InternetofThings(IoT)SecurityandPrivacyRecommendationsABROADBANDINTERNETTECHNICALADVISORYGROUP

TECHNICALWORKINGGROUPREPORT

AUniformAgreementReport

Issued:

November2016

Copyright/LegalNotice

Copyright©BroadbandInternetTechnicalAdvisoryGroup,Inc.2016.Allrightsreserved.

ThisdocumentmaybereproducedanddistributedtootherssolongassuchreproductionordistributioncomplieswithBroadbandInternetTechnicalAdvisoryGroup,Inc.’sIntellectualPropertyRightsPolicy,availableatwww.bitag.org,andanysuchreproductioncontainstheabovecopyrightnoticeandtheothernoticescontainedinthissection.ThisdocumentmaynotbemodifiedinanywaywithouttheexpresswrittenconsentoftheBroadbandInternetTechnicalAdvisoryGroup,Inc.

Thisdocumentandtheinformationcontainedhereinisprovidedonan“ASIS”basisandBITAGANDTHECONTRIBUTORSTOTHISREPORTMAKENO(ANDHEREBYEXPRESSLYDISCLAIMANY)WARRANTIES(EXPRESS,IMPLIEDOROTHERWISE),INCLUDINGIMPLIEDWARRANTIESOFMERCHANTABILITY,NON-INFRINGEMENT,FITNESSFORAPARTICULARPURPOSE,ORTITLE,RELATEDTOTHISREPORT,ANDTHEENTIRERISKOFRELYINGUPONTHISREPORTORIMPLEMENTINGORUSINGTHETECHNOLOGYDESCRIBEDINTHISREPORTISASSUMEDBYTHEUSERORIMPLEMENTER.

TheinformationcontainedinthisReportwasmadeavailablefromcontributionsfromvarioussources,includingmembersofBroadbandInternetTechnicalAdvisoryGroup,Inc.’sTechnicalWorkingGroupandothers.BroadbandInternetTechnicalAdvisoryGroup,Inc.takesnopositionregardingthevalidityorscopeofanyintellectualpropertyrightsorotherrightsthatmightbeclaimedtopertaintotheimplementationoruseofthetechnologydescribedinthisReportortheextenttowhichanylicenseundersuchrightsmightormightnotbeavailable;nordoesitrepresentthatithasmadeanyindependentefforttoidentifyanysuchrights.

AbouttheBITAG

TheBroadbandInternetTechnicalAdvisoryGroup(BITAG)isanon-profit,multi-stakeholderorganizationfocusedonbringingtogetherengineersandtechnologistsinaTechnicalWorkingGroup(TWG)todevelopconsensusonbroadbandnetworkmanagementpracticesandotherrelatedtechnicalissuesthatcanaffectusers’Internetexperience,includingtheimpacttoandfromapplications,contentanddevicesthatutilizetheInternet.

TheBITAG’smissionincludes:(a)educatingpolicymakersonsuchtechnicalissues;(b)addressingspecifictechnicalmattersinanefforttominimizerelatedpolicydisputes;and(c)servingasasoundingboardfornewideasandnetworkmanagementpractices.SpecificTWGfunctionsalsomayinclude:(i)identifying“bestpractices”bybroadbandprovidersandotherentities;(ii)interpretingandapplying“safeharbor”practices;(iii)otherwiseprovidingtechnicalguidancetoindustryandtothepublic;and/or(iv)issuingadvisoryopinionsonthetechnicalissuesgermanetotheTWG’smissionthatmayunderliedisputesconcerningbroadbandnetworkmanagementpractices.

TheBITAGTechnicalWorkingGroupanditsindividualCommitteesmakedecisionsthroughaconsensusprocess,withthecorrespondinglevelsofagreementrepresentedonthecoverofeachreport.EachTWGRepresentativeworkstowardsachievingconsensusaroundrecommendationstheirrespectiveorganizationssupport,althoughevenatthehighestlevelofagreement,BITAGconsensusdoesnotrequirethatallTWGmemberorganizationsagreewitheachandeverysentenceofadocument.TheChairofeachTWGCommitteedeterminesifconsensushasbeenreached.InthecasethereisdisagreementwithinaCommitteeastowhetherthereisconsensus,BITAGhasavotingprocesswithwhichvariouslevelsofagreementmaybemoreformallyachievedandindicated.FormoreinformationpleaseseetheBITAGTechnicalWorkingGroupManual,availableontheBITAGwebsiteatwww.bitag.org.

BITAGTWGreportsfocusprimarilyontechnicalissues,especiallythosewiththepotentialtobeconstruedasanti-competitive,discriminatory,orotherwisemotivatedbynon-technicalfactors.Whilethereportsmaytouchonabroadrangeofquestionsassociatedwithaparticularnetworkmanagementpractice,thereportsarenotintendedtoaddressoranalyzeinacomprehensivefashiontheeconomic,legal,regulatoryorpublicpolicyissuesthatthepracticemayraise.BITAGwelcomespubliccomment.Pleasefeelfreetosubmitcommentsinwritingviaemailatcomments@bitag.org.

i

ExecutiveSummary

Inthepastfewyears,manyofthenewdevicesconnectedtotheInternethavenotbeenpersonalcomputers,butratheravarietyofdevicesembeddedwithInternetconnectivityandfunctions.ThisclassofdeviceshasgenerallybeendescribedastheInternetofThings(IoT)andhasbroughtwithitnewsecurityandprivacyrisks.

Theterm“IoT”haspotentiallybroadscope.IoTcanrefertodeploymentsinhomes,businesses,manufacturingfacilities,transportationindustries,andelsewhere.Thus,IoTcanrefertomuchmorethansimplyconsumer-orienteddevices.Forthepurposesofthisreport,weusethetermIoTtorefersolelytoconsumer-orienteddevicesandtheirassociatedlocalandremotesoftwaresystems,thoughsomeorallofourrecommendationsmaybemorebroadlyapplicable.Thisreportisconcernedwithscenarioswhereconsumersareinstalling,configuring,andadministeringdevicesthattheyleaseorown.

ThenumberanddiversityofconsumerIoTdevicesisgrowingrapidly;thesedevicesoffermanynewapplicationsforendusers,andinthefuturewilllikelyofferevenmore.ManyIoTdevicesareeitheralreadyavailableorarebeingdevelopedfordeploymentinthenearfuture,including:

• sensorstobetterunderstandpatternsofdailylifeandmonitorhealth• monitorsandcontrolsforhomefunctions,fromlockstoheatingandwatersystems• devicesandappliancesthatanticipateaconsumer’sneedsandcantakeactionto

addressthem(e.g.,devicesthatmonitorinventoryandautomaticallyre-orderproductsforaconsumer)

Thesedevicestypicallyinteractwithsoftwarerunningelsewhereonthenetworkandoftenfunctionautonomously,withoutrequiringhumanintervention.Inaddition,whencoupledwithdataanalysisandmachinelearning,IoTdevicesmaybeabletotakemoreproactiveactions,revealinterestingandusefuldatapatterns,ormakesuggestionstoendusersthatmayimprovetheirhealth,environment,finances,andotheraspectsoftheirlives.

AlthoughconsumersfacegeneralsecurityandprivacythreatsasaresultofanyInternet-connecteddevice,thenatureofconsumerIoTisuniqueinthatitcaninvolvenon-technicaloruninterestedconsumers,challengingdevicediscoveryandinventoryonconsumerhomenetworksasthenumberandvarietyofdevicesproliferate,impactsontheInternetaccessserviceofboththeconsumerandothersthatrunonsharednetworklinks,andeffectsonotherservicesinthatwhenIoTdevicesarecompromisedbymalwaretheycanbecomeaplatformforunwanteddatatraffic–suchasspamanddenialofserviceattacks–whichcaninterferewiththeprovisionoftheseotherservices.

Severalrecentreportshaveshownthatsomedevicesdonotabidebyrudimentarysecurityandprivacybestpractices.Insomecases,deviceshavebeencompromisedandallowedunauthorizeduserstoperformsurveillanceandmonitoring,gainaccessorcontrol,inducedeviceorsystemfailures,anddisturborharassauthorizedusersordeviceowners.

ii

Potentialissuescontributingtothelackofsecurityandprivacybestpracticesinclude:lackofIoTsupplychainexperiencewithsecurityandprivacy,lackofincentivestodevelopanddeployupdatesaftertheinitialsale,difficultyofsecureover-the-networksoftwareupdates,deviceswithconstrainedorlimitedhardwareresources(precludingcertainbasicor“common-sense”securitymeasures),deviceswithconstrainedorlimiteduser-interfaces(whichifpresent,mayhaveonlyminimalfunctionality),anddeviceswithmalwareinsertedduringthemanufacturingprocess.

TheemergenceofIoTpresentsopportunitiesforsignificantinnovation,fromsmarthomestosmartcities.Inmanycases,straightforwardchangestodevicedevelopment,distribution,andmaintenanceprocessescanpreventthedistributionofIoTdevicesthatsufferfromsignificantsecurityandprivacyissues.BITAGbelievesthatfollowingtheguidelinesoutlinedinthisreportmaydramaticallyimprovethesecurityandprivacyofIoTdevicesandminimizethecostsassociatedwiththecollateraldamagethatwouldotherwiseaffectbothendusersandISPs.Inaddition,unlesstheIoTdevicesector—thesectoroftheindustrythatmanufacturesanddistributesthesedevices—improvesdevicesecurityandprivacy,consumerbacklashmayimpedethegrowthoftheIoTmarketplaceandultimatelylimitthepromiseIoTholds.

Observations.FromtheanalysismadeinthisreportandthecombinedexperienceofitsmemberswhenitcomestoInternetofThingsdevices,theBITAGTechnicalWorkingGroupmakesthefollowingobservations:

• SecurityVulnerabilities:SomeIoTdevicesship“fromthefactory”withsoftwarethateitherisoutdatedorbecomesoutdatedovertime.OtherIoTdevicesmayshipwithmorecurrentsoftware,butvulnerabilitiesmaybediscoveredinthefuture.Vulnerabilitiesthatarediscoveredthroughoutadevice’slifespanmaymakeadevicelesssecureovertimeunlessithasamechanismtosubsequentlyupdateitssoftware.

• InsecureCommunications:Manyofthesecurityfunctionsdesignedformoregeneral-purposecomputingdevicesaredifficulttoimplementonIoTdevicesandanumberofsecurityflawshavebeenidentifiedinthefield,includingunencryptedcommunicationsanddataleaksfromIoTdevices.

o UnauthenticatedCommunications:SomeIoTdevicesprovideautomaticsoftwareupdates.Withoutauthenticationandencryption,however,thisapproachisinsufficientbecausetheupdatemechanismcouldbecompromisedordisabled.Inaddition,manyIoTdevicesdonotuseauthenticationinthecourseofcommunicating.

o UnencryptedCommunications:ManyIoTdevicessendsomeoralldataincleartext,ratherthaninanencryptedform.Communicationsincleartextcanbeobservedbyotherdevicesorbyanattacker.

iii

o LackofMutualAuthenticationandAuthorization:Adevicethatallowsanunknownorunauthorizedpartytochangeitscodeorconfiguration,ortoaccessitsdata,isathreat.Thedevicecanrevealthatitsownerispresentorabsent,facilitatetheinstallationoroperationofmalware,orcauseitscoreIoTfunctiontobefundamentallycompromised.

o LackofNetworkIsolation:Thesedevicesalsocreatenewrisksandaresusceptibletoattacksinsidethehome.Becausemanyhomenetworksdonot,bydefault,isolatedifferentpartsofthenetworkfromeachother,anetwork-connecteddevicemaybeabletoobserveorexchangetrafficwithotherdevicesonthesamehomenetwork,thusmakingitpossibleforonedevicetoobserveoraffectthebehaviorofunrelateddevices.

• DataLeaks:IoTdevicesmayleakprivateuserdata,bothfromthecloud(wheredataisstored)andbetweenIoTdevicesthemselves.

o LeaksfromtheCloud:Cloudservicescouldexperienceadatabreachduetoanexternalattackoraninsiderthreat.Additionally,ifusersrelyonweakauthenticationorencryptionmethodsforthesecloud-hostedservices,userdatamayalsobecompromised.

o LeaksfromandbetweenDevices:Insomecases,devicesonthesamenetworkoronneighboringnetworksmaybeabletoobservedatafromotherdevicessuchasthenamesofpeopleinahome,theprecisegeographiclocationofahome,oreventheproductsthataconsumerpurchases.

• SusceptibilitytoMalwareInfectionandOtherAbuse:MalwareandotherformsofabusecandisruptIoTdeviceoperations,gainunauthorizedaccess,orlaunchattacks.

• PotentialforServiceDisruption:ThepotentiallossofavailabilityorconnectivitynotonlydiminishesthefunctionalityofIoTdevices,butalsomaydegradethesecurityofdevicesinsomecases,suchaswhenanIoTdevicecannolongerfunctionwithoutsuchconnectivity(e.g.,ahomealarmsystemdeactivatingifconnectivityislost).

• PotentialThatDeviceSecurityandPrivacyProblemsWillPersist:IoTdevicesecurityissuesarelikelytopersistbecausemanydevicesmayneverreceiveasoftwareupdate,eitherbecausethemanufacturer(orotherpartyintheIoTsupplychain,orIoTserviceprovider)maynotprovideupdatesorbecauseconsumersmaynotapplytheupdatesthatarealreadyavailable.

o ManyIoTDevicesWillNeverBeFixed:Deployingsoftwareupdatesthatpatchcriticalsecurityvulnerabilitiesisdifficultingeneral.Manydevicevendorsandmanufacturersdonothavesystemsorprocessestodeploysoftwareupdatestothousandsofdevices,anddeployingover-the-network

iv

updatestodevicesthatareoperatinginconsumerhomesisdifficult,asupdatescansometimesinterruptserviceandsometimeshavethepotentialto“brick”thedevice,ifdoneimproperly.Additionally,somedevicesmaynotevenbecapableofsoftwareupdates.

o SoftwareUpdatesAddressMoreThanJustBugs:Softwareupdatesarenotsimplyintendedtofixsecurityorprivacybugs.Theymayalsobeintendedtointroducemajornewfunctions,orimproveperformanceandsecurity.

o ConsumersAreUnlikelytoUpdateIoTDeviceSoftware:Fewendusersconsistentlyupdatedevicesoftwareoftheirownaccord;itisbesttoassumethatmostenduserswillnevertakeactionontheirowntoupdatesoftware.

• DeviceReplacementMaybeanAlternativetoSoftwareUpdates–forInexpensiveor“Disposable”Devices:Insomecases,replacingadeviceentirelymaybeanalternativetosoftwareupdates.CertainIoTdevicesmaybesoinexpensivethatupdatingsoftwaremaybeimpracticalornotcost-effective.

