Welcome [] · 11:30 Overview of Online Trust Audit - IoT Segment performance 11:45 IoT Security research - Geoff Noakes - Symantec 12:00 Lunch - Glenn Derene, Editor Consumer Reports

© 2015. All rights reserved. Online Trust Alliance (OTA)

1

Welcome

• Security

• Privacy

• Sustainability

11:00 Introductions, Who You Are? Why do you care?

Goals - Thea Singer Spitzer, Principle, Critical-change

11:30 Overview of Online Trust Audit - IoT Segment performance

11:45 IoT Security research - Geoff Noakes - Symantec

12:00 Lunch - Glenn Derene, Editor Consumer Reports Magazine

1:00 Review of draft framework / Breakouts

4:00 Breakouts report back to group

5:00 Considerations of a possible seal / certification program

5:45 Wrap Up & Reception

Agenda

• Chatham House Rule

• Introductions

▫ Who are You & Why do You Care?

• Listen, Learn + Collaboration = Innovation

Reminders


2

501c3 charitable organization with a mission to enhance online

trust, while promoting innovation and the vitality of the

internet.

• Goal to help educate businesses, policy makers and stakeholders

while developing and advancing best practices and tools to

enhance the protection of users' security, privacy and identity.

• OTA supports collaborative public-private partnerships, benchmark

reporting, meaningful self-regulation and data stewardship.

OTA

© 2015. All rights reserved. Online Trust Alliance (OTA) Slide 4

Focused On Collaboration

© 2015. All rights reserved. Online Trust Alliance (OTA) Slide 6

http://www.ebay.com/

http://www.ebay.com/

http://www.getresponse.com/

http://www.getresponse.com/

http://www.trustsphere.com/

http://www.trustsphere.com/


3

What Do We Want to Achieve Today

• Review framework progress to date

• How can we collaborate with others?

• Critique, validate and prioritize criteria

▫ What are we missing?

▫ How can it be validated and measured

▫ Is it applicable for all device categories?

Working Group Goals

1. Provide guidance to manufacturers and developers to help reduce attack surface and

vulnerabilities, and adopt responsible privacy and data stewardship practices.

2. Drive the adoption of best practices; embracing “privacy and security by design”, as a

model for the development of a voluntary, yet enforceable code of conduct.

3. Provide positive affirmation and recognition to companies, products, and retailers who

embrace the code of conduct and meet minimum standards.

4. Provide retailers / commerce sites criteria to aid in their product merchandising and

promotion decisions.

5. Where possible, apply existing standards from NIST, NTIA, ISO and other industry

working groups.

6. Encourage collaboration, sharing of best practices and threat intelligence.

7. Evaluate and identify gating issues and considerations which may lead to the

development of a seal or certification program which could become an incentive to adopt

best practices.

Unique IoT Challenges

1. Highly personal, dynamic, persistent

collection and transfer of data.

2. Reliance on a combination of devices,

apps, platforms and cloud services.

3. Multiple data flows.

4. Multiple touch points and disclosures.

5. Sustainability / lifecycle issues.

6. Lack of defined standards.

7. Non-traditional market players and rush

to market.


4

Concerns

1. Unknown and future secondary data usages; unintended consequences

2. Unique devices which impact disclosures

3. Compatibility; ability to roll back updates and patches?

4. Impact to core functionality of the product purchased of changes in policies

5. Product warranty / support, beyond traditional guarantees (aka auto recalls vs repairs)

6. Reliance on installers / third parties. What are they doing and setting on behalf of the consumer?

7. Similarity to PCI, If you handle, touch, store or transfer cc info you must be compliant

8. AV for IoT? They will be hacked and compromised!

9. Consent; does it transfer with home ownership?

10.What happens to my data? Portability, compatibility with other devices. Can I retract my data?

User Device

Cloud Service

Mobile App

Connected Device

Mobile Platform

Services Provider(s)

?

Multi-Dimension Landscape & Issues

• Data Security

• Privacy

• Sustainability

▫ Lifecycle issues

▫ Supportability

▫ Data retention / ownership

• Data In use, transit & rest

Security – Top 10 OWASP

1. Insecure Web Interface

2. Insufficient Authentication/Authorization

3. Insecure Network Services

4. Lack of Transport Encryption

5. Privacy Concerns

6. Insecure Cloud Interface

7. Insecure Mobile Interface

8. Insufficient Security Configurability

9. Insecure Software/Firmware

10. Poor Physical Security

The Open Web Application Security Project (OWASP), https://www.owasp.org

https://www.owasp.org/


5

Working Group Review & Priorities

Key Questions/topics from working paper Possible Dimension to measure/validate

Possible

metric/value/score

Is measurement most

l ikely an objective

test or a vendor

assertion doc?

