The IoD project is primarily focused on the consumers of IoD devices and their safety, security and privacy. We are consumers too and share an interest in these concerns.
We make no judgements about how, where, when or with whom anyone uses these devices. We just look at them as hardware and software devices with internet connection capabilities that can create security and privacy concerns.
We are also not here to make recommendations, certify anything, or do any of those Underwriters Labs-type things. We are just trying to do what we can as security researchers to make things better in this under-scrutinised industry.
One part of the IoD project is to establish bridges to the vendors of these devices and educate them on security, privacy and best practices, thus raising the security bar on the industry as a whole. The other part is to educate consumers about choosing devices responsibly to protect themselves. This involves what they should look for in products and from vendors to safeguard their privacy and security.
Recommended Consumer Questions
Here are some questions that consumers of IoD devices should ask of themselves, about the devices and about the vendors.
Does this device include remote control capabilities?
Am I comfortable with any data from my remote usage being passed through the company's servers, even if encrypted?
Am I comfortable with any intimate data being sent over the internet regardless of the security measures in place?
Does the device's software require an email address, phone number or other personally identifying information to register or otherwise use the software?
Am I comfortable with the vendor knowing this personally identifying information along with any other data that may be sent to their servers such as usage data?
Does the vendor's website use SSL/TLS (encryption) by default, even outside of their online store? (This is a good indicator of security awareness on their part.)
Is the vendor listed as a Partner Vendor on the IoD website? (This means they have shown enough commitment to your security and privacy to earn the project's respect and be listed.)
Partner vendors will adhere to the vendor code of conduct and be accountable and transparent to their customers in how they collect, use and potentially disclose any data associated with their devices. Is this code of conduct enough to make you comfortable with using the product?
We are hoping that the IoD project will become the high bar of security and that our trusted partners are the most trustworthy (security-wise) in the industry. That said, it is still up to you as a consumer to make decisions about your comfort with their actions. Hopefully the openness and transparency we are trying to have them adopt will make that decision easy for you.
In the end, your safety, security and privacy require your active participation. We can't do it all for you. Ask questions, educate yourself, and don't be afraid to get in there and test things for yourself (if you do, please follow the Researcher Code Of Conduct).
By simply having curiosity, taking an interest, and having a desire to make things better, you can change the world in ways big and small.