Recommendations.TheBITAGTechnicalWorkingGroupalsohasthefollowingrecommendations:

• IoTDevicesShouldUseBestCurrentSoftwarePractices:o IoTDevicesShouldShipwithReasonablyCurrentSoftware:BITAG

recommendsthatIoTdevicesshouldshiptocustomersorretailoutletswithreasonablycurrentsoftwarethatdoesnotcontainsevere,knownvulnerabilities.

o IoTDevicesShouldHaveaMechanismforAutomated,SecureSoftwareUpdates:Softwarebugsshouldbeminimized,buttheyareinevitable.Thus,itiscriticalforanIoTdevicetohaveamechanismforautomatic,securesoftwareupdates.BITAGrecommendsthatmanufacturersofIoTdevicesorIoTserviceprovidersshouldthereforedesigntheirdevicesandsystemsbasedontheassumptionthatnewbugsandvulnerabilitieswillbediscoveredovertime.TheyshoulddesignsystemsandprocessestoensuretheautomaticupdateofIoTdevicesoftware,withoutrequiringorexpectinganytypeofuseractionorevenuseropt-in.

o IoTDevicesShouldUseStrongAuthenticationbyDefault:BITAGrecommendsthatIoTdevicesbesecuredbydefault(e.g.passwordprotected)andnotusecommonoreasilyguessableusernamesandpasswords(e.g.,“admin”,“password”).

o IoTDeviceConfigurationsShouldBeTestedandHardened:SomeIoTdevicesallowausertocustomizethebehaviorofthedevice.BITAGrecommendsthatmanufacturerstestthesecurityofeachdevicewitharangeofpossibleconfigurations,asopposedtosimplythedefaultconfiguration.

v

• IoTDevicesShouldFollowSecurity&CryptographyBestPractices:BITAGrecommendsthatIoTdevicemanufacturerssecurecommunicationsusingTransportLayerSecurity(TLS)orLightweightCryptography(LWC).Ifdevicesrelyonapublickeyinfrastructure(PKI),thenanauthorizedentitymustbeabletorevokecertificateswhentheybecomecompromised,andmanufacturersshouldtakecaretoavoidencryptionmethods,protocols,andkeysizeswithknownweaknesses.Additionalencryptionbestpracticesinclude:o EncryptConfiguration(Command&Control)CommunicationsByDefaulto SecureCommunicationsToandFromIoTControllerso EncryptLocalStorageofSensitiveDatao AuthenticateCommunications,SoftwareChanges,andRequestsforDatao UseUniqueCredentialsforEachDeviceo UseCredentialsThatCanBeUpdatedo CloseUnnecessaryPortsandDisableUnnecessaryServiceso UseLibrariesThatAreActivelyMaintainedandSupported

• IoTDevicesShouldBeRestrictiveRatherThanPermissiveinCommunicating:Whenpossible,devicesshouldnotbereachableviainboundconnectionsbydefault.IoTdevicesshouldnotrelyonthenetworkfirewallalonetorestrictcommunication,assomecommunicationbetweendeviceswithinthehomemaynottraversethefirewall.

• IoTDevicesShouldContinuetoFunctionifInternetConnectivityisDisrupted:BITAGrecommendsthatanIoTdeviceshouldbeabletoperformitsprimaryfunctionorfunctions(e.g.,alightswitchorathermostatshouldcontinuetofunctionwithmanualcontrols),evenifitisnotconnectedtotheInternetbecauseInternetconnectivitymaybedisruptedduetocausesrangingfromaccidentalmisconfigurationtointentionalattack.IoTdevicesthathaveimplicationsforusersafetyshouldcontinuetofunctionunderdisconnectedoperationtoprotectthesafetyofconsumers.

• IoTDevicesShouldContinuetoFunctionIftheCloudBack-EndFails:Manyservicesthatdependonoruseacloudback-endcancontinuetofunction,evenifinadegradedorpartiallyfunctionalstate,whenconnectivitytothecloudback-endisinterruptedortheserviceitselffails.

• IoTDevicesShouldSupportAddressingandNamingBestPractices:ManyIoTdevicesmayremaindeployedforanumberofyearsaftertheyareinstalled.Supportingthelatestprotocolsforaddressingandnamingwillensurethatthesedevicesremainfunctionalforyearstocome.

o IPv6:BITAGrecommendsthatIoTdevicessupportthemostrecentversionoftheInternetProtocol,IPv6.

vi

o DNSSEC:BITAGrecommendsthatIoTdevicessupporttheuseorvalidationofDNSSecurityExtensions(DNSSEC)whendomainnamesareused.

• IoTDevicesShouldShipwithaPrivacyPolicyThatisEasytoFind&Understand:BITAGrecommendsthatIoTdevicesshipwithaprivacypolicy,butthatpolicymustbeeasyforatypicalusertofindandunderstand.

• DiscloseRightstoRemotelyDecreaseIoTDeviceFunctionality:BITAGrecommendsthatifthefunctionalityofanIoTdevicecanberemotelydecreasedbyathirdparty,suchasbythemanufacturerorIoTserviceprovider,thispossibilityshouldbemadecleartotheuseratthetimeofpurchase.

• TheIoTDeviceIndustryShouldConsideranIndustryCybersecurityProgram:BITAGrecommendsthattheIoTdeviceindustryorarelatedconsumerelectronicsgroupconsiderthecreationofanindustry-backedprogramunderwhichsomekindof“SecureIoTDevice”logoornotationcouldbecarriedonIoTretailpackaging.Anindustry-backedsetofbestpracticesseemstobethemostpragmaticmeansofbalancinginnovationinIoTagainstthesecuritychallengesassociatedwiththefluidnatureofcybersecurity,andavoidingthe“checklistmentality”thatcanoccurwithcertificationprocesses.

• TheIoTSupplyChainShouldPlayTheirPartInAddressingIoTSecurityandPrivacyIssues:EndusersofIoTdevicesdependupontheIoTsupplychain,frommanufacturertoretailer,toprotecttheirsecurityandprivacy,andsomeorallpartsofthatIoTsupplychainplayacriticalrolethroughouttheentirelifecycleoftheproduct.Inadditiontootherrecommendationsinthissection,BITAGrecommendsthattheIoTsupplychaintakesthefollowingsteps:

o PrivacyPolicy:Devicesshouldhaveaprivacypolicythatisclearandunderstandable,particularlywhereadeviceissoldinconjunctionwithanongoingservice.

o ResetMechanism:DevicesshouldhavearesetmechanismforIoTdevicesthatclearsallconfigurationforusewhenaconsumerreturnsorresellsthedevice.Thedevicemanufacturersshouldalsoprovideamechanismtodeleteorresetanydatathattherespectivedevicestoresinthecloud.

o BugReportingSystem:Manufacturersshouldprovideabugreportingsystemwithawell-definedbugsubmissionmechanismsanddocumentedresponsepolicy.

o SecureSoftwareSupplyChain:Manufacturersshouldprotectthesecuresoftwaresupplychaintopreventintroductionofmalwareduringthemanufacturingprocess;vendorsandmanufacturersshouldtakeappropriatemeasurestosecuretheirsoftwaresupplychain.

vii

o SupportIoTDeviceforEntireLifespan:ManufacturersshouldsupportanIoTdevicethroughoutthecourseofitslifespan,fromdesigntothetimewhenadeviceisretired,includingtransparencyaboutthetimespanoverwhichtheyplantoprovidecontinuedsupportforadevice,andwhattheconsumershouldexpectfromthedevice’sfunctionattheendofthedevice’slifespan.

o ClearContactMethods:Manufacturersshouldprovideclearmethodsforconsumerstodeterminewhotheycancontactforsupportandmethodstocontactconsumerstodisseminateinformationaboutsoftwarevulnerabilitiesorotherissues.

o ReportDiscoveryandRemediationofVulnerabilities:Manufacturersshouldreportdiscoveryandremediationofsoftwarevulnerabilitiesthatposesecurityorprivacythreatstoconsumers.

o ClearVulnerabilityReportingProcess:Manufacturersshouldprovideavulnerabilityreportingprocesswithawell-defined,easy-to-locate,andsecurevulnerabilityreportingform,aswellasadocumentedresponsepolicy.

viii

TableofContents

1 Introduction 1

2 WhatisTheInternetofThings? 2o 2.1ScopeLimitations 2o 2.2IoTDevicesThatUsersHaveModified 3

3 WhyIoTSecurityandPrivacyisofParticularInterest 3o 3.1Non-technicaloruninterestedconsumers. 3o 3.2Challengingdevicediscoveryandinventory. 3o 3.3EffectsonInternetaccessservice. 3o 3.4Effectsonotherservices. 4

4 ManyDevicesDoNotFollowSecurityandPrivacyBestPractices 4o 4.1Lackofincentivestodevelopanddeployupdatesaftertheinitialsale 5o 4.2Difficultyofsecureover-the-networksoftwareupdates 5o 4.3Deviceswithconstrainedresources 5o 4.4Deviceswithconstrainedinterfaces 5o 4.5Deviceswithmalwareinsertedduringmanufacturing. 5o 4.6Lackofmanufacturerexperiencewithsecurityandprivacy 5o 4.7Risksduetovulnerabledevices 6

5 ObservationsonIoTSecurityandPrivacyIssues 7o 5.1InsecureNetworkCommunications 8o 5.2DataLeaks 11o 5.3SusceptibilitytoMalwareInfectionandOtherAbuse 12o 5.4PotentialforInterruptionofService 13o 5.5PotentialThatDeviceSecurityandPrivacyProblemsWillPersist 14o 5.6DeviceReplacementMayBeAnAlternativetoSoftwareUpdates 16

6 APossibleRoleforIn-HomeNetworkTechnology 16

7 Recommendations 18o 7.1IoTDevicesShouldUseBestCurrentSoftwarePractices 18o 7.2IoTDevicesShouldFollowSecurity&CryptographyBestPractices 19o 7.3IoTDevicesShouldBeRestrictiveRatherThanPermissiveinCommunicating 21o 7.4IoTDevicesShouldContinuetoFunctionifInternetConnectivityisDisrupted 21o 7.5IoTDevicesShouldContinuetoFunctionIftheCloudBack-EndFails 22o 7.6IoTDevicesShouldSupportAddressingandNamingBestPractices 22o 7.7IoTDevicesShouldShipwithaPrivacyPolicyThatisEasytoFind&Understand22o 7.8DiscloseRightstoRemotelyDecreaseIoTDeviceFunctionality 22o 7.9TheIoTDeviceIndustryShouldConsideranIndustryCybersecurityProgram 23

ix

o 7.10TheIoTSupplyChainShouldPlayTheirPartInAddressingIoTSecurityandPrivacyIssues 23

8 OtherGroupsFocusedonThisIssue 24

9 References 26

10 DocumentContributorsandReviewers 31

1

1 IntroductionInthepastfewyears,manyofthenewdevicesconnectedtotheInternethavenotbeenpersonalcomputers,butratheravarietyofdevicesembeddedwithInternetconnectivityandfunctions.Examplesofsuchdevicesincludethermostats,smartplugs,andnetworkedcameras.ThisclassofdeviceshasgenerallybeendescribedastheInternetofThings(IoT),anditisclearthatthisnewclassofdevicewillseestronggrowthinthecomingyears,withvaryingestimatesfromdifferentsources,butallforecastingmanybillionsofsuchdevicesby2020[1].

ThenumberanddiversityofIoTdevicesisgrowingrapidly;thesedevicesoffermanynewapplicationsforendusers,andinthefuturewillofferevenmore.ManyIoTsolutionsareeitheralreadyavailableorarebeingdevelopedfordeploymentinthenearfuture,including:

• sensorstobetterunderstandpatternsofdailylifeandmonitorhealth• monitorsandcontrolsforhomefunctions,fromlockstoheatingandwatersystems• devicesandappliancesthatanticipateaconsumer’sneedsandcantakeactionto

addressthem(e.g.,devicesthatmonitorinventoryandautomaticallyre-orderproductsforaconsumer)

Inaddition,whencoupledwithdataanalysisandmachinelearning,IoTdevicesmaybeabletotakemoreproactiveactions,exposeinterestingdatapatterns,ormakesuggestionstoendusersthatmayimprovetheirhealth,environment,finances,andotheraspectsoftheirlives.

TheemergenceofIoTpresentsopportunitiesforsignificantinnovation,fromsmarthomestosmartcities.Unfortunately,manyIoTdeviceshaveshippedwithserioussecurityandprivacyflaws[2];Section3discussesmanyrecentexamplesindetail.TheseflawsputendusersthatpurchasethedevicesatriskinanumberofwaysandcanaffecttheInternetaccessserviceofboththeuserofthedevicesandotheruserswhosetrafficrunsoverthesamesharedInternetlinks.Theflawsalsocreatebroadersecurityandmitigationissuesfortargetsofattacks,InternetServiceProviders(ISPs),aswellasotherserviceproviders—forexamplesearchengineservices,web-basedemail,andgamingsites—andimportantlyintroducenewsupportandmitigationcosts(whicharetypicallypassedontoendusers)[3].Additionalcostsmayalsobeimposedonthedevicemakersthemselves,whomayneedtotakestepstomitigatetheseproblems.

Inmanycases,straightforwardchangestodevicedevelopment,distribution,andmaintenanceprocessescanpreventthedistributionofIoTdevicesthatsufferfromsignificantsecurityandprivacyissues.BITAGbelievesthatfollowingtheguidelinesoutlinedinthisreportmaydramaticallyimprovethesecurityandprivacyofIoTdevicesandminimizethecostsassociatedwiththecollateraldamagethatwouldotherwiseaffectbothendusersandISPs.Inaddition,unlesstheIoTdevicesector—thesectoroftheindustrythatmanufacturesanddistributesthesedevices—improvesdevicesecurityandprivacy,consumerbacklashmayimpedethegrowthoftheIoTmarketplaceandultimatelylimitthepromiseIoTholdsforendusers.

2

2 WhatisTheInternetofThings?TheInternetofThings(IoT)comprisesdevicesthatfunctionassensors,actuators,controllers,andactivityrecorders.Thesedevicestypicallyinteractwithsoftwarerunningelsewhereonthenetwork,suchasonamobilephone,ageneralpurposecomputingdevice(e.g.,alaptop),amachineonthepublicInternet(e.g.,in“thecloud”),oracombinationofthese.IoTdevicesoftenfunctionautonomously,withoutrequiringhumanintervention.

Theterm“IoT”haspotentiallybroadscope.IoTcanrefertodeploymentsinhomes,businesses,manufacturingfacilities,transportationindustries,andelsewhere.Thus,IoTcanrefertomuchmorethansimplyconsumer-orienteddevices.

Forthepurposesofthisreport,thetermIoTisusedtorefersolelytoconsumer-orienteddevicesandtheirassociatedlocalandremotesoftware1systems,thoughsomeorallofourrecommendationsmaybemorebroadlyapplicable.Thisreportisconcernedwithscenarioswhereconsumersareinstalling,configuring,andadministeringdevicesthattheyleaseorown.

2.1 ScopeLimitationsThereportdoesnotdirectlyconsiderdevicesintendedforindustrialorbusiness-to-businesssettings,suchassensorsinhotelsorairportnetworks,smartcities,industrialautomation,commercialbuildingcontrol,ormanufacturinginventorycontrol.Inthesesettings,customersoftenhavetheresourcesandincentivestospecifyandmanagethesecurityandprivacyfeaturesoftheproductstheypurchase.Inaddition,manyofthesedevicesusecommercialwirelessconnectionsthatdonotprovidefullaccesstoandfromtheInternet.Thatbeingsaid,someofthesameissuesaddressedinthisreportmaybepresentinthoseenvironmentsaswell.

ThescopeofthisreportisalsolimitedtoIoTdevicesthateitheroriginateorterminateadataflow.Morespecifically,thereportdoesnotfocusondevicesthatpassthroughtrafficthatmayhappentocontaindatagoingtoorcomingfromIoTdevices,amongothertraffic,suchasahomegateway,wirelessaccesspoint,orrouter.

Additionally,thereportfocusesonlyondevicesandsystemsthatusetheInternetProtocol(IP),whetherIPv4orIPv6orboth.AvarietyofIoTdevicesuseothertransportmechanisms,suchasZigbee1.0[4],X10[5],andsoon.ThesedevicescannotbeconnectedtotheInternetotherthanthroughadevicethatperformsprotocolconversion.Theyoperateonanisolatednetwork.However,therecommendationshereinstillapplytothedevicethatperformstheprotocolconversion(e.g.,homeautomationhuborgateway).

ThisreportfocusesonissuesthatarespecifictodevicesonalocalIPnetworkthatcancommunicateovertheInternet.Privacyandsecurityproblemsthatoccuronisolated

1WhenBITAGusestheterm“software”,itisintendedtoincludedevicefirmware,whichisaformofsoftware,andallothertypesofsoftware.

3

networksthatdonothaveconnectivitytothepublicInternetareoutofscopeforthisreport.

2.2 IoTDevicesThatUsersHaveModifiedSomedevicescanhavetheirsoftwareupdatedorreplacedwithsoftwareotherthanthatwhichthemanufacturerintended,inmanysensescreatinganewproduct.Forexample,ausermayinstallopen-sourcesoftwareonadevice,insteadofusingthevendor-suppliedsoftware.Theresultingproductmaybesubjecttotheconsiderationsandrecommendationsofthisreport,butinthiscasethedeviceshouldbeviewedasadistinctproductforwhichtheuserisresponsible.