Rank Importance of

including in Seal

v1.0 1 = vi ta l , 2 =

good to have, 3 =

poss ible future

vers ions

Validation Type Home Wearables Rank

Is the privacy policy publically available to review prior to product purchase or

activation? (Is it visible on packaging, POS materials…)Yes/No

Testing

Is the privacy policy display optimized for the user interface. For example is a short-

layered notice applicable and discoverability and with access to the complete notice. Yes/No Review of policy

Is data sharing limited to third parties / service providers who agree to confidentiality

and limit usage to support product features/ functionality and or product improvement?

Yes/No Review of policy

Can a user opt-In for any third party data sharing; not contingent on utilizing of core

features or updates?Opt In/Opt Out/No Option Review of policy

Can the consumer see or request access to the data and analytics (and the specific data

attributes) that has been collected from their device? Are all data elements attributed to

a user clearly disclosed and explained? What is feasible to provide?

Testing

Is a data retention policy disclosed, including the provision of user information being

deleted upon termination of product usage or product end-of-life?Yes/No Review of policy

Does the vendor make a commitment to not transfer any consumer data if the company

is sold or liquidated unless the consumer is provided notice and gives express consent

(with the exception of data required to perform product support and functionality as

specified in the original product terms of use and privacy policy)?

Yes/No Review of policy

Is it COPPA compliant? Who is the user? When does it apply? Do user profiles need to be

created?Yes/No Review of policy

What steps are taken to help prevent anonymous data being from being re-identified?Review of policy

Can a consumer return a product without any charge after reviewing the privacy practices

that might be presented during set up? (retailer or product policy).Yes/No

Can the company materially change privacy policies after the product is purchased? What

is the primary function of the device and how might it be impacted? Is the history of

changes available for review and or comparison?

Yes/No

Is the device compliant with regulations where the device is being sold or being used?

(US vs Canada, UK, Australia and or EU?

Does this i tem perta in to

Home Automation,

Wearables (check)?

IoT Trustworthy Framework - Privacy

What Consumers Need To Know

1. Does my device / application have a posted privacy policy which respects my data and

privacy?

2. Can I opt-in or opt-out and what will the impact be to the product functionality?

3. Does the manufacturer and app developer follow a Security Development Lifecycle (SDL).

4. Is my data protected at rest and in transit?

5. Does my device have a published support policy including end of life?

6. How will my device be upgraded to address security vulnerabilities? How will I be notified?

7. How can my data be deleted if the device is lost, stolen or sold?

8. How can I compare security and privacy practices as part of my purchase decision?

9. Does the manufacturer (and retailers) share or monetize my data?

10.What is the risk my personal data could be re-identified?

Online Trust Audit & Honor Roll

Craig Spiezle

Executive Director & President

Online Trust Alliance

https://otalliance.org/HonorRoll

https://otalliance.org/HonorRoll


6

BrandProtection

PrivacySecurity

Honor Roll Overview

• Analysis of ~1,000 web sites

▫ FDIC Banking 100

▫ Internet Retailer 500

▫ Top 50 Social

▫ Top 50 News/Media

▫ Top 50 Federal Gov’t

▫ OTA Members

▫ IoT 50 (Home automation, Wearables)

• Scoring

▫ Up to 100 points in each category

▫ Bonus points for emerging practices

▫ Penalty points for

Data loss incident

Fines/settlement

▫ Honor Roll = 80% of total points, 55% or better in each category

Privacy

• Base points

▫ Privacy policy

▫ Third-party trackers on site

• Bonus points

▫ Layered privacy policies

▫ Bilingual policies

▫ Use of Icons

▫ Do Not Track status, policy

▫ Tag mgmt. or privacy solution

• Penalty points

▫ WHOIS (if Private vs Public)

▫ Data Breach Incidents

▫ FTC / State Settlements

BrandProtection

PrivacySecurity

Italics = new in 2015

Consumer & Brand Protection

• Base points

▫ Email authentication

SPF and DKIM at top-level

and subdomains

▫ DMARC record and policy

• Bonus points

▫ TLS for email

▫ DMARC reject policy

• Penalty points

▫ Domain locking (not locked )

BrandProtection

PrivacySecurity


• Can the app or web site be spoofed fooling a consumer

to open or download an update, open an attachment or

simply open an email with a drive-by exploit?

• Does the site or app exercise best practice to help

prevent brand-jacking and domain abuse?


