health vitals, and will likely be again soon, perhaps through general mayhem caused by sabotaging connected appliances," according to the non-profit.
As a result, the OTA has developed and released the Internet of Things Trust Framework, a set of guidelines designed to "address IoT risks comprehensively." The guidelines are focused on IoT manufacturers and retailers designing and marketing connected devices in the home automation and consumer health markets, including smart home systems and wearable technologies.
The OTA includes a number of proposed best practices for IoT security and sustainability within the framework. Among the guidelines, the OTA suggests that privacy policies should be made readily available for review prior to purchase, all personally identifiable information should be encrypted or hashed, and companies should be ready to disclose data collection practices prior to the purchase of connected device products.
In addition, OTA says IoT manufacturers should disclose whether or not users have the ability to delete or make anonymous such data once a device reaches its end-of-life or is discontinued -- an important facet when you consider how home circumstances can change.
"The rapid growth of the Internet of Things now includes thousands of connected products, yet it's shocking how little planning there has been for these devices becoming part of everyday life," said Craig Spiezle, Executive Director and President of OTA.
"For example, what if someone sells a house with a smart thermostat or garage door? How do you ensure the old owner doesn't access the devices once the new owner moves in? Or what if a hacker finds a vulnerability to activate your smart TV's camera or microphone? We also need to look at the collective impact when hundreds of thousands of these devices are compromised at once, impacting critical infrastructure and the smart grid, and diverting first responders."
The OTA is also in the midst of creating a voluntary code of conduct for IoT manufacturers to join.
On 6 August, critical flaws were discovered in the ZigBee standard, a popular backbone system used by IoT device manufacturers ranging from Samsung to Philips. The vulnerabilities potentially allow cyberattackers to take over any device connected to a ZigBee-based controller hub.
This story was originally posted as 'Internet of Things device security degrades over time' on ZDNet.
Updated at 6:25 p.m. PT to correct first reference to Online Trust Alliance