3 WhyIoTSecurityandPrivacyisofParticularInterestIoTdevicesfacethesametypesofsecurityandprivacychallengesthatmanyconventionalend-userdevicesface.IoTdevices,ontheotherhand,typicallyofferneitherclearcontrolsnordocumentationtoinformauseraboutrisksintroducedwhenthesedevicesaredeployed.Further,studieshaveshownthatrelyingontheenduserforsecurityandprivacydecisionsispronetofailure[6,7,8].

3.1 Non-technicaloruninterestedconsumers.EndusersdonothavethetechnicalexpertisetoevaluatetheprivacyandsecurityimplicationsofanyparticularIoTdevice,ortheymaylackinterestindoingso[9].Additionally,moreoftenthannot,thedeployeddeviceslackautomatedmechanismstoperformsecureupdatesorenforcesecuritypolicy[9,10].

3.2 Challengingdevicediscoveryandinventory.Consumersalreadyhavedifficultyidentifyingandtroubleshootingthedevicesthatarecurrentlyconnectedtotheirhomenetworks[11].IoTdeviceswillexacerbatethissituation,asconsumersconnectanincreasinglywidevarietyofdevicestotheirhomenetworks.UserswilllikelylosetrackofwhatdevicesareconnectedtotheInternetovertime,whichwillmakesecuringthemevenmorechallenging.Inaddition,ISPswillhavedifficultyhelpingconsumersidentifythesourcesofsecurityproblems.AlthoughISPsmaybeabletodeterminethatsomedeviceonacustomer’shomenetworkiscompromised,theymaybeunabletoidentifythespecificcompromiseddevice,duetotechnologiessuchasnetworkaddresstranslation(NAT)andothertechnologiesthatmayobscuretheidentityofindividualdevices.

3.3 EffectsonInternetaccessservice.IoTdevicescompromisedbymalware(seeSections4.5and5.3)canaffecttheInternetaccessserviceofboththeuserofsuchIoTdevicesandotheruserswhosetrafficrunsoverthesamesharedInternetlinks.Thesedevicesmayalsopresentathreattotheuserandothertargetsofthemalware[12].ThismalwarecanbeusedtolaunchDDoSattacks[13],

4

sendspam,attackotherdevicesontheuser'snetwork,orotherwisemaliciouslyinterferewiththeuser'sInternetaccessservice.

TheseproblemsincreasethecostsincurredbytheISP,whomustspendeffortmitigatingtheseattacks,providinghelpdesksupportforuserswhoareunabletodeterminewhytheirInternetaccessserviceisbehavingpoorlyorabnormally,andevendisablingtheInternetaccessserviceofuserswhosedevicesareperformingmaliciousnetworkactivity.Theproblemsalsoincreasecoststotheconsumerbydegradingperformanceandcreatingthepotentialforlossofcredentials.Finally,theyimposecostsonthetargetofanysuchattacksandtheIoTdevicemanufacturersthemselves(orotherpartsoftheIoTsupplychain),whomayneedtotakestepstomitigatetheseproblems.

3.4 Effectsonotherservices.IoTdevicesthatarecompromisedbymalwarecanbecomeaplatformforunwantedtraffic,suchasspamanddenialofserviceattacks—includingreflectionandamplificationattacks,wherebyanattackersendstraffictoadevicewiththespoofedsourceaddressofavictim,causingthedevicetosendlargeamountsoftraffictowardsthevictim)[14]—whichcaninterferewithaserviceprovider’sabilitytodeliveraservice[15].Compromiseddevicesmayalsobeusedtoeavesdroponlocalnetworktrafficoras“steppingstones”toattackotherdevicesandservicesonthecustomer’slocalnetwork,creatingthepotentialfordataleaks.Providerswhoofferservicessuchassearchengines,web-basedemail,andgamingsitesmustinvestresourcestomitigatetheseattacks.Thevictimsoftheseattackswillalsobearfinancialandprivacycosts.CompromisedIoTdevicescanalsooccasionallyaffectthebusinessmodelofaserviceprovider.OneexampleistheDNSChangermalware,whichallowedattackerstoinserttheirownadvertisementsintovictims’webpages[16].

4 ManyDevicesDoNotFollowSecurityandPrivacyBestPracticesIoTdeviceshavealreadybecomeaplatformforabuseandattacks.ManytechnologistshaveuncoveredvarioussecurityandprivacyrisksassociatedwithIoTdevicesthatareavailablenow[17,18,19,20,21,22,23,24].TensofmillionsmoreIoTdeviceswilllikelybedeployedinthenextfewyears,creatingthepotentialtobecomealargeplatformforlaunchingattacks—bothonotherdevicesintheuser’shomeandontheInternetatlarge—andforsurreptitiouslycollectingprivateinformationaboutspecificendusersorgroupsofusers.Inadditiontothelossesthatconsumersmayexperience,ISPsmaysustainanincreaseintechnicalsupportcallsandattackincidences,raisingthecostofoperationsthatarepassedontoconsumers.

SeveralrecentreportshavestudiedthesecurityandprivacycharacteristicsofIoTdevicesandfoundthatsomedevicesdonotabidebyrudimentaryprivacyandsecuritybestpractices[25,26,27,28,29,30,31].Insomecases,deviceshavebeencompromised[32].

5

Potentialissuescontributingtothislackofprivacyandsecuritybestpracticesinclude:

4.1 LackofincentivestodevelopanddeployupdatesaftertheinitialsaleForconsumerIoTdevicessoldthroughretailchannels,devicevendorsmayhavelittleincentivetodeliversoftwareupdatesaftertheinitialsale.Iftherevenueforadevicecomessolelyfromtheinitialsale,thenanymaintenanceofthedeviceerodesthatinitialrevenue,decreasingprofit.Thisstructurecanencourageplannedobsolescence,wherevendorsprioritizesellingnewdevicesoversupportingexistingones.

4.2 Difficultyofsecureover-the-networksoftwareupdatesIoTdevicesmaynotbedesignedandconfiguredtoreceivesecuresoftwareupdatesoverthenetwork,leadingtocumbersomeupdateprocesses.

4.3 DeviceswithconstrainedresourcesIoTdevicessoldinalow-marginconsumerenvironmentmaybedesignedwithlimitedhardwareresources.Asaresult,certainbasicsecuritymeasuressuchasencryption,softwaresignatureverification,andsecuredaccesscontrolarenotfeasible.Thus,designsthatlimitadevice’sprocessingandmemorycapabilitymayprecluderunninghost-basedsecuritysoftwareorpreventitfrombeingsecurelyupgraded.Section5.1discussesthisissueinmoredetail.

4.4 DeviceswithconstrainedinterfacesManytypesofIoTdeviceshavelimitedornon-existentuserinterfaces.Evenwhenadeviceexposesauserinterfaceviaasecondarydevice(e.g.,asmartphoneapp),itsfunctionalitymaybeminimal.Asaresult,taskssuchasconfiguringalocalfirewallordisablingremoteservicesmaybeimpossible.Devicesmayalsolackthecapacitytodisplaymeaningfulerrorconditionsandalertstothoseuserswhomayuseerrorinformationtobetterprotectadevice.

4.5 Deviceswithmalwareinsertedduringmanufacturing.Malwarecanbeinsertedintodevicesattimeofmanufactureorpackagingbyemployeesofthemanufacturerorotherswithaccesstothemanufacturingorpackagingenvironment.Acompromiseddevicemayoftenappeartobefunctioningnormally,inwhichcasethesecurityorprivacybreachmaypersistuntilthecompromiseisdetected.Firewallsandnetworkisolationcannotdefendagainstattackslaunchedbysuchcompromiseddevicesonotherdevicesinternaltotheisolatednetwork.Forknownexamplesofsuchcompromiseddevicesandadditionaldiscussionoftheeffectsofmalware,seeSection5.3.

4.6 LackofmanufacturerexperiencewithsecurityandprivacyManyIoTdevicemanufacturers(andotherpartsoftheIoTsupplychain)havenopriorexperiencedesigning,developing,ormaintainingInternetconnecteddevicesor

6

handlingconsumerdata.Thesemanufacturerslacksecuredevelopmentlifecycles,incidentresponseteams,andexperiencewithprivacyandsecurityengineeringingeneral.

4.7 RisksduetovulnerabledevicesThefollowingexamplesillustratethescopeandextentoftheproblemsthatarepossiblewhenIoTdevicesbecomevulnerabletoattacksonsecurityandprivacy.Anunauthorizedusermaybeableto:

• Performunauthorizedsurveillanceandmonitoring.o knowwhetheraspecificpersonishome,whatroomthey

occupy,andwhentheyenterthehome

o knowwhatotherdevicesareconnectedtothehomenetwork,andhowusersareinteractingwiththem

o remotelyactivateamicrophoneoracameraonadevicetoeavesdroporspyonsomeone[33]

o discoverwhetheradoororgaragehasrecentlybeenopenedandclosedtodeterminewhethersomeoneishome,toaidinaphysicalbreak-in

o installmalwareonanIoTcameratoaccessthecamera’svideofeed[34]

• Gainunauthorizedaccessorcontrol.o turnathermostatoffduringwintermonthstocausewaterpipes

toburst,damagingahome

o turnlightsonoroff,suchasturningoffperimeterlightingtoaidinaphysicalbreak-in

o unlockdoorstoaidinaphysicalintrusion

o suppressinganalarmfromadoororwindowsensor

o repurposeadeviceforillicituse(e.g.,asaBitcoinminer[35])

• Inducedeviceorsystemfailures.o activateresidentialairconditioningsystemstocreatean

unexpectedsurgeonapowergridinanattempttocreatebrownoutorblackoutconditions

o subverthealthdatacollectionsensorstomodifyhealthdatasuchasbloodpressure,bloodsugar,orweightinformationthatmaybetransmittedtoahealthmonitoringserviceormedicaldevice(suchasaninsulinpump)

7

o emulatethedevice’smanagementsoftwaresothatitappearstobeoperatingnormally,butinsteaddisableimportantfunctionalityormakeotheroperatingchanges,resultinginequipmentorhardwaresystemsfailinginimportantways[36]

o preventathermostatfromcontrollingbuildingheatingorcooling,resultinginextremeheatorcold

• Disturborharassusers.o remotelyactivateaspeakerandengageinverbalthreatsor

harassment

o activatesmokeorothersecurityalarms

AllofthesescenarioscreateseriousprivacyandsecurityrisksforendusersandfortheInternetasawhole.Someendusersecurityandprivacyriskscouldalsoenableanewformofdigitalharassment.Inextremecases,subversionofhealthdatacollectioncouldleadtoinjuryordeath.Forwidelydeployeddevices,securityriskscanbecompoundedacrosshundredsorthousandsofdevicestocreatedistributedattacksoncriticalinfrastructure.

SecurityandprivacyproblemswithIoTdevicescouldultimatelyconstrainthefuturegrowthoftheIoTsector.Asmallnumberofhigh-profileincidentsmaycurtaildemandforIoTdevicesorotherwiseconstrainthegrowthandpotentialofIoT.Thus,itiscriticaltheseissuesbeaddressedtosupportthelong-termhealth,vibrancy,andgrowthoftheIoTmarketplace.

5 ObservationsonIoTSecurityandPrivacyIssuesItisunrealistictoexpectmanufacturerstocreatesoftwareproductsthatarebug-free;allsoftwarehasbugs,andproducingsoftwarefreeofsuchflawsremainsanunsolvedproblem.Asaresult,someIoTdevicesship“fromthefactory”withsoftwarethateitherisoutdatedorbecomesoutdatedovertime.Thisisnotamatterofshippingbuggysoftware,whichisarguablyunavoidable;rather,theconcernisthatmanufacturersmayshipdeviceswithobsoletesoftwarethatcontainsmanysignificant,documentedsecurityvulnerabilities,someofwhichmaybeimmediatelyexploitablewhenthedeviceisfirstconnectedtotheInternet[37].

OtherIoTdevicesmayshipwithmorecurrentsoftwarethatcontainsnomajorknownsecurityvulnerabilitiesatthetimeofshipping.Eveninthesecases,vulnerabilitiesmaybediscoveredinthefuture,whichmaymakeadevicelesssecureovertimeunlessithasamechanismtosubsequentlyupdateitssoftware.Unfortunately,manyIoTdeviceslacksecure,automatedsoftwareupdatemechanismsthatcanpatchvulnerabilitiesoncedevices

8

havebeenshippedanddeployed.2Withoutwidespreadadoptionofsecure,automatedsoftwareupdatemethods,thenumberofinsecureandcompromisedIoTdevicesarelikelytoincreasedramaticallyinthecomingyears.

IoTdevicesthatshipwithsecurityandprivacyissuesorthatdevelopthemovertimecancreateanewpopulationofdevicesthatcanbeusedbymalicioushackers,forexampletoconductreflectionandamplificationattacks[41].Notonlydothesedevicesposerisksforthedeviceownersthemselves,buttheycanalsobeexploitedtoabuseotherparties.ThesecurityofIoTdevicesisthusofinterestnotonlytothemanufacturers(andotherpartsoftheIoTsupplychain)andcustomersofIoTdevices,butalsototheInternetatlarge.

Finally,althoughthisreportprovidesmanyexamplesofIoTdevicesthateitherhaveorpreviouslyhavehadsecurityorprivacyissues,inmanycasestheexampleshighlightedheremayhavebeenaddressedbyrelevantpartiespriortopublicationofthisreport.

5.1 InsecureNetworkCommunicationsIoTdevicesingeneralcanbequiteresource-constrained,lackingthecomputationalpowerandbandwidthofmoreconventionalcomputingdevicessuchasmobilephones,laptops,anddesktopcomputers,asdiscussedinSection4.Asaresult,manyofthesecurityfunctionsdesignedformoregeneral-purposecomputingdevicesaremoredifficulttoimplementonIoTdevices.Forexample,publickeyencryption—whichunderliesmodernsecurecommunicationsbasedonTransportLayerSecurity(TLS)[42]andDatagramTransportLayerSecurity(DTLS)[43]—maybedifficulttoimplementoncertainresource-constrainedIoTdevices.Forinstance,ArduinoandRaspberryPidevicescantakemanysecondstoperformanasymmetricencryptionordecryptionoperation[44,45].

BeyondtheinherentlimitationsofIoTdevicesandtheIoTplatformsonwhichtheyrun,anumberofsecurityflawshavebeenidentifiedinthefield,includingunencryptedcommunications,dataleaksfromIoTdevices,andnegativeeffectstothenetworkwheretheIoTdeviceisattached[25,26,27,46,47].

Forexample,certainTLSserverimplementationsarevulnerabletoso-called“downgrade”attacks,wherebyanattackercanforceaservertouseanolderversionoftheTLSprotocol,whichmayhaveknownsecurityissues,suchasvulnerabilitiestoman-in-the-middleattacks.Inthesescenarios,thecommunicationbetweenanIoTdeviceandthecloud-hostedservicethatsupportsitcouldbecompromised.

§ UnauthenticatedCommunicationsSomeIoTdevicesprovideautomaticsoftwareupdates.Withoutauthenticationandencryption,however,thisapproachisinsufficient,sincetheupdatemechanismcouldbecompromisedordisabled[48].Theupdatemechanismitselfandanyassociatedcommand

2TheIoTcameracitedintherecentlarge-scaleDDoSagainstthekrebsonsecurity.comwebsitewasmadebyDahuaSecurity.Thatcompanyissuedanadvisory[38]andsuggesteddeviceownersdownloadandupdatetheirfirmware[39],aswellastakeadditionalstepstosecuretheirdevices(notdonebydefaultbyDahuaSecurity)[40].

9

andcontroltrafficshouldbeauthenticatedandencrypted,andtheintegrityofcommunicationsbetweenthedeviceandotherendpointsshouldbeprotected.3Unfortunately,manyIoTdevicesdonotuseauthenticationinthecourseofcommunicating.Forexample,theLightwaveRFSmarthubsenttraffictoaremoteserveronthenetworkeachtimeitrestartedandsubsequentlyeveryfifteenminuteswhencheckingforsoftwareupdates[29].Iftheconnectionisnotsecured,itisnotdifficultforanattackerwithnetworkaccesstoconductaman-in-the-middleattack.

