In support of National Cybersecurity Awareness Month, Online Trust Alliance (OTA), a not-for-profit organization with the mission to enhance online trust, has released its OTA Consumer IoT Security & Privacy Checklist. The checklist includes steps that consumers should take to help increase their own security, privacy and safety in the Smart Home and with connected and wearable technology, and other IoT devices.
“In this increasingly complex world of connected devices, consumers cannot take it for granted that their devices remain safe, secure and private year after year,” said Craig Spiezle, Executive Director, Online Trust Alliance. “As people acquire more devices, the long-term risks to their family and community rise exponentially.”
Not unlike changing the batteries on a smoke detector once a year, consumers should tune up and optimize IoT device settings regularly, OTA recommends. The Alliance said it hopes that by having consumers play an active role in smart device security and privacy, consumers will not only have better security and privacy protections, but also more confidence and trust in their devices and the IoT industry.
“Millions of consumers are the victims of identity theft and online scams each year, and many may not realize that the smart devices that make their lives easier can also make them more vulnerable,” said Bob Ferguson, Attorney General, Washington State. “OTA’s recommendations are an important step toward helping people protect their privacy and personal safety.”
Following are the OTA’s consumer security and privacy recommendations:
- Inventory all devices within your home and workplace that are connected to the Internet and network. Router reports can help determine what devices are connected to your network. Disable unknown and unused devices.
- Contact your ISP to update routers and modems to the latest security standards. Change your router service set identifier (SSID) to a name which does not identify you, your family or the device.
- Check that contact information for all of your devices is up-to-date, including an email address regularly used to receive security updates and related notifications.
- Confirm devices and their mobile applications are set for automatic updating to help maximize protection. Review their sites for the latest firmware patches.
- Review all passwords, create unique passwords and user names for administrative accounts and avoid using the same password for multiple devices. Delete guest codes no longer used. Where possible, implement multi-factor authentication to reduce the risk of your accounts being taken over. Such protection helps verify who is trying to access your account—not just someone with your password.
- Review the privacy policies and practices of your devices, including data collection and sharing with third parties. Your settings can be inadvertently changed during updates. Reset as appropriate to reflect your preferences.
- Review devices' warranties and support policies. If they are no longer supported with patches and updates, disable the device’s connectivity or discontinue usage of the device.
- Before discarding, returning or selling any device, remove any personal data and reset it to factory settings. Disable the associated online account and delete data.
- Review privacy settings on your mobile phone(s) including location tracking, cookies, contact sharing, Bluetooth, microphone and other settings. Set all your device applications to prompt you before turning on and sharing data.
- Back up your files, including personal documents and photographs, to storage devices that are not permanently connected to the Internet.
Nearly 100 organizations, including private businesses, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. governmental and law enforcement agencies, contributed to the Checklist.
Edited by
Alicia Young