Raising the Bar: new resources and examples for improving consumer IoT security

Today, the Cybersecurity Tech Accord is re-launching a section of our website to support manufacturers in developing more secure internet of things (IoT) devices for consumers. These devices include billions of connected products on the market today – including everything from watches to doorbells, refrigerators and TVs. In addition to numerous benefits, like tracking and analyzing health data, improving device efficiency, and allowing for remote operation, they also come with cyber risk. Consumer IoT devices have been prominent targets for developing botnets and they increasingly have access to sensitive personal information that should be protected. These new challenges have required new thinking from across sectors – including manufacturers, consumers and regulators.

Thankfully, there is emerging consensus around what baseline expectations should be reflected across all consumer devices to improve security. Earlier this year, the Cybersecurity Tech Accord partnered with consumer advocates and security researchers to launch a joint statement highlighting five of these consensus capabilities – i) no universal default passwords, ii) adopting a vulnerability disclosure policy, iii) keeping software updated, iv) securing data, and v) securing communications. These five capabilities are each reflected in over 100 different standards around the world, and should be the highest priorities for device manufacturers and vendors to adopt to keep consumers safe. The statement itself has now been endorsed by over 100 multistakeholder organizations around the world – including prominent government cybersecurity agencies.

The Cybersecurity Tech Accord is committed to seeing wider adoption of these five security practices by manufacturers, and to accountability for a more safe and secure consumer IoT ecosystem. That is why today’s website refresh is focused on consumer IoT device security and built around the five security capabilities highlighted in our joint statement. The new resource hub is intended for device manufacturers, providing resources, good guidance and examples from Cybersecurity Tech Accord signatories to support the adoption of these five security capabilities. The resource hub is starting today by providing content and resources for the first three of these capabilities – “no universal default passwords,” “adopt a coordinated vulnerability disclosure policy,” and “keep software updated” – with additional materials for the other capabilities being added in the months ahead.

These new subsections focus on explaining both why each security feature needs to be a top priority for IoT manufacturers and how it can begin to be adopted in a variety of different contexts. The resource hub showcases viable alternatives to universal default passwords, and how some of the Cybersecurity Tech Accord signatories have approached planning for keeping software updated via their respective secure development lifecycles. We are also showcasing the over 100 examples of coordinated vulnerability disclosure policies that have been adopted by Cybersecurity Tech Accord signatories, to lead by example. No matter what kind of technology company you are, or what products you make, we are confident there will be valuable insights and resources for you to leverage in this new hub.

In the months ahead, we will continue to build out the resources and examples on the website to support best practices for consumer IoT security. And beyond these five capabilities, the IoT subsection also serves as a repository for broader government guidance and standards for consumer IoT device security, and resources provided by Cybersecurity Tech Accord signatories. It also features expert guidance for consumers themselves seeking to optimize the security of the most common IoT products.