§ UnencryptedCommunicationsManyIoTdevicessendsomeoralldataincleartext,ratherthaninanencryptedform.Thismeansthatthedatacan“leakout”andbeobservedbyotherdevicesorbyanattacker.

Asaresult,someIoTdevicesleakuserinformation(suchastoanobserverofthenetworktraffic),andthiscanidentifytheIoTdevice(s)thatarebeingused,aswellasrevealcurrentuseractivityandbehavior[17].4Forexample:

• Adigitalphotoframecarriestheuser’semailaddressincleartextduringwhensynchronizingphotos,andcurrentuseractivityisalsoshownintheclear[10].

• Awebcamerasendsvideofilesincleartext[29].

• Anaudiopersonalassistantcarriesuseraudiocommands,sensorreadings,anduseremailaddressesincleartext[29].

• Athermostatcarrieslocalweatherdatawithpreciseuserlocationinformationincleartext,andisclearlyidentifiableasaspecificbrand’sthermostatbasedontheportsutilized.5

• AnIoTdevicehubhasacleartexttrafficprofilewhichissoregularandspecificthatthedevicehubcanbeidentifiedmerelybyfingerprintingthepatternofcleartexttraffic[29].

• SomeIoT-enabledpacemakersuseunencryptedcommunicationchannels[52].

Sendingtrafficincleartextisnottherecommendedmodelfornewdeploymentsandcreatesissueswherepersonalorotherinformationleaksoveralocalnetwork,orovertheInternet.Onthisissue,forexample,theInternetArchitectureBoard(IAB)hasrecentlystated,“TheIABurgesprotocoldesignerstodesignforconfidentialoperationbydefault…[w]estronglyencouragedeveloperstoincludeencryptionintheirimplementations,andtomakethemencryptedbydefault.”[53]3Messageintegrityallowsanendpointthatreceivesamessagetoverifythatthemessagehasnotbeenmodifiedintransitbetweenthesenderandreceiver.4Itisnotnecessarilynegativethatadevicecanbeidentifiedorthatuseractivityandnormalbehaviorcanbeidentified.Theremaybelegitimatesecurityreasonsforthisthatprovidebenefitstoendusersandimprovesecurityandprivacygenerally.5InarecentcaseinvolvingtheNestthermostat,thisbugwasfixedaftertheresearchersreportedittoNest.TheNestthermostatcandoautomaticsoftwareupdates[49,50].Unfortunately,automatedupdateshavethemselvesintroducedadifferentsetofissues[51].

10

§ LackofMutualAuthenticationandAuthorizationManyattacksoriginatefrombehindafirewallatanetworkborder,inthehomeorelsewhere.Asaresult,communicationsbehindafirewallshouldnotnecessarilybeconsideredtrustworthy.Thus,adeviceneedstoestablishtrustbetweendevices,regardlessofwhetheritisonalocalareanetworkortheInternet;itshouldassumethatotherdevicesareuntrustedbydefaultandshouldbeexplicitlyauthenticatedandauthorized.Adevicethatallowsanunknownorunauthorizedpartytochangeitscodeorconfiguration,ortoaccessitsdata,isathreat;thedevicecanrevealthatitsownerispresentorabsent,facilitatetheinstallationoroperationofmalware,orcauseitscoreIoTfunctiontobefundamentallycompromised.

Fortunately,incontrasttogeneral-purposecomputingdevicessuchaslaptops,whichmaycommunicatewithmanyInternetdestinations,IoTdevicesoftencommunicatewithasmallnumberofwell-defineddestinations.Forexample,adevicemaycommunicateregularlyonlywithacontrolorupdateserverthathasawell-knownDNSnameorIPaddress;substantialcommunicationwithotherdestinationsmaybecauseforconcern.

§ LackofNetworkIsolationInadditiontothesecurityandprivacyrisksthatIoTdevicesintroduceoutsideofthehomenetworkwheretheIoTdeviceitselfisinstalled(seeSection4),thesedevicesalsocreatenewrisksandaresusceptibletoattacksinsidethehome.Becausemanyhomenetworksdonot,bydefault,isolatedifferentpartsofthenetworkfromeachother,anetwork-connecteddevicemaybeabletoobserveorexchangetrafficwithotherdevicesonthesamehomenetwork,thusmakingitpossibleforonedevicetoobserveoraffectthebehaviorofunrelateddevices.

Althoughitiscommonpracticetousefirewallstoisolatedevicesonanetworkfromoneanother,firewallsalonecannotalwaysdefendagainstdevicecompromisesordataleaks,andtheycannotdefendagainstmalwareondevicesalreadyinsidethehomenetwork.Atypicalhomenetworktodayofferslittleornoisolationbetweendevices.Section6discussesfirewallsandothernetworkisolationmechanismsinmoredetail.

Thislackofisolationposesathreattosecurityandprivacyofalldevicesonthenetwork,bothasaresultofspecificmanufactureractions(oractionsbyotherpartiesintheIoTsupplychain)andasaconsequenceofdevicecompromise[27,54,55].Specifically,anattackermaybeabletocollectintelligenceorpersonalinformationfromotherdevicesonthesamenetwork.Typically,eachdeviceonahomenetworkcanseethetrafficfromotherdevicesthatareonthesamenetwork.Ifdevicestransmittrafficincleartext,onedevicemaybeabletodiscoverthedetailsofanotherdevice’sactivity.Recentworkhasshownthateventheabilitytoobservemore“coarse”details,suchasDNSlookupsandchangesintrafficvolumes,mayrevealinformationaboutdeviceactivityanduserbehavior[56].Anattackerthatcompromisesonedevicemaythusbeabletoinfersignificantinformationaboutanenduser,suchasthetimesofentryandexitfromthehomeviacompromiseddoorsensorsoraudioandvideorecordingsfrommicrophonesandvideocamerasembeddedinIoTdevices.Thesecuritydesignofmanyhomewirelessnetworksenable“steppingstone”attacks[57],wherebyanattackermaycompromiseonevulnerableIoTdeviceandusethat

11

compromiseasamechanismtogainaccesstootherconnecteddevicesfromtheinsideofthenetwork.Examplesinclude:

• AsmartwatchproductincludedafunctioningDNSserverthatexternalattackerscouldusetoattackotherdevicesonthenetworkthatthesmartwatchwasconnectedto.Thesameproducthadavulnerabilitythatallowedlocalnetworktraffictobeviewedbyexternalnetworkattackers[27].

• Asmartlightbulbcouldbetrickedintosendingwirelessnetworkcredentialswhichexternalattackerscouldthenusetocontrolthelightsandviewlocalnetworktraffic[54].

• SomedevicemanufacturersandISPshaveexposedinsecureremotemanagementinterfacesofmillionsofdevicesandcustomerpremisesequipment(e.g.,modems,homerouters)thatallsharedthesameknownprivatekey,exposingthesedevicestobothpassiveandactiveman-in-the-middleattacks[55].

• VulnerabilitiesinacertainmodelofVoIPphonewouldallowalocalnetworkattackertoprovidemaliciousfirmwareupgradestothephone[58].

• AmanufacturerofWi-Fisecuritycamerasdesignedtheirproductswithpeer-to-peernetworkingsoftwarethatwould“punch”multipleholesthroughthelocalnetworkfirewallandcouldnotbeeasilydeactivated.Thissoftwareallowedattackerstonotonlycompromisethecameraitselffromawidevarietyofendpoints,butalsolaunchattacksonotherdevicesonthelocalnetwork[31].

5.2 DataLeaksInstallingIoTdevicesinthehomecreatesthepotentialforthesedevicestoleakprivateuserdata,bothfromthecloud(wheredataisstored)andbetweenIoTdevicesthemselves.

§ LeaksFromtheCloudMuchofthedatathatIoTdevicescollectiscurrentlystoredincloudservicesoutsidethehome;thesecloudservicescouldexperienceadatabreachduetoanexternalattackoraninsiderthreat.

Additionally,ifusersrelyonweakauthenticationorencryptionmethodsforthesecloud-hostedservices,userdatamayalsobecompromised.

Afewexamplesinclude:

• Awebapplicationassociatedwithateddybear(whichcontainsasmallcameraonitsnose)containedasecurityvulnerabilitythatleftchildren’sidentitiesexposed[59].

• Thedollsentencryptedchatsbetweenthedollandthecloud-hostedserversusingaversionofTLSthatwasvulnerabletoadowngradeattack,makingitpossibletoeavesdroponchildren’srecordings[60].

12

• Adatabreachatachildren’stoymakerexposedthepersonaldataofmorethansixmillionchildren[61].

• WeaknessesintheconfigurationoftheWi-FiaccesspointonamotorvehiclesresultedinmanyvehiclelocationsbeingtrackedonwebsitesthatharvestthenamesofWi-Fiaccesspointsandtheirlocations[62].

• Acarmaker’ssystemsentfueleconomystatistics,precisegeographiccoordinates,speed,direction,anddestinationincleartexttoacentralserver[63].

Manyotherexamplesofdatabreachesfromthesedevicesexist[25,28,30,32,64,65,66,67].DataleaksfromthecloudarenotneworspecifictoIoTdevices,yettheprevalenceofdataleakvulnerabilitiesincloud-hostedservicesisespeciallyproblematicforconsumerIoTdevices,whicharenotonlyincreasinglypervasivebutalsoincreasinglycollectpersonalandprivatedata.

§ LeaksFromandBetweenDevicesIoTdevicesfromavarietyofdifferentmanufacturers,runningmanydifferentsoftwareapplications,mayallresideonthesamelocalareanetwork.AlthoughstandardWi-Fiencryptiontechniquescanprotecttheconfidentialityofdatatransmissionsonthelocalareanetwork,encryptionalonedoesnotensureuserprivacy.

Insomecases,devicesonthesamenetworkoronneighboringnetworksmaybeabletoobservedatafromotherdevices.Forexample,adevicemay“leak”datatonearbydevicesorusers(eitheronthesamelocalareanetwork,Wi-Finetwork,orsimplynearby).EvenwithWi-Fiencryption,onedevicecanstillobservethepresenceofotherdevicesonthesamelocalareanetwork,andtheotherdevice’shardwareaddresses—whichcanoftenrevealthetypeofdevice—arealsotypicallyvisibleincleartext.Thislevelofvisibilitycould,forexample,makeitpossibleforsoftwareonadigitalphotoframetomonitorauser’sinteractionswithotherdevicesonthesamenetwork.

Datathatleaksfromonedevicetoanothermayincludeinformationsuchasthenamesofpeopleinahome,theprecisegeographiclocationofahome,oreventheproductsthataconsumerpurchases.Forexample,arecentstudydiscoveredthatathermostatwasleakingprecisegeographicinformationfromthehome[17].Inanotherrecentstudy,researcherswereabletodetermineauser’sATMPINbasedonaccelerometerdataleakedoverBluetoothfromafitness-trackingdevice[68].

5.3 SusceptibilitytoMalwareInfectionandOtherAbuseMalware,whichismalicioussoftwareinstalledonauserdevicethattypicallydisruptsoperations,gainsunauthorizedaccess,orlaunchesattacks,caninfectIoTdevicesthroughavarietyofmechanisms.Aswell,otherformsofabusecanoccur.Someexamplesinclude:

• Themanufacturermaynotadequatelysecurethesoftwaresupplychain[69]andtherebyallowmalwaretobeplacedontheinitially-shippedsoftwareoftheIoTdevice[34],asnotedinSection4.5.

13

• Devicesmayshipwithout-of-datesoftwarethatcontainsknownvulnerabilities.Whenauserconnectsthedevicetothenetwork,thedeviceimmediatelybecomesatargetforattackers.Paststudiesdemonstratethatthe“survivaltime”(i.e.,thetimethatadeviceisconnectedtothenetworkbeforeitisinfected)caninsomecasesbelessthantenminutes[70].6Ifadeviceshipswithout-of-datesoftwareanddoesnotimmediatelycheckforsoftwareupdates,itrisksbecominginfectedimmediately.

• Thesoftwareupdatemechanismsmaynotincludeauthenticationofsoftwareloadstoensurethesoftwareisfromatrustedsource.Throughsocialengineering,theusercanbeinfluencedorinducedintoloadingcompromisedsoftwareontoanIoTdevice.

• Thesoftwaremayincludecommand-linecapabilitiesorApplicationProgrammingInterfaces(APIs)thatcanbeexploited(withorwithoutuserinvolvement)toloadmalwareontoanIoTdevice.

• Thedevicehasunnecessaryportsleftopenandunsecured,suchastelnet.Theseunnecessaryportshavebeenusedtocompromiseadevice,forexampleinstructingthedevicetoaccessadestinationinordertodownloadmalware[71,72,73]. Unnecessaryportscanalsobeusedinamplificationattacks.

• Thedeviceusesweakdefaultauthentication,suchascommonoreasilyguessableusernamesandpasswords(e.g.,“admin”,“password”)[74].Inaddition,authenticationforremoteaccessmaynothavebeensecured,enablingotherswhoarenotphysicallypresentinthehometologintothedeviceandinstallmalwareontoit[13,75,76,77,78].

5.4 PotentialforInterruptionofService

OneimportantaspectofIoTdevicesecurityisserviceavailabilityinthefaceofdevicefailureandattack.ThepotentiallossofavailabilityorconnectivitynotonlydiminishesthefunctionalityofIoTdevices,butalsomaydegradethesecurityofdevicesinsomecasessuchaswhenanIoTdevicecannolongerfunctionwithoutsuchconnectivity(e.g.ahomealarmsystemdeactivatingifconnectivityislost).AnIoTdevicecanexperienceserviceinterruptioninseveralways.

• Lossofsupportfromacloud-hostedapplication.Ifthedevicedependsoncommunicationwithacloudservice,thedevicemayfailtofunctionwhenitlosesconnectivitywiththecloudservice.Suchdisconnectionmightoccurforavarietyofreasons,includinginterruptionofInternetconnectivity,bugsinthecloudsoftwareservice,avendorormanufacturergoingoutofbusiness,oraconsumer’sdecisiontodiscontinueaservicesubscription.

6Thepresenceofafirewallisnotnecessarilyadefenseagainstthissortofcompromise.Section6discussesfirewallsandothernetworkisolationmechanismsinmoredetail.

14

• Lossofconnectivitytothenetwork.Connectivitywithinahomenetworkmaybeinterrupted,perhapsduetoanunpluggedpowercable,radiointerferencewithWi-Fi,orafirewalldecidingtorestrictaccess,forexample.

• Damagetothedevice.Adevicecouldbecomephysicallydamaged,oritssoftwarecouldbecomecorruptedorotherwiseinoperable(sometimesreferredtoas“bricking”adevice).

A"bricked"device—onethatisphysicallyorlogicallydamaged—maybeunrecoverable,whileadevicethatdependsoncommunicationwithacloud-hostedservicemaybecomeoperableagainwhencommunicationisrestored.

Outagestocertainservicescandamagepropertyandplaceusersindanger.Forexample,asoftwarebuginanIoTthermostatresultedininoperablehomeheatingsystems,and(asaresult)frozenpipesinhomes[51].Malfunctioningheatingandcoolingsystemscanresultinfatalities.WhenIoTdevicesareresponsibleforeverythingfrompersonalhealthtohomesecurity,thestakesforusersafetyarehigh.

5.5 PotentialThatDeviceSecurityandPrivacyProblemsWillPersistThissectionbrieflydiscusseswhythesecurityissuesoutlinedintheprevioussectionarelikelytopersist.OnecouldexpectthatmanysuchIoTdevicesmayneverreceiveasoftwareupdate,eitherbecausethemanufacturer(orotherpartyintheIoTsupplychain,orIoTserviceprovider)maynotprovideupdatesorbecauseconsumersmaynotapplytheupdatesthatarealreadyavailable.Therearemanyexamplesofthiswithsimilartypesofdevices[79,80,81,82].

