Home / News

BITAG Outlines Steps to Dramatically Improve the Security and Privacy of IoT Devices

Broadband Internet Technical Advisory Group (BITAG) today released a report outlining a set of guidelines it believes could dramatically improve the security and privacy of IoT devices and minimize the costs associated with the collateral damage that would otherwise affect both end users and ISPs. The report has also warned that unless manufacturers and distributors of IoT devices improve device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise IoT holds.

Other observations made in the report include:

  • Insecure Communications: Many of the security functions designed for more general-purpose computing devices are difficult to implement on IoT devices and a number of security flaws have been identified in the field, including unencrypted communications and data leaks from IoT devices.
  • Data Leaks: IoT devices may leak private user data, both from the cloud (where data is stored) and between IoT devices themselves.
  • Potential for Service Disruption: The potential loss of availability or connectivity not only diminishes the functionality of IoT devices, but also may degrade the security of devices in some cases, such as when an IoT device can no longer function without such connectivity (e.g., a home alarm system deactivating if connectivity is lost).
  • Device Replacement May be an Alternative to Software Updates—for Inexpensive or “Disposable” Devices: In some cases, replacing a device entirely may be an alternative to software updates. Certain IoT devices may be so inexpensive that updating software may be impractical or not cost-effective.

BITAG Technical Working Group has provided a number of recommendations which including:

  • IoT Devices Should Be Restrictive Rather Than Permissive in Communicating: When possible, devices should not be reachable via inbound connections by default. IoT devices should not rely on the network firewall alone to restrict communication, as some communication between devices within the home may not traverse the firewall.
  • IoT Devices Should Continue to Function if Internet Connectivity is Disrupted: IoT device should be able to perform its primary function or functions (e.g., a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet.
  • IoT Devices Should Continue to Function If the Cloud Back-End Fails: Many services that depend on or use a cloud back-end can continue to function, even if in a degraded or partially functional state when connectivity to the cloud back-end is interrupted or the service itself fails.
  • IoT Devices Should Support Addressing and Naming Best Practices: Many IoT devices may remain deployed for a number of years after they are installed. Supporting the latest protocols such as IPv6 for addressing and naming will ensure that these devices remain functional for years to come. IoT devices should also support the use or validation of DNS Security Extensions (DNSSEC) when domain names are used.

The lead editors of were Jason Livingood, Vice President of Technology Policy & Standards at Comcast and Nick Feamster, Professor of Computer Science at Princeton University. Douglas Sicker, Executive Director of BITAG, Chair of BITAG’s Technical Working Group, Department Head of Engineering and Public Policy and a professor of Computer Science at Carnegie Mellon University, chaired the review itself.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign


Sponsored byDNIB.com