
Internet of Things Security and Privacy Recommendations [pdf] - Animats
http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
======
Animats
The recommendations are weak:

- "IoT Devices Should Ship with Reasonably Current Software" (Vague)

- "[Vendors] should design systems and processes to ensure the automatic update of IoT device software, without requiring or expecting any type of user action or even user opt-in." (Do not attempt to disconnect Big Brother.)

- "IoT devices be secured by default (e.g. password protected) and not use common or easily guessable user names and passwords (e.g., “admin”, “password”)." (Well, duh.)

- "When possible, devices should not be reachable via inbound connections by default." (Reasonable enough.)

- "An IoT device should be able to perform its primary function or functions, even if it is not connected to the Internet." (Nest had some problems with this.)

- "Devices Should Continue to Function If the Cloud Back-End Fails" (They just assume there's a "cloud" back end, not a local server.)

- "Devices Should Ship with a Privacy Policy That is Easy to Find & Understand". (But it can be as intrusive as desired by the vendor.)

- IPv6 / DNSSEC. (Yes, definitely IPv6; way too many devices for IPv4.)

- "If the functionality of an IoT device can be remotely decreased by a third party, such as by the manufacturer or IoT service provider, this possibility should be made clear to the user at the time of purchase." (But it's OK if you tell the user.)

- "The IoT Device Industry Should Consider an Industry Cybersecurity Program" and "The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues" (The devil is in the details.)