§ ManyIoTDevicesWillNeverBeFixedDeployingsoftwareupdatesthatpatchcriticalsecurityvulnerabilitiesisdifficultingeneral,yetIoTdevicesposeuniquechallenges.First,manydevicevendorsandmanufacturersdonothavesystemsorprocessestodeploysoftwareupdatestothousandsofdevices(ormore).Second,deployingover-the-networkupdatestodevicesthatareoperatinginconsumerhomesisdifficult,asupdatescansometimesinterruptserviceandsometimeshavethepotentialto“brick”thedevice,ifdoneimproperly.Additionally,somedevicesmaynotevenbecapableofsoftwareupdates[83].

Threesoftwareupdateapproacheshaveemergedintheconsumerelectronicsindustry,twoofwhichrelyonuserstotakeaction(afundamentalflaw)whilethethirdisautomaticwithnouseractionrequired.Theeffectivenessofeachofthesevariesinpractice.Theseapproachesareasfollows:

• User-initiatedsoftwareupdates.Thisapproachrequiresthelocaladministratorofthedevicetomanuallyinitiateacheckandinstallationforanysoftwareupdatestoadevice.Anexampleofthismodelisinthetypicalretailhomegatewayorrouterdevicemarket.Someofthosedevicesrequiretheusertodownloadanewsoftwareimagefromthemanufacturer’swebsite,thenaccessalocaldeviceadministrationwebpage,findtheinterfaceforsoftwareupgradesanduploada

15

file.Thisprocessisnotonlytime-consumingbutcanbedauntingfornon-technicalorcasualusersforwhichadevicemaystillbeworking“wellenough.”

• Automatedsoftwareupdatechecks,withuserapproval.Thesedevicesperiodicallycheckfornewsoftwareupdates.Whenanupdateisavailable,thedevicepresentstheuserwithapromptthatasksforpermissiontoproceedwiththeupdate.SmartTVandconsolegamingdevicesoftenusethisapproach.Inthesescenarios,applyinganyparticularsoftwareupdatemaytakeseveralminutes—orlonger—whichiswhytheuserispresentedwiththeoptionofdeferringinstallation.

• Fullyautomatedsoftwareupdates.Somedeviceswillperiodicallychecktoseeifnewsoftwareisavailable;ifitis,theywilldownloadthesoftwareandinstallitwithoutuserintervention[84,85].Insomecases,thedevicemayapplytheupdateataparticulartimeofday,suchaslateatnightorwhentherehasbeennoactivitypertainingtothedeviceforsomeperiodoftime,tominimizeuserdisruption.Unfortunately,automatedsoftwareupdatescanalsoposechallengesforsomeuserswhohavedatacaps(whereapplicable),andwhentheupdatesthemselvesintroducenewbugs[51].

Thecommonapproachesforsoftwareupdatesareeitheruser-initiatedoruser-approved,bothofwhichtendtoleadtorelativelylowupdaterates[86].Asaresult,millionsofCustomerOwnedAndMaintained(COAM)homegatewayswilllikelyneverreceiveasoftwareupdate.Forexample,somemodelsofNetGearhomegatewayshippedwithasoftwarebugthatcausedthesedevicestorandomlyfloodISPDNSserverswiththousandsofDNSrequestspersecond,addinguptomillionsperday,orafloodofNTPqueriestoNTPservers[87,88,89,90].Whilethisspecificsoftwarebughasbeenreportedformanyyears,networkoperatorsneverthelessstillobservethesedevicesrunningoldersoftwareandmisbehavingonthenetwork,inadvertentlyperformingDDoSattacksduetosoftwarebugs.

§ SoftwareUpdatesAddressMoreThanJustBugsItisalsoworthbearinginmindthatsoftwareupdatesarenotsimplyintendedtofixsecurityorprivacybugs.Theymayalsobeintendedtointroducemajornewfunctions.Inaddition,theymaybemoregenerallyrelatedtoperformanceandsecurity,suchassupportorbugfixesrelatedtoIPv6addressing,DNSSecurityExtensions(DNSSEC)validation,andTCPbuffercontrol(e.g.,“bufferbloat”)orActiveQueueManagement(AQM).

§ ConsumersAreUnlikelytoUpdateIoTDeviceSoftwareFewendusersconsistentlyupdatedevicesoftwareoftheirownaccordunlesstheyareconstantlyandobtrusivelyremindedtodosobythedevice’sgraphicaluserinterface(GUI)(i.e.,aregularpop-upwindowonaPC,acounterinamobileappstore,abouncingapplicationicon,etc.),alessonunderstoodwellinthedisciplineofhuman-computerinteraction[86].Otherrecentworksuggeststhatusersforegoapplyingsoftwareupdatesonbothfixedandmobiledevicesforavarietyofreasons,rangingfromthedisruptionoftheirworkcycletothedatacostsassociatedwithsoftwareupdates[86].

16

Althoughnoin-depthstudiesonusersoftwareupdatingbehaviorhavebeenundertakenforIoTdevices,thestateofaffairsislikelyworsethanforconventional,ornon-IoT,devices.Addingtousers’alreadyriskybehaviorwithrespecttosoftwareupdates,manyIoTdeviceslackaGUIorotherindicatorthatnewsoftwareisavailableornecessary.Additionally,theproliferationofdevices—bothinnumberandindiversity—maketrackingsoftwareupdatesanunwieldytaskforthetypicalInternetconsumer.

Thus,forIoTdevices,itisbesttoassumethatmostenduserswillnevertakeactionontheirowntoupdatethesoftwareonthedevice.

5.6 DeviceReplacementMayBeAnAlternativetoSoftwareUpdatesInsomecases,replacingadeviceentirelymaybeanalternativetosoftwareupdates.CertainIoTdevicesmaybesoinexpensivethatupdatingsoftwaremaybeimpracticalornotcost-effective.Forexample,perhapsachargingadapterthatcosts$0.99hassomelimitedIoTfunction.Atthatunitcost,updatingadevicemaynotbeeconomical;rather,itmaymakemoresensetorecyclethedeviceandpurchaseareplacement.However,thisapproachrequiresthefollowingelementstoprovideasecurealternativetosoftwareupdates:

• Awaytoidentifywhenoneormoreaccumulatedvulnerabilitiesinadevicehavecompromisedittothepointthatitshouldbereplaced.

• Awaytodisablecommunicationwiththedeviceonceitisdeterminedtobevulnerable.Examplesofpotentialmethodsincluderemotelydisablingthedevicefromthenetwork,orblockingaccesstothedevicefromahomegateway.

• Awaytonotifyusersthatcommunicationwiththedevicehasbeendisabled.Eveninthesecases,ofcourse,usersmaybereluctanttostopusingadeviceaslongasitcontinuestofunctioninpart.Aslongasthedevice’sabilitytocommunicatehasbeendisabled,however,continueduseshouldnotpresentasecurityvulnerability.

6 APossibleRoleforIn-HomeNetworkTechnologyDevicemanufacturerssecuringtheirdevicesbydefaultconstitutesanimportantstepforimprovingIoTsecurityandprivacy,butitisbynomeanssufficient.EvenIoTdevicesthatarenotinfectedwithmalwaremaystilleavesdroponotherhomenetworktraffic(e.g.,viamanufacturer-installedorthird-partysoftware),compromisinguserprivacy.Ahomeisoftenconsideredafirewalledorisolatedenvironment,andmultipleunrelatedIoTdeviceswilltypicallyhaveunrestrictedaccessbehindthisfirewall.Furthermore,asmentionedinSection3.4and5.1,asingleinsecureorcompromiseddeviceinthehomenetworkmayleadtostepping-stoneattacks,so“defenseindepth”[91]iscritical.

Recentstudiesandreportshavesuggestedthat,inthefuture,theremaybesomeroleforahomenetworkappliancetocontrolandmanagethetrafficthatIoTdevicesexchangewitheachotherandwiththerestoftheInternet[92].Possiblecapabilitiesforsuchanetworkdeviceinclude:

17

• Automaticdiscoveryandinventoryofin-homeInternetconnecteddevices[93].

• Mechanismsforpresentingtheuserwithclearinformationabout(1)whatdatathedeviceissendingtotherestoftheInternetand(2)whatotherdevicesinthehomethedeviceistalkingto,ashasbeendoneinthepastforsmartphonesandbrowsers[94,95].

• MechanismsthatprovidetheuserwithsimplewaystopreventordisablecommunicationofasingledevicewithotherIoTdevicesonthehomenetwork,orwithstorageserversinthecloud,withoutimpairingtheprimaryfunctionalityofthedevice.OnerecentstudywasabletoachievethiswithtwoexampleIoTdevices,aPhilipsHuelightbulbandaNestthermostat[92].

Networktechnologytoimprovesecurityandprivacymayultimatelytakeoneofseveralforms.Ahomenetworkgateway,eitherseparate(e.g.,anIoThuborseparatehomerouter)orintegratedwithISP-providedequipment,couldperformmeasurementswithinthenetworkthathelpusersunderstandthecomplexdataflowsbothbetweenIoTdevicesinthehomeandbetweenthesedevicesandthird-partysitesandservicesoutsideofthehome.Inthissense,networktechnologyinthehomethatmonitorsdevicetrafficmayultimatelyhelpimprovethetransparencyofthebehavioroftheseIoTdevices.

ThereissomeconflictbetweenmonitoringandmanagingIoTtrafficbyahubandtheend-to-endsecurityofthetrafficitself.Itisworthnotingthatevenifnetworktraffictoandfromthesedevicesisencryptedend-to-end,certaincharacteristics,suchastheotherdevicesandlocationsthatanyparticulardeviceiscommunicatingwith,willstillbeevidentfromthistraffic.StandardizationtoallowcooperativetrafficclassificationandprotectionwithsuchanIoThubwouldallowthedevicetobearecognizedandauthenticatedpartoftheecosystem,providingthatmanagementwithfine-grainedcontrolavailabletothetrafficoriginatoronanopt-inbasis.

Inadditiontosimplyhelpingvisualizethesetrafficflows,suchagatewaycouldenforcereasonabledefaultsettingstoimprovethesecurityandprivacyoftheconnectedIoTdevices.Forexample,recentresearchsuggeststhatahomenetworkfirewallcanpreventcertaindevicesfromexfiltratinglogsandotherinformationtothird-partycloudproviderswithoutcripplingthefunctionalityofthedeviceitself[92].Anopenquestioninvolvesidentifyingreasonabledefaultfirewallsettingsthatcouldbeinstalledatsuchagatewaytoimprovesecurityandprivacy.Giventhatsuchahomenetworkfirewallmightinstigatea“privacyarmsrace”(e.g.,onecouldimagineadevicemanufacturernotprovidingsecurityupdatestoauserwhoblocksthedevice’strackingcapabilities),oneaspectofdevicecertificationformanufacturersandvendorsmayultimatelyinvolveensuringthatconsumersretaininformedchoiceastohowthesedevicescommunicatewitheachotherandwiththird-partysitesandservices.

Finally,interactionbetweenIoTdevicesmayrequiremorecomplexmediation.Forexample,whileausermaynotgenerallydesirecertaindevicescommunicatingorinteractingwithoneanother,theremaybespecificusecasesthatpermitcommunicationorinteractionbetweendevicesforspecifictasks.Asonepossibleexample,considerascenariowhereausermightwanttoautomaticallydimthelightswhenwatchingamovieinthe

18

home.Inthiscase,theapplicationmightinvolvemediatedcommunicationbetweenastreamingdevice(e.g.,aRokuorAppleTV)andthesmartplugsandswitches(e.g.,aBelkinWeMoswitch).Ontheotherhand,ingeneral,ausermaynotwantthesedevicestointeract,oreventoobserveeachother’straffic.Thus,thenetworkgateway,coupledwiththeappropriateuserinterface,mayultimatelyprovidebetteropportunitiesforthistypeofcomplexmediatedinteraction.

Recentreportssuggestthatmanyofthesegoalsarelikelywithinreach.Forexample,researchersusedahomenetworkfirewalltopreventaNestthermostatfromsendingitsstatuslogstothecloud,withoutimpairingthedeviceitself[92].Becausethetypicaluserisunlikelytoconfigurefirewallrules,however,suchfirewallingfunctionsmustbemoreusable—and,ifpossible,automated—beforetheycanbeconsideredpractical.

7 RecommendationsThissectionofthereportpresentsrecommendationsoftheBITAGTechnicalWorkingGroup(TWG).Althoughearliersectionsofthisreporthavediscussedthepotentialoflonger-term,forward-lookingsolutions(e.g.,theroleofin-homenetworktechnologytomitigatedeviceinsecurity),thissectionfocusesonrecommendationsthatBITAGbelievesareactionableintheshorttermusingexistingtechnology.

7.1 IoTDevicesShouldUseBestCurrentSoftwarePractices

§ IoTDevicesShouldShipwithReasonablyCurrentSoftware

BITAGrecommendsthatIoTdevicesshouldshiptocustomersorretailoutletswithreasonablycurrentsoftwarethatdoesnotcontainsevere,knownvulnerabilities.However,softwarebugsaresomewhatofa“factoflife”anditisnotuncommonfornewvulnerabilitiestobediscoveredwhiledevicesareontheshelf.HenceitiscriticalforanIoTdevicetohaveamechanismbywhichdevicesreceiveautomatic,securesoftwareupdates(seenextbullet).

§ IoTDevicesShouldHaveaMechanismforAutomated,SecureSoftwareUpdates

Softwarebugsshouldbeminimized,but—asnotedabove—theyareinevitable.Thus,itiscriticalforanIoTdevicetohaveamechanismforautomatic,securesoftwareupdates,asdiscussedinSection5.5.

BITAGrecommendsthatmanufacturersofIoTdevicesorIoTserviceprovidersshouldthereforedesigntheirdevicesandsystemsbasedontheassumptionthatnewbugsandvulnerabilitieswillbediscoveredovertime.TheyshoulddesignsystemsandprocessestoensuretheautomaticupdateofIoTdevicesoftware,withoutrequiringorexpectinganytypeofuseractionorevenuseropt-in.

19

Althoughsuchupdatesshouldbeautomaticandmandatoryforendusers,ifforsomereasontheupdatesystemmustallowforachoiceofeitheropt-outoropt-in,thenbasedonhuman-computerinteractionstudies,anysuchsystemshouldbeopt-outsothatupdateswilloccurautomaticallybydefaultandwithoutanyuserintervention,userapproval,orotherenduseraction.Theabilityforausertoconfigurethenatureofsoftwareupdatesmaybeimportanttosomeend-users,suchasthoserunningdevicesinresource-constrainedsettings(e.g.,satelliteconnections,orotherplaceswheredatacostsarehigh).

Insomecases,in-homenetworkdevicesmightinteractwithconsumerstoraiseperiodicalertstofacilitatemeaningfullyinformeddecision-making(e.g.,pollingtheuserwithquestionstheycanunderstandabouthowtheywantdevicestointeract).Incorporatingthistypeoffunctionrequiresextremecareindesign,toensurethatthesealertstotheuseraremeaningfulandthatthevolumeofupdatesisnotoverwhelming.Thissortoffunctionalitycanbecomplicatedtoimplementreliably.

§ IoTDevicesShouldUseStrongAuthenticationbyDefault

BITAGrecommendsthatIoTdevicesbesecuredbydefault(e.g.passwordprotected)andnotusecommonoreasilyguessableusernamesandpasswords(e.g.,“admin”,“password”).Finally,authenticationforremoteaccessshouldbesecured,asitpotentiallyallowsotherswhoarenotphysicallypresentinthehometomonitorandcontrolaspectswithinthehome(e.g.,changingclimatecontrols,monitoringuseractivity).Authenticationcredentialsshouldbeuniquetoeachdevice.

Possibledefaultauthenticationmethodsthatsatisfythesecriteriainclude:(1)shippingeachdevicewithafixeddefaultpasswordbutrequiringtheusertochangeitaspartoftheinstallationprocess(i.e.,beforethedevicewillfunction);and(2)shippingeachdevicewithauniquepasswordforeachunitandprintingthepasswordonalabelthatisaffixedtothedevice.

§ IoTDeviceConfigurationsShouldBeTestedandHardened

SomeIoTdevicesallowausertocustomizethebehaviorofthedevice.BITAGrecommendsthatmanufacturerstestthesecurityofeachdevicewitharangeofpossibleconfigurations,asopposedtosimplythedefaultconfiguration.Adevice’sinterfaceshouldprevent—oratleastactivelydiscourage—usersfromconfiguringthedeviceinawaythatmakesitlesssecure.