7

Infrastructure Security

• Base points

▫ Server & SSL implementation

• Bonus points

▫ EV SSL

▫ AOSSL

▫ DNSSEC

• Penalty points

▫ XSS / iFrame vulnerabilities

▫ Malware

▫ Malicious links

▫ Bot risk

BrandProtection

PrivacySecurity


Overall Achievement

Review By Segment


8

Top of The Class

#1 of all Online Retailers

Ranked #1

across all sectors

IoT - Highlights

Who Made The Grade for IoT?

Top of the Class #1


9

Failing

IoT – Lowlights

Failing


10

Range & Median

Widest

Range

IoT Key Metrics

Privacy Scoring


11

Privacy Polices

Case Study – IoT Security

Geoffrey Noakes

Senior Director, Business Development

[email protected]

+1-415-370-5980

Many consumer products are now Internet-connected

33Oral-B / ndtv.com Smart Bra / philly.com

sensoriafitness.com

Co

pyr

igh

t ©

20

14

Sym

ante

c C

orp

ora

tio

n

Imgur.com


12

Remember the fridge that sends out spam?

Copyright © 2014 Symantec Corporation34

Co

pyr

igh

t ©

20

14

Sym

ante

c C

orp

ora

tio

n

The IoT device was behind a NAT router

A typical PC, infected with malware, was sending out spam

The fridge was behind the same NAT router

It is technically possible to have fridges send spam

35

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n

Let’s consider some "health wearables"

Co

pyr

igh

t ©

20

14

Sym

ante

c C

orp

ora

tio

n


13

123 BPM

23.56 KM

15.8

RISK RISK

RISK RISK

RISK

Where are the risks?

37

Co

pyr

igh

t ©

20

14

Sym

ante

c C

orp

ora

tio

n

IoT devices are Internet-connected and have all the same risks as typical PCs and smartphones

PII/LOGINCLEAR TEXT

20%*

NO PRIVACYPOLICY

52%

*Services that required a login

Symantec analysis of health apps

38

We analysed the top 100 free health applications

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n

APP ANALYTICS

AD NETWORKS

APP PROVIDER

SOCIAL MEDIA

APP FRAMEWORKS

CRM/MARKETING

UTILITY API

OS PROVIDER

MAX DOMAINSCONTACTED

14

AVG DOMAINSCONTACTED

5

Who do health apps share data with?

Each of these vendors could share your data again

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n


14

Your data is already being analysed

40

Jawbone: Who’s asleep during San Francisco earthquake 2014?

40

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n

The IoT is raising the interest of attackers

Infects routers

PHP vulnerabilities

Default passwords

LINUX.DARLLOZ

Mine cryptocurrencies

Many proof of concepts around, but attackers are currentlyfinding it difficult to make the activity profitable

Smart TVs

Set top boxes

IP/baby cams

Home automation

Light bulbs

OTHER DEVICES

Cars

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n

A very real example: Smart hub devices

• Unsigned firmware update (MITM attack possible)• Passwords sent in clear text (no SSL encryption)• 4-digit PIN code in the cloud enforced (blind SQL injection)

42

Co

pyr

igh

t ©

20

14

Sym

ante

c C

orp

ora

tio

n


15

Common issues we found when analysing devices

43

Weak authentication (or no password at all) No encryption Prone to web vulnerabilities (66% had OWASP vulnerabilities ) Privacy concerns Firmware updates: either missing or unsigned Full trust to any local device Insufficient security configurability Simple physical attacks are possible

Co

pyr

igh

t ©

20

15

Sym

ante

c C

orp

ora

tio

n

Brave New World of Smart Devices

Glenn Derene

Editor

Consumer Reports Magazine

INTERNET OF THINGSGlenn Derene

Director of Content Development

Consumer Reports


16

In the Privacy of Your Own Home (June 2015 Issue)

In the Privacy of Your Own Home (June 2015 Issue)

Even Mr. Coffee is

watching you

What makes an object “smart”?

• Sensors

• Internet connectivity

• A degree of autonomy

• Can be part of an ecosystem


17

Which of these is an IoT device?

Computer? Smartphone? Navigation Device?

Bluetooth Speaker? Amazon Echo?Game Console?

The landscape

of IoT devices

How big is the

Internet of Things?

• FTC report

estimates 25 billion

connected devices

this year

• By 2020, that

number is expected

to grow to 50 billion

What kinds of

data are

collected?

• Many IoT

devices are

meant to be

integrated into

the intimate

spaces of our

homes and lives.

• The data-

collection

becomes a

passive by-

product of our

interaction with

the device


18

The creepiness

factor.