7.2 IoTDevicesShouldFollowSecurity&CryptographyBestPracticesBITAGrecommendsthatIoTdevicemanufacturerssecurecommunicationsusingTransportLayerSecurity(TLS)orLightweightCryptography(LWC)[96,97,98].Somedevicescanperformsymmetrickeyencryptioninnear-realtime.Inaddition,LightweightCryptography(LWC)providesadditionaloptionsforsecuringtraffictoandfromresource-

20

constraineddevices.Ifdevicesrelyonapublickeyinfrastructure(PKI),thenanauthorizedentitymustbeabletorevokecertificateswhentheybecomecompromised,aswebbrowsersandPCoperatingsystemsdo[99,100,101,102,103,104,105].Cloudservicescanstrengthentheintegrityofcertificatesissuedbycertificateauthoritiesthrough,forexample,participatinginCertificateTransparency[106].Finally,manufacturersshouldtakecaretoavoidencryptionmethods,protocols,andkeysizeswithknownweaknesses.Vendorswhorelyoncloud-hostedsupportforIoTdevicesshouldconfiguretheirserverstofollowbestpractices,suchasconfiguringtheTLSimplementationtoonlyacceptthelatestTLSprotocolversions.

§ EncryptConfiguration(Command&Control)CommunicationsByDefault

AsexplainedinSection5.1,usingunauthenticatedorcleartextcommunicationformanagingadeviceposesasignificantsecurityrisk.BITAGrecommendsthatallcommunicationfordevicemanagementtakeplaceoveranauthenticatedandsecuredchannel.

§ SecureCommunicationsToandFromIoTControllers

IfIoTdevicesuseacentralizedcontrollertofacilitateover-the-Internetcommunicationwithacloudservice,thenBITAGrecommendsthiscommunicationschannelbesecuredinbothdirections.

§ EncryptLocalStorageofSensitiveData

BITAGrecommendsthatanysensitiveorconfidentialdata(e.g.,privatekey,pre-sharedkey,userorfacilityinformation)resideinencryptedstorage.

§ AuthenticateCommunications,SoftwareChanges,andRequestsforData

BITAGrecommendsthatIoTdevicesauthenticatetheendpointstheycommunicatewith.Authenticatingcommunicationentailsverifyingtheendpoint’sidentity,whichinturnalsoinvolvesverifyingthatthecertificatetheendpointisusingissignedbyacertificateauthoritythatthedevicetrustsandthathasnotbeenrevoked.

§ UseUniqueCredentialsforEachDevice

BITAGrecommendsthateachdevicehaveuniquecredentials.Ifadeviceusespublic-keycryptography(e.g.,tosignmessages,exchangeasessionkey,orauthenticateitself)eachdeviceshouldhaveaunique,verifiablecertificate.Ifadeviceisusingsymmetrickeycryptography,pairsofendpointsshouldneversharethesymmetrickeywithotherparties.

§ UseCredentialsThatCanBeUpdated

BITAGrecommendsthatdevicemanufacturerssupportasecuremechanismbywhichthecredentialsusedbyadevicecanbeupdated.However,

21

implementingthisrecommendationsecurelyrequiresparticularcare,sinceanincorrectimplementationmayitselfintroduceanewattackvector.

§ CloseUnnecessaryPortsandDisableUnnecessaryServices

BITAGrecommendsthatdevicemanufacturerscloseunnecessaryports,suchastelnet,asunnecessaryportsmaybeunsecuredorcanotherwisebecomecompromised[107].Devicesshouldcloseordisableadministrativeinterfacesandfunctionsthatarenotbeingused.Devicesshouldalsonotshipwithdriversthatthedeviceisnotusing.

§ UseLibrariesThatAreActivelyMaintainedandSupported

Manyoftherecommendationsinthisreportrequireimplementingsecurecommunicationschannels.Yet,home-grownimplementationsofcryptographicprotocolsandsecurecommunicationschannelscanthemselvesintroducevulnerabilities.BITAGrecommendsthat,whenimplementingtherecommendationsinthisreport,devicemanufacturersuselibrariesandframeworksthatareactivelysupportedandmaintainedwheneverpossible.

7.3 IoTDevicesShouldBeRestrictiveRatherThanPermissiveinCommunicatingBITAGrecommendsthatIoTdevicescommunicateonlywithtrustedendpoints.Whenpossible,devicesshouldnotbereachableviainboundconnectionsbydefault.IoTdevicesshouldnotrelyonthenetworkfirewallalonetorestrictcommunication,assomecommunicationbetweendeviceswithinthehomemaynotnecessarilytraversethefirewall.

NotethataBITAGrecommendationtorestricttheconfigurationofIoTdevicecommunicationsshouldnotcomeatthecostofanopenecosystem.AusershouldbeabletoconfigurecommunicationsbetweenarbitraryIoTdevices,anddevicesthattrustoneanothershouldbeallowedtocommunicate.Securecommunicationscanbootstraprestrictedtrustliststhatreflectthesetofdeviceswithwhichanygivendeviceexpectstocommunicate.Theseinter-devicecommunicationsshouldonlybepermittedthroughtrustedmechanismsandsecurecommunicationchannels.

7.4 IoTDevicesShouldContinuetoFunctionifInternetConnectivityisDisruptedBITAGrecommendsthatanIoTdeviceshouldbeabletoperformitsprimaryfunctionorfunctions(forexample,alightswitchorathermostatshouldcontinuetofunctionwithmanualcontrols),evenifitisnotconnectedtotheInternet.ThisisbecauseInternetconnectivitymaybedisruptedduetocausesrangingfromaccidentalmisconfigurationorintentionalattack(e.g.,adenialofserviceattack);devicefunctionshouldberobustinthefaceofthesetypesofconnectivitydisruptions.

IoTdevicesthathaveimplicationsforusersafetyshouldcontinuetofunctionunderdisconnectedoperationtoprotectthesafetyofconsumers.Inthesecases,thedeviceorbackendsystemshouldnotifytheuseraboutthefailure.

22

Whenpossible,devicemanufacturersshouldmakeiteasyforuserstodisableorblock(e.g.,withafirewall)variousnetworktrafficwithouthamperingthedevice’sprimaryfunction.

7.5 IoTDevicesShouldContinuetoFunctionIftheCloudBack-EndFailsManyservicesthatdependonoruseacloudback-endcancontinuetofunction,evenifinadegradedorpartially-functionalstate,whenconnectivitytothecloudback-endisinterruptedortheserviceitselffails.Forexample,athermostatwhosesettingcanbealteredviaacloudserviceshouldintheworstcasecontinuetooperateusingeitherlast-knownordefaultsettings.Acloud-hostedhomesecuritycamerashouldbeaccessiblefromwithinthehome,evenwhenInternetconnectivityfails.

7.6 IoTDevicesShouldSupportAddressingandNamingBestPracticesManyIoTdevicesmayremaindeployedformanyyearsaftertheyareinstalled.Asaresult,IoTdevicesshouldsupportrelativelyrecent,thoughcurrent,bestpracticesforIPaddressingandtheuseoftheDomanNameSystem(DNS).Supportingthelatestprotocolsforaddressingandnamingwillensurethatthesedevicesremainfunctionalforyearstocome,thattheyperformwell,andthattheycansupportimportantDNS-basedsecurityfunctionality.

§ IPv6

BITAGrecommendsthatIoTdevicessupportthemostrecentversionoftheInternetProtocol,IPv6.

§ DNSSEC

BITAGrecommendsthatIoTdevicessupporttheuseorvalidationofDNSSecurityExtensions(DNSSEC)whendomainnamesareused.Forexample,ifanIoTdevicecommunicateswithacloudserviceusingtheexample.comdomain,thenthecloudprovidershouldbeabletosignthedomain,andtheIoTdeviceshouldbeabletovalidatethatsignature(orensurethatitsupstreamDNSresolverhasdonesoandindicatedthisinaDNSresponse).

7.7 IoTDevicesShouldShipwithaPrivacyPolicyThatisEasytoFind&UnderstandBITAGrecommendsthatIoTdevicesshipwithaprivacypolicy,butthatpolicymustbeeasyforatypicalusertofindandunderstand.

7.8 DiscloseRightstoRemotelyDecreaseIoTDeviceFunctionalityBITAGrecommendsthatifthefunctionalityofanIoTdevicecanberemotelydecreasedbyathirdparty,suchasbythemanufacturerorIoTserviceprovider,thispossibilityshouldbemadecleartotheuseratthetimeofpurchase.

23

7.9 TheIoTDeviceIndustryShouldConsideranIndustryCybersecurityProgramBITAGrecommendsthattheIoTdeviceindustryorarelatedconsumerelectronicsgroupconsiderthecreationofanindustry-backedprogramunderwhichsomekindof“SecureIoTDevice”logoornotationcouldbecarriedonIoTretailpackaging.SuchaprogrammaybeanalogoustothewaythattheWi-FiAllianceorothergroupsvalidatedevicesarecompliantwithvariousstandardsand/orbestpractices.

Anindustry-backedsetofbestpracticesseemstobethemostpragmaticmeansofbalancingtheinnovationinIoTagainstthesecuritychallengesassociatedwiththefluidnatureofcybersecurity,andavoidingthechecklistmentalitythatcanoccurwithcertificationprocesses.

7.10 TheIoTSupplyChainShouldPlayTheirPartInAddressingIoTSecurityandPrivacyIssues

Intoday’sfactorytoretailsupplychain,itisoftendifficulttodefinetherolesthateachpartyplaysovertime.Assuch,theyaredefinedheresimplyasthe“IoTsupplychain”.EndusersofIoTdevicesandothersdependupontheIoTsupplychaintoprotecttheirsecurityandprivacy,andsomeorallpartsofthatIoTsupplychainplayacriticalrolethroughouttheentirelifecycleoftheproduct.Inadditiontootherrecommendationsinthissection,BITAGrecommendsthattheIoTsupplychaintakesthefollowingsteps:

• Devicesshouldhaveaprivacypolicythatisclearandunderstandable,particularlywhereadeviceissoldinconjunctionwithanongoingservice.

• DevicesshouldhavearesetmechanismforIoTdevicesthatclearsallconfigurationforusewhenaconsumerreturnsorresellsthedevice.Thedevicemanufacturersshouldalsoprovideamechanismtodeleteorresetanydatathattherespectivedevicestoresinthecloud.

• Manufacturersshouldprovideabugreportingsystemwithawell-definedbugsubmissionmechanismsanddocumentedresponsepolicy.

• Manufacturersshouldprotectthesecuresoftwaresupplychaintopreventintroductionofmalwareduringthemanufacturingprocess;vendorsandmanufacturersshouldtakeappropriatemeasurestosecuretheirsoftwaresupplychain.

• ManufacturersshouldsupportforanIoTdevicethroughoutthecourseofitslifespan,fromdesigntothetimewhenadeviceisretired,includingtransparencyaboutthetimespanoverwhichtheyplantoprovidecontinuedsupportforadevice,andwhattheconsumershouldexpectfromthedevice’sfunctionattheendofthedevice’slifespan.

• Manufacturersshouldprovideclearmethodsforconsumerstodeterminewhotheycancontactforsupportandmethodstocontactconsumerstodisseminateinformationaboutsoftwarevulnerabilitiesorotherissues.

24

• Manufacturersshouldreportdiscoveryandremediationofsoftwarevulnerabilitiesthatposesecurityorprivacythreatstoconsumers.

• Manufacturersshouldprovideavulnerabilityreportingprocesswithawell-defined,easy-to-locate,andsecurevulnerabilityreportingform,aswellasadocumentedresponsepolicy.ManufacturersshouldconsidercompliancewithISO30111[108],astandardforvulnerabilityreporthandling.

8 OtherGroupsFocusedonThisIssueWhiletheBITAGhasauniquetakeonthisissueitisworthnotingthatseveralothergroupsarealsofocusedonvariousaspectsofthisaswell.Thosegroupsinclude:

• InternetProtocolforSmartObjectsAlliance(IPSO)[109]• InstituteofElectricalandElectronicsEngineers(IEEE)[110]• NationalInstitutesofStandardsandTechnology(NIST)[111]• InternetEngineeringTaskForce[112]

o LWIG(Light-WeightImplementationGuidance)[113]o 6Lo(IPv6overNetworksofResource-constrainedNodes)[114]o 6TiSCH(IPv6overtheTSCHmodeofIEEE802.15.4e)[115]o ROLL(RoutingOverLowpowerandLossynetworks)[116]o CoRE(ConstrainedRESTfulEnvironments)[117]o DICE(DTLSinConstrainedEnvironments)[118]o ACE(AuthenticationandAuthorizationforConstrainedEnvironments)[119]o COSE(CBORObjectSigningandEncryption)[120]o 6lowpanIPv6overLowpowerWPAN(closed)[121]

• GSMA:ConnectedLiving[122]• IRTF:InternetResearchTaskForce[123]

o T2TRG:Thing-to-ThingResearchGroup[124]• W3C:WorldwideWebConsortium[125]

o WoT:WebofThingsInterestGroup[126]• U.S.FederalTradeCommission(FTC)[127,128,129]• U.S.DepartmentofCommerce,NationalTelecommunications&Information

Administration(NTIA)[130,131]• InternetGovernanceForum(IGF)[132]• OnlineTrustAlliance[133]• InternationalOrganizationforStandardizationJointTechnicalCommittee1

(ISO/IECJTC1)[134]:CreatedtwoSpecialWorkingGroupsonManagementandtheInternetofThings;oneisadministeredbyANSI.

o InternationalElectrotechnicalCommission[135]:WhiletheIECisn’tlimitedonlytoIoTdevices(andworksonallelectrical/electronictechnologies),ithasdoneseveralresearchpapersonIoTthatmayhavestandardsinthem.

• InterNationalCommitteeforInformationTechnologyStandards(INCITS)[136]:AccreditedbyANSI,to“serveasthecentralU.S.technicaladvisorygroupforaglobaleffort.”

25

• TRUSTeMulti-stakeholderIoTPrivacyTechWorkingGroup[137]:AimingtodrawuptechnicalstandardstohelpcompaniesdevelopsolutionsneededtoprotectconsumerprivacyinIoT.

• InstituteofElectricalandElectronicEngineers(IEEE)P2413[138]:AnIEEEprojectregardingastandardforanarchitecturalframeworkfortheIoT.

• WirelessIoTForum[139]:“Notastandardsorganizationbutaimstodeliverrequirements…tostandardsbodieswheretherearealackofstandards(e.g.long-rangewirelessconnectivity),anddriveconsensuswheretherearecompetingstandards(e.g.homedevicediscovery).”

o Applicationsgroup:workinggroupthatreviewsstandardAPIso Connectivitygroup:workinggroupassessingradioaccess.o Regulatorygroup:workinggroupharmonizinggloballicense-exempt

regulationsandavailabilityoflicensedspectrum.• OpenConnectivityFoundation(previouslycalledtheOpenInterconnect

Consortium)[140]:OrganizationcreatedbyIntel,Cisco,andSamsungtocreateanopeninteroperablespecificationforIoT.AlsoacquiredUPnPForum.

• ObjectManagementGroup(OMG)[141]:Aninternationalnot-for-profittechnologystandardsconsortium,doingmajorworkonindustrialIoT.

o IndustrialInternetConsortium[142]:“…istheopenmembership,internationalnot-for-profitconsortium…settingthearchitecturalframeworkanddirectionfortheIndustrialInternet.”WorkingonacceleratingadoptionofwirelessWANtechnologiesdedicatedtotheIoTmarket.FoundedbyCISCO,includesAccenture,Arkessa,BTTelensaandWSN.

• oneM2M[143]:DevelopingtechnicalspecificationswhichaddresstheneedforacommonM2MServiceLayerthatcanbeembeddedwithinvarioushardwareandsoftware

• InternationalSocietyforAutomation(ISA)[144]:“Nonprofitprofessionalassociationthatsetsstandardforthosewhoapplyengineeringandtechnologytoimprovemanagement,safety,andcybersecurityofmodernautomationandcontrolsystems.”HasdonesomeresearchonIoT,thoughnoindicationsofaworkinggroup.

• OASIS[145]:“Nonprofitconsortiumthatdrivesthedevelopment,convergenceandadoptionofopenstandardsfortheglobalinformationsociety.”

o OASISAdvancedMessageQueuingProtocol(AMQP)TC:Definingaubiquitous,secure,reliableandopeninternetprotocolforhandlingbusinessmessaging.

o OASISMessageQueuingTelemetryTransport(MQTT)TC:Providingalightweightpublish/subscribereliablemessagingtransportprotocolsuitableforcommunicationinM2M/IoTcontextswhereasmallcodefootprintisrequiredand/ornetworkbandwidthisatapremium.

o OASISOpenBuildingInformationExchange(oBIX)TC:Enablingmechanicalandelectricalcontrolsystemsinbuildingstocommunicatewithenterpriseapplications.

• Hypercat[146]:AconsortiumandstandarddrivingsecureandinteroperableIoTforIndustryandcities.

• AllSeenAlliance[147]:CreatedAllJoyn,whichisa“collaborative,openecosystem”.

26

• ThreadGroup[148]:CreatedtheThreadprotocol,whichisaroyalty-freenetworkingprotocolfortheInternetofThings.Offersproductcertification.

9 References[1]JamesManikaetal.,TheInternetofThings:MappingtheValueBeyondtheHype,McKinseyGlobalInstitute,June2015,http://www.mckinsey.com/business-functions/business-technology/our-insights/the-internet-of-things-the-value-of-digitizing-the-physical-world.2[2]BrianKrebs,“IoTReality:Smartdevices,Dumbdefaults,”KrebsonSecurity,Blog,Feb.8,2016,http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/.[3]KalevLeetaru,“HowtheInternetofThingswillTurnyourLivingRoomIntoTheFutureCyberBattleground,”Nov.6,2015,Forbes.com,http://www.forbes.com/sites/kalevleetaru/2015/11/06/how-the-internet-of-things-will-turn-your-living-room-into-the-future-cyber-battleground/(lastvisitedNov.18,2016).[4]IEEEStandardsAssociation,IEEE802.15:WirelessPersonalAreaNetworks(PANs),https://standards.ieee.org/about/get/802/802.15.html(lastvisitedNov.18,2016).[5]X10,https://www.x10.com/(lastvisitedNov.18,2016).[6]HewlettPackard,InternetofThingsResearchStudy:2015Report,HPEnterprise,2015,availableathttps://www.hpe.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf.[7]JohnPescatore,SecuringtheInternetofThingsSurvey,SansInstituteAnalystSurvey,Jan.2014,availableathttps://www.sans.org/reading-room/whitepapers/analyst/securing-internet-things-survey-34785.[8]CharlieOsborne,“InternetofThingsdeviceslackfundamentalsecurity,studyfinds,”April8,2015,ZDNet,http://www.zdnet.com/article/internet-of-things-devices-lack-fundamental-security-study-finds/(lastvisitedNov.18,2016).[9]Ka-PingYee,"Aligningsecurityandusability."IEEESecurity&Privacy2.5(2004):48-55,availableathttp://zesty.ca/pubs/yee-sid-ieeesp2004.pdf.[10]Veracode,TheInternetofThings:SecurityResearchStudy,Whitepaper,2014,availableathttps://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf[11]RebeccaE.Grinter,etal.,"Theworktomakeahomenetworkwork."ECSCW2005.SpringerNetherlands,2005,availableathttp://www.cc.gatech.edu/~beki/c27.pdf.

[12]YinMinPaPa,etal.“IoTPOT:AnalysingtheRiseofIoTCompromises.”(2015),availableathttps://www.usenix.org/system/files/conference/woot15/woot15-paper-pa.pdf[13]Symantec,“IoTdevicesbeingincreasinglyusedforDDoSattacks,”SymantecSecurityResponse,September22,2016,availableat:http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks.[14]SteveRogerson,“IoTblamedfordenialofserviceattacks,”IoTMTMCouncil,April29,2015,availableathttp://www.iotm2mcouncil.org/serviceattacks.[15]EnerginJanina,“Distributeddenial-of-service(DDoS)attackknockedthefile-sharingsitePirateBayoffline,”May17,2012,ceoworld.biz,http://ceoworld.biz/ceo/2012/05/17/distributed-denial-of-service-ddos-attack-knocked-the-file-sharing-site-pirate-bay-offline.

[16]AngelaMoscaritolo,“FBIarrestssixinclick-fraudcyberscamthatnetted$14M,”SCMagazine,Nov.9,2011,http://www.scmagazine.com/fbi-arrests-six-in-click-fraud-cyber-scam-that-netted-14m/article/216399/

[17]SarthakGroverandNickFeamster,TheInternetofUnpatchedThings,PrivacyCon2016,https://www.ftc.gov/system/files/documents/public_comments/2015/10/00071-98118.pdf.[18]BruceSchneier,“TheInternetofThingsIsWildlyInsecure–AndOftenUnpatchable,”Wired,Jan.6,2014,https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html.[19]BruceSchneier,“SurveillanceandtheInternetofThings,”Blog,May21,2013,https://www.schneier.com/blog/archives/2013/05/the_eyes_and_ea.html.[20]MattLoeb,“InternetofThingsSecurityIssuesRequireaRethinkonRiskManagement,”WallStreetJournal,Oct.14,2015,http://blogs.wsj.com/cio/2015/10/14/internet-of-things-security-issues-require-a-rethink-on-risk-management/.[21]ArikHesseldahl,“AHacker’s-EyeViewoftheInternetofThings,”Recode.net,Apr.7,2015,http://recode.net/2015/04/07/a-hackers-eye-view-of-the-internet-of-things/.[22]ArikHesseldahl,“TheInternetofThingsIstheHackers’NewPlayground,”Recode.net,July29,2014,http://recode.net/2014/07/29/the-internet-of-things-is-the-hackers-new-playground/.[23]JulieKnudson,“SecurityChallengesoftheInternetofThings:TheIoT’slackofstandardizedprotocolsandnewtrafficflowscomplicateadministrators’securityefforts,”EnterpriseNetworkingPlanet,May13,2015,http://www.enterprisenetworkingplanet.com/netsecur/security-challenges-of-the-internet-of-things.html.[24]Reddit,DiscussionListonPrivacy,“IboughtandreturnedasetofWiFiconnectedhomesecuritycameras,forgottodeletemyaccountandcannowwatchthenewowner,”https://www.reddit.com/r/privacy/comments/4ortwb/i_bought_and_returned_a_set_of_wifi_connected/(lastvisitedNov.18,2016).

27

[25]ChristinaCardoza,“PrincetontirestofindoutifyourIoTdevicesaresafe,”SDTimes,Jan.22,2016,availableathttp://sdtimes.com/princeton-tries-to-find-out-are-your-iot-devices-safe/.[26]ChristianDanckeTuen,“SecurityinInternetofThingsSystems,”MastersThesis,NorwegianUniversityofScienceandTechnology,DepartmentofTelematics,June2015,availableathttps://brage.bibsys.no/xmlui/bitstream/handle/11250/2352738/12892_FULLTEXT.pdf?sequence=1&isAllowed=y.[27]HewlettPackard,InternetofThingsSecurityStudy:Smartwatches,IoTResearchSeries2014,http://go.saas.hpe.com/l/28912/2015-07-20/325lbm/28912/69038/IoT_Research_Series_Smartwatches.pdf.[28]KimZetter,“HospitalNetworksareLeakingData,LeavingCriticalDevicesVulnerable,”June25,2014,https://www.wired.com/2014/06/hospital-networks-leaking-data/.[29]MarioBallanoBarcena&CandidWueest,InsecurityintheInternetofThings,Mar.12,2015,Symantec,https://www.symantec.com/content/en/us/enterprise/fact_sheets/b-insecurity-in-the-internet-of-things-ds.pdf.[30]KatieNatopoulos,“Somebody’swatching:howasimpleexploitletsstrangerstapintoprivatesecuritycameras,”Feb.3,2012,TheVerge,http://www.theverge.com/2012/2/3/2767453/trendnet-ip-camera-exploit-4chan.[31]BrianKrebs,“ThisisWhyPeopleFeartheInternetofThings,”Feb.8,2016,KrebsonSecurity,https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/[32]BradyDale,“EightInternetofThingsSecurityFails:Changethepasswordsonyourrouterswhenyousetthemupforgoodnesssake,”Observer,July16,2015,http://observer.com/2015/07/eight-internet-of-things-security-fails/.[33]MichaelWinter,“Calif.youthadmitsMissTeenUSA‘sextortion’plot,”USAToday,Nov.12,2013,http://www.usatoday.com/story/news/nation/2013/11/12/miss-teen-usa-sextortion-guilty-plea/3510461/.[34]KevinTownsend,“MalwareFoundinIoTCamerasSoldbyAmazon,”SecurityWeek,April11,2016,http://www.securityweek.com/malware-found-iot-cameras-sold-amazon.[35]JohannesUllrich,“CoinMiningDVRs:Acompromisefromstarttofinish,”InternetStormCenter,SANSISCInfoSecForums,https://isc.sans.edu/forums/diary/Coin+Mining+DVRs+A+compromise+from+start+to+finish/18071/.[36]KimZetter,“AnUnprecedentedLookatSTUXNET,theWorld’sFirstDigitalWeapon,”WIRED,Nov.3,2014,https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.[37]SwatiKhandelwal,“IoTBotnet–25,000CCTVCamerasHackedtolaunchDDoSAttack,”TheHackerNews,June28,2016,http://thehackernews.com/2016/06/cctv-camera-hacking.html.[38]Dahua,CyberSecurityStatement,PressRelease,Oct.1,2016,availableathttp://www.dahuasecurity.com/en/us/single.php?nid=274.[39]Dahua,DahuaSupportWikiMainPage,http://www.dahuawiki.com/Main_Page(lastvisitedNov.18,2016).[40]Dahua,HowtoCreateaMoreSecureSecuritySystem,http://www.dahuasecurity.com/en/us/best-practices.php(lastvisitedNov.18,2016).[41]BroadbandInternetTechnicalAdvisoryGroup(BITAG),SNMPReflectedAmplificationDDoSAttackMitigation,August2012,http://bitag.org/documents/SNMP-Reflected-Amplification-DDoS-Attack-Mitigation.pdf.[42]T.Dierks&E.Rescorla,“TheTransportLayerSecurity(TLS)Protocol1.2”,RFC5246,Aug.2008,https://tools.ietf.org/html/rfc5246.

[43]E.Rescorla&N.Modadugu,“DatagramTransportLayerSecurityVersion1.2”,RFC6347,Jan.2012,https://tools.ietf.org/html/rfc6347.[44]AaronArdiri,“Isitpossibletosecuremicro-controllersusedwithinIoT?”,EVOThings,Blogs/Tutorials,August27,2014,https://evothings.com/is-it-possible-to-secure-micro-controllers-used-within-iot/;[45]ReinhardSeiler,Blog,TruecryptbenchmarkforRaspberryPi,July20,2012,http://blog.rseiler.at/2012/07/truecrypt-benchmark-for-raspberry-pi.html.[46]DarleneStorm,“MEDJACK:Hackershijackingmedicaldevicestocreatebackdoorsinhospitalnetworks,”Computerworld,June8,2015,http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html.[47]KimZetter,“HowThievesCanHackandDisableYourHomeAlarmSystem,”WIRED,July23,2014,https://www.wired.com/2014/07/hacking-home-alarms/.[48]MarekMajkowski,“SayCheese:asnapshotofthemassiveDDoSattackscomingfromIoTcameras,”Oct.11,2018,CloudflareBlog,https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/(lastvisitedNov.18,2016).[49]Nest,“NestLearningThermostatsoftwareupdatehistory,”NestSupport,https://nest.com/support/article/Nest-Learning-Thermostat-software-update-history(lastvisitedNov.18,2016).[50]Nest,“HowdoIupdatethesoftwareonmyNestLearningThermostat,”NestSupport,https://nest.com/support/article/How-do-I-update-the-software-on-my-Nest-Learning-Thermostat(lastvisitedNov.18,2016).[51]NickBilton,“NestThermostatLeavesUsersintheCold,”Jan.13,2016,NYTimes,availableathttp://www.nytimes.com/2016/01/14/fashion/nest-thermostat-glitch-battery-dies-software-freeze.html.[52]CatalinCimpanu,“SecurityResearcherwithImplantedPacemakerSoundstheAlarmonIoTMedicalDevices,”Softpedia,Jan.5,2016,http://news.softpedia.com/news/security-researcher-with-implanted-pacemaker-sounds-the-alarm-on-iot-medical-devices-498448.shtml.[53]RussHousley,WordsfromtheIABChair:IABStatementonInternetConfidentiality,IETFJournalMarch2015,https://www.internetsociety.org/publications/ietf-journal-march-2015/words-iab-chair-12.

28

[54]JaneWakefield,“SmartLEDlightbulbsleakwi-fipasswords,”BBCNews,July8,2014,http://www.bbc.com/news/technology-28208905.[55]SECConsult,“HouseofKeys:Industry-WideHTTPSCertificateandSSHKeyReuseEndangersMillionsofDevicesWorldwide,”Blog,Nov.25,2015,http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html(lastvisitedNov.18,2016).[56]ErikC.Davis,“ClusteringandOutlierDetection:MethodsandApplicationsinSmartHomeNetworks”,UndergraduateDissertation,OperationsResearchandFinancialEngineering.PrincetonUniversity.June2016.[57]YinZhang&VernPaxson,“DetectingSteppingStones”,USENIXSecuritySymposium,August2000,https://www.cs.utexas.edu/~yzhang/papers/stepping-sec00.pdf.[58]RobertVamosi,“CovertHackingofIoTTrivialSayResearchers,”Mocana,Feb.28,2014,https://www.mocana.com/blog/2014/02/28/covert-hacking-iot-trivial-say-researchers.[59]LorenzoFranceschi-Bicchierai,“Internet-ConnectedFisherPriceTeddyBearLeftKids’IdentitiesExposed,”Motherboard,Feb.2,2016,http://motherboard.vice.com/read/internet-connected-fisher-price-teddy-bear-left-kids-identities-exposed.[60]LorenzoFranceschi-Bicchierai,“Bugsin‘HelloBarbie’CouldHaveLetHackersSpyonChildren’sChats,”Motherboard,Dec.4,2015,http://motherboard.vice.com/read/bugs-in-hello-barbie-could-have-let-hackers-spy-on-kids-chats.[61]LorenzoFranceschi-Bicchierai,“HackedToymakerVTechAdmitsBreachActuallyHit6.3MillionChildren,”Motherboard,Dec.1,2015,http://motherboard.vice.com/read/hacked-toymaker-vtech-admits-breach-actually-hit-63-million-children.[62]BBC,“MitsubishiOutlanderhybridcaralarm‘hacked’,”BBCNews:Technology,June6,2016,http://www.bbc.com/news/technology-36444586.[63]DarleneStorm,“NissanLeafsecretlyleaksdriverlocation,speedtowebsites,”ComputerWorld,June14,2011,http://www.computerworld.com/article/2470123/endpoint-security/nissan-leaf-secretly-leaks-driver-location--speed-to-websites.html.[64]LeoKelion,“NissanLeafelectriccarsvulnerabilitydisclosed,”BBCNews:Technology,Feb.24,2016,http://www.bbc.com/news/technology-35642749.[65]ColinNeagle,“Smartrefrigeratorhackexposescredentials,”NetworkWorld,Aug.26,2015,http://www.networkworld.com/article/2976270/internet-of-things/smart-refrigerator-hack-exposes-gmail-login-credentials.html.[66]Newswise,“GeorgiaTechWarnsofThreatstoCloudDataStorage,MobileDevicesinLatest‘EmergingCyberThreats’Report,”PressRelease,Nov.6,2013,http://www.newswise.com/articles/georgia-tech-warns-of-threats-to-cloud-data-storage-mobile-devices-in-latest-emerging-cyber-threats-report[67]InstituteforInformationSecurity&Privacy,GeorgiaInstituteofTechnology,EmergingCyberThreatsReport2016,2016,availableathttp://www.iisp.gatech.edu/sites/default/files/documents/2016_georgiatech_cyberthreatsreport_onlinescroll.pdf.[68]Phys.Org,“YoursmartwatchisgivingawayyourATMPIN,”July6,2016,http://phys.org/news/2016-07-smartwatch-atm-pin.html(lastvisitedOct.7,2016).[69]RobertJ.Ellisonetal.,“EvaluatingandMitigatingSoftwareSupplyChainSecurityRisks,”SoftwareEngineeringInstitute,TechnicalNote,May2010,availableathttp://www.sei.cmu.edu/reports/10tn016.pdf.[70]InternetStormCenter,SurvivalTime:Summary,https://isc.sans.edu//survivaltime.html(lastvisitedNov.18,2016).[71]BrianKrebs,“KrebsOnSecurityHitwithRecordDDoS,”KrebsOnSecurity,Sept.21,2016,https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/(lastvisitedOct.3,2016).[72]Flashpoint,“AttackofThings!”,BlogPost,Sept.17,2016,https://www.flashpoint-intel.com/attack-of-things/(lastvisitedNov.18,2016).[73]DrewFitzgerald,“HackersInfectArmyofCameras,DVRsforMassiveInternetAttacks,”WallStreetJournal,Sept.30,2016,http://www.wsj.com/articles/hackers-infect-army-of-cameras-dvrs-for-massive-internet-attacks-1475179428(lastvisitedOct.3,2016).[74]FederalTradeCommission,“ASUSSettlesFTCChargesThatInsecureHomeRoutersand“Cloud”ServicesPutConsumers’PrivacyAtRisk,”PressRelease,Feb.23,2016,availableathttps://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put.[75]NetworkWorld,“KrebsOnSecuritymovestoProjectShieldforprotectionagainstDDoSattackcensorship,”Ms.SmithBlog,Sept.25,2016,http://www.networkworld.com/article/3123806/security/krebsonsecurity-moves-to-project-shield-for-protection-against-ddos-attack-censorship.html(lastvisitedOct.3,2016).[76]BrianKrebs,“TheDemocratizationofCensorship,”KrebsOnSecurity,Sept.16,2016,https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/(lastvisitedOct.3,2016).[77]TimGreene,“LargestDDoSattackeverdeliveredbybotnetofhijackedIoTdevices,”NetworkWorld,Sept.23,2016,http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html(lastvisitedOct.3,2016).[78]DanGoodin,“Record-breakingDDoSreportedlydeliveredby>145khackedcameras,”ArsTechnica,Sept.28,2016,http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/(lastvisitedOct.3,2016).[79]DavidPlonka&ElisaBoschi,TheInternetofOldandUnmanaged,2016,availableathttps://down.dsg.cs.tcd.ie/iotsu/subs/IoTSU_2016_paper_25.pdf.[80]DavidPlonka,MeasurementandAnalysisfortheInternetofThings,July18,2016,availableathttps://www.ietf.org/proceedings/96/slides/slides-96-maprg-8.pdf.