• When consumers don’t know

what their devices are doing,

they freak out

• If data collection isn’t made

explicit, people jump to the

worst possible conclusions

about motive

The creepiness

factor.

• Samsung was caught off

guard by public reaction, and

had to respond to public

outcry

Hidden in the fine

print.

• The uproar hid a more

disturbing trend in the industry

• Many smart TVs are collecting

data on everything you watch

and sending it to third parties


19

Where, precisely, is

your data going?

• We investigated the data

stream from smart TVs

• Third-party companies most

consumers have never heard

of, such as Cognitive Networks

and Enswers

What does consent

look like?

• People don’t read privacy

policies

• It’s even more onerous to

expect them to do so for an

appliance

What’s the potential

harm?

• In 2014, hackers took over

baby monitors and screamed at

sleeping infants.

• We’ve discovered websites that

are search engines to

unprotected webcams—some

in people’s homes.


20

Where is this going?

• Amazon’s Dash program let’s

participants install buttons to

automatically order brand-

name supplies

• Eventually appliances will order

the goods themselves.

How much

information do we

owe companies?

• Diagnostics

• Usage data

• Firmware updates

• Interactions with other

appliances

• John Hancock Vitality

What is Consumer

Reports’ role?

Investigating partnerships with

• NYU Polytechnic

• Georgetown Law Center for

Privacy and Technology

• Carnegie Mellon University

CHIMPS/CUPS Lab


21

User Device

Cloud Service

Mobile App

Connected Device

Mobile Platform

Services Provider(s)

?

Multi-Dimension Landscape & Issues

• Data Security

• Privacy

• Sustainability

▫ Lifecycle issues

▫ Supportability

▫ Data retention / ownership

• Data In use, transit & rest

Working Group Update

• Security

• Sustainability

• Privacy Team Joanne

• Privacy Team Thea

Feedback

• Scope Changes

• Areas on consensus

• Open for debate

• Key Priorities


22

Seal Program Discussion

Program Considerations

ITWG Workshop

June 16, 2015

• Neal Feather

▫ President, SiteLock

• Joanne Furtsch

▫ Director of Product Policy, TRUSTe

Panelists

• Program scope definition• What do the criteria apply to• Are there multiple levels of certification or different criteria or

programs based on data type or role in eco-system

• Certification model• Third party validation or self-attested

• Review/testing methodologies• Automated and manual testing approaches• Device version changes

• Criteria validation among industry stakeholders• Device manufacturers, Industry trade organizations, Retailers,

Consumers, Regulators

• Criteria adoption and program brand recognition building

Starts with clear, consistent, verifiable criteria


23

• Seal usage guidelines• Where is the seal allowed to be displayed?

• Process to issue the seal

• Process to revoke seals

• Dispute process (manufacturer and consumer)• Define scope of dispute resolution

• Frequency of verification of criteria/renewal

• Survival• Controlling entity changes due to acquisition or merger

• Bankruptcy

Managing use of the Seal

• Seals must be dynamic • QR Code, RFID, hosted seal, or seal image

• Steps to prevent counterfeiting • Trademark protections

• Level of certification must be clear from seal

• Information on certification status accessible from the seal• Validation page

• Single, simple source with trusted chain of control for authenticity

• Ongoing monitoring of program compliance and proper seal usage

Trust in the Seal

Generalized certification process

• Review of device and

related Privacy Policies

Analyze

• Gap analysis of data

collection to

certification criteria

• Findings report

Advise

• Remediate identified gaps

Remedy

• Activate seals and

consumer validation pages

Award

• Ongoing monitoring for

compliance

• Consumer and

manufacturer feedback

loop and dispute

resolution

• Guidance on Emerging

Rules and Opportunities

Monitor


24

Analyze – scanning technology

Advise & Remedy: - Findings Report

Award & Monitor: Validation Page

72

Your Company


25

Certification is a business

Sales

Business Operations

Assessment/Service Delivery

Compliance Monitoring

Certification License Renewal

Tools and systems

are needed to

manage certification

lifecycle

Next Steps

• OTA IoT Initiative https://otalliance.org/IoT

▫ Send feedback to discussion draft by June 26th – [email protected]

July 1 – Member Working Group Call

Aug TBD

Nov 16 - DC Dinner with FTC / IoT Caucus

Nov 17 – Working meeting – DC

https://otalliance.org/IoT

mailto:[email protected]

Documents

Welcome [] · 11:30 Overview of Online Trust Audit - IoT Segment performance 11:45 IoT Security research - Geoff Noakes - Symantec 12:00 Lunch - Glenn Derene, Editor Consumer Reports