29

[81]LucianConstantin,“AttackershijackCCTVcamerastolaunchDDoSattacks,Computerworld,”Oct.22,2015,http://www.computerworld.com/article/2996079/internet-of-things/attackers-hijack-cctv-cameras-to-launch-ddos-attacks.html.[82]KashmirHill,“Thisguy’slightbulbperformedaDoSattackonhisentiresmarthouse,”Fusion.net,March3,2015,http://fusion.net/story/55026/this-guys-light-bulb-ddosed-his-entire-smart-house/.[83]TomSpring,“Insecurity:PinpointingtheProblems,”ThreatPost,July21,2016,https://threatpost.com/iot-insecurity-pinpointing-the-problems/119389/.[84]DirectTV,UserGuide:GenieandEarlierHDDVRReceivers,pg.107,http://www.directv.com/learn/pdf/System_Manuals/DIRECTV/DIRECTV_HDDVR_HR20-44.pdf.[85]Roku,“HowcanIupdatemysoftwareonmyRokuplayer?,”https://support.roku.com/hc/en-us/articles/208755668-How-can-I-update-the-software-on-my-Roku-player-(lastvisitedNov.18,2016).[86]AruneshMathur,etal.“TheyKeepComingBackLikeZombies’:ImprovingSoftwareUpdatingInterfaces,”USENIXSymposiumonUsableSecurityandPrivacy,2016,availableathttps://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mathur.pdf.[87]DavidPlonka,FlawedRoutersFloodUniversityofWisconsinInternetTimeServer,July19,2006,http://pages.cs.wisc.edu/~plonka/netgear-sntp/.[88]Comcast,“SomeNetGearRoutersCausingFloodofDNSQueries,”ComcastDNSNews,May20,2013,http://dns.xfinity.com/index.php/entry/some-netgear-routers-causing-flood-of-dns-queries.[89]NetGearCommunityDiscussionList,“ThousandsofDNSRequestsPerSecond!?”,March2,2012,https://community.netgear.com/t5/General-WiFi-Routers/Thousands-of-DNS-Requests-Per-Second/td-p/414710.[90]BenoitPanizzon,DDOSAttackbyNetgearProductscausedbyCNAMEinsteadofArecord?,[SWINOG]DiscussionList,June27,2013,http://lists.swinog.ch/public/swinog/2013-June/005863.html.[91]NationalSecurityAgency,DefenseinDepth,Whitepaper,2010,availableathttps://citadel-information.com/wp-content/uploads/2010/12/nsa-defense-in-depth.pdf.[92]VijaySivaramanetal.“Network-LevelSecurityandPrivacyControlforSmart-HomeIoTDevices”,IEEEWirelessandMobileComputing,Networking,andCommunications.2015,https://www.researchgate.net/publication/281275810_Network-Level_Security_and_Privacy_Control_for_Smart-Home_IoT_Devices.[93]KonstantinosGrivas&SteliosZerefos,AugmentedHomeInventories,EuropeanConferenceonAmbientIntelligence,2015.[94]WilliamEnck,etal.“TaintDroid:AnInformation-FlowTrackingSystemforRealtimePrivacyMonitoringonSmartphones,”InProc.oftheUSENIXSymposiumonOperatingSystemsDesignandImplementation(OSDI),October2010,availableathttp://appanalysis.org/tdroid10.pdf.[95]Disconnect,DisconnectPrivacyTool,https://disconnect.me/(lastvisitedNov.18,2016).[96]MasanobuKatagiandShihoMoriai,LightweightCryptographyfortheInternetofThings,2011,https://www.iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf.[97]GitHub,“SSLandTLSDeploymentBestPractices,”SSLLabsWiki,https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices(lastvisitedOct.3,2016).[98]Mozilla,“Security/ServerSideTLS,”MozillaWiki,https://wiki.mozilla.org/Security/Server_Side_TLS(lastvisitedNov.18,2016).[99]DanAuerbach,“2011InReview:Ever-ClearerVulnerabilitiesinCertificateAuthoritySystem,”ElectronicFrontierFoundation,Dec.27,2011,https://www.eff.org/deeplinks/2011/12/2011-review-ever-clearer-vulnerabilities-certificate-authority-system.[100]Wikipedia,RevocationList,https://en.wikipedia.org/wiki/Revocation_list(lastvisitedNov.18,2016).

[101]DennisFisher,“FinalReportonDiginatorHackShowsTotalCompromiseofCAServers,”ThreatPost,Oct.31,2012,https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/.[102]EricMill,“CertificateAuthoritiesareActuallyaTremendousProblem,”BlogPost,June21,2013,https://konklone.com/post/certificate-authorities-are-actually-a-tremendous-problem(lastvisitedNov.18,2016).[103]ChesterWisniewski,“Anothercertificateauthorityissuesdangerouscertificates,NakedSecurity,”Nov.3,2011,https://nakedsecurity.sophos.com/2011/11/03/another-certificate-authority-issues-dangerous-certficates/(lastvisitedNov.18,2016).[104]GlennFleishman,“TheHugeWebSecurityLoopholeThatMostPeopleDon’tKnowAbout,AndHowIt’sBeingFixed,”FastCompany,availableathttp://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be.[105]SteveRoosa,“TheFlawedLegalArchitectureoftheCertificateAuthorityTrustModel,”FreedomtoTinker,Dec.15,2010,https://freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model/(lastvisitedNov.18,2016).[106]Google,CertificateTransparencyProject,WhatisCertificateTransparency?,https://www.certificate-transparency.org/what-is-ct(lastvisitedNov.18,2016).[107]Level3ThreatResearchLabs,“AttackofThings!”,Level3Blog,http://blog.level3.com/security/attack-of-things/(lastvisitedNov.18,2016).[108]InternationalOrganizationforStandardization,ISO/IEC30111:2013:InformationTechnology–Securitytechniques–Vulnerabilityhandlingprocesses,2013,availableathttp://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=53231.[109]IPSOAlliance,http://www.ipso-alliance.org(lastvisitedNov.18,2016).[110]InstituteofElectricalandElectronicsEngineers(IEEE),https://www.ieee.org(lastvisitedNov.18,2016).[111]USDepartmentofCommerce,NationalInstituteofStandardsandTechnology,http://nist.gov(lastvisitedNov.18,2016).

30

[112]InternetEngineeringTaskForce(IETF),http://www.ietf.org(lastvisitedNov.18,2016).[113]InternetEngineeringTaskForce(IETF),Light-WeightImplementationGuideance(lwig)https://datatracker.ietf.org/wg/lwig/(lastvisitedNov.18,2016).[114]InternetEngineeringTaskForce(IETF),IPv6OverNetworksofResource-ConstrainedNodes(6lo),https://datatracker.ietf.org/wg/6lo/(lastvisitedNov.18,2016).[115]InternetEngineeringTaskForce(IETF),IPv6overtheTSCHmodeofIEEE802.15.4e(6tisch),https://datatracker.ietf.org/wg/6tisch/(lastvisitedNov.18,2016).[116]InternetEngineeringTaskForce(IETF),RoutingoverLowpowerandLossynetworks(roll),https://datatracker.ietf.org/wg/roll/(lastvisitedNov.18,2016).[117]InternetEngineeringTaskForce(IETF),ConstrainedRESTfulenvironments(core),https://datatracker.ietf.org/wg/core/(lastvisitedNov.18,2016).[118]InternetEngineeringTaskForce(IETF),DTLSinConstrainedEnvironments(dice),https://datatracker.ietf.org/wg/dice(lastvisitedNov.18,2016).[119]InternetEngineeringTaskForce(IETF),AuthenticationandAuthorizationforConstrainedEnvironments(ace),https://datatracker.ietf.org/wg/ace/(lastvisitedNov.18,2016).[120]InternetEngineeringTaskForce(IETF),CBORObjectSigningandEncryption(cose)https://datatracker.ietf.org/wg/cose/(lastvisitedNov.18,2016).[121]InternetEngineeringTaskForce(IETF),IPv6overLowpowerWPAN(6lowpan),https://datatracker.ietf.org/wg/6lowpan(lastvisitedNov.18,2016).[122]GroupeSpecialeMobileAssociation(GSMA),GSMAIoTSecurityGuidelines,http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/(lastvisitedNov.18,2016).[123]InternetResearchTaskForce,http://irtf.org(lastvisitedNov.18,2016).[124]InternetResearchTaskForce,Thing-to-ThingResearchGroup,https://irtf.org/t2trg(lastvisitedNov.18,2016).[125]WorldWideWebConsortium(W3C),http://www.w3c.org(lastvisitedNov.18,2016).[126]WorldWideWebConsortium(W3C),WebofThingsInterestGroup,https://www.w3.org/WoT/IG/(lastvisitedNov.18,2016).[127]FederalTradeCommission,BureauofConsumerProtectionandOfficeofPolicyPlanning,InTheMatterofTheBenefits,Challenges,andPotentialRolesfortheGovernmentinFosteringtheAdvancemenetoftheInternetofThings,DocketNo.160331306-6306-01,CommentsofStaff,https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-bureau-consumer-protection-office-policy-planning-national-telecommunications/160603ntiacomment.pdf.[128]FederalTradeCommission,InternetofThings:Privacy&SecurityinaConnectedWorld,StaffReport,January2015,https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.[129]DennisFisher,FTCWarnsofSecurityandPrivacyRisksinIoTDevices,June3,2016,https://www.onthewire.io/ftc-warns-of-security-and-privacy-risks-in-iot-devices/(lastvisitedNov.18,2016).[130]NationalTelecommunications&InformationAdministration,InternetofThings,https://www.ntia.doc.gov/category/internet-things(lastvisitedNov.18,2016).[131]NationalTelecommunications&InformationAdministration,U.S.DepartmentofCommerceSeeksCommentonPotentialPolicyIssuesRelatedtoInternetofThings,PressRelease,April5,2016,https://www.ntia.doc.gov/press-release/2016/us-department-commerce-seeks-comment-potential-policy-issues-related-internet-thi[132]InternetGovernanceForum,DynamicCoalitionontheInternetofThings,https://www.intgovforum.org/cms/documents/igf-meeting/igf-2016/827-dciot-2015-output-document-1/file.[133]OnlineTrustAlliance,InternetofThings,Sept.19,2016,https://otalliance.org/initiatives/internet-things(lastvisitedNov.18,2016).[134]InternationalOrganizationforStandardization(ISO),ISO/IECJointTechnicalCommitteeonInformationTechnology,http://www.iso.org/iso/standards_development/technical_committees/list_of_iso_technical_committees/iso_technical_committee.htm?commid=45020(lastvisitedNov.18,2016).[135]InternationalElectrotechnicalCommission(IEC),http://www.iec.ch/(lastvisitedNov.18,2016).[136]InternationalCommitteeforInformationTechnologyStandards,http://www.incits.org/(lastvisitedNov.18,2016).[137]TRUSTe,PrivacyRiskSummit2016,June8,2016,http://www.truste.com/events/privacy-risk/[138]InstituteofElectronicandElectricalEngineers(IEEE),P2413–StandardforanArchitecturalFrameworkfortheInternetofThings(IoT),https://standards.ieee.org/develop/project/2413.html(lastvisitedNov.18,2016).[139]WirelessIoTForum,http://www.wireless-iot.org/(lastvisitedNov.18,2016).[140]OpenConnectivityFoundation,https://openconnectivity.org/(lastvisitedNov.18,2016).[141]ObjectManagementGroup,http://www.omg.org/(lastvisitedNov.18,2016).[142]IndustrialInternetConsortium,http://www.iiconsortium.org/(lastvisitedNov.18,2016).[143]oneM2M,http://www.onem2m.org/(lastvisitedNov.18,2016).

31

[144]BillLydon,“InternetofThings:IndustrialautomationindustryexploringandimplementingIoT,”InTechMagazine,Mar-Apr2014,availableathttps://www.isa.org/standards-and-publications/isa-publications/intech-magazine/2014/mar-apr/cover-story-internet-of-things/.[145]OASIS,OASISCommitteeCategories:IoT/M2M,https://www.oasis-open.org/committees/tc_cat.php?cat=iot(lastvisitedNov.18,2016).[146]HYPERCAT,http://www.hypercat.io/(lastvisitedNov.18,2016).[147]AllSeenAlliance,https://allseenalliance.org/(lastvisitedNov.18,2016).[148]Thread,http://threadgroup.org/(lastvisitedNov.18,2016).

10 DocumentContributorsandReviewers

- FredBaker,CISCO- StevenBauer,MIT- RichardBennett- DonBowman,Sandvine- WilliamCheck,NCTA- kcclaffy,UCSD/CAIDA- DavidClark,MIT- ShaunCooley,CISCO- AmoghDhamdhere,UCSD/CAIDA- NickFeamster,PrincetonUniversity- FrancisFerguson,Level3- JosephLorenzoHall,CenterforDemocracy&Technology- KenKo,ADTRAN- JasonLivingood,Comcast- PatrickMcManus,Mozilla- ChrisMorrow,Google- DonaldSmith,CenturyLink- BarbaraStark,AT&T- DarshakThakore,CableLabs- MatthewTooley,NCTA- JasonWeil,CharterCommunications- GregWhite,CableLabs- ToddWhitenack,Cellcom- DavidWinner,CharterCommunications