(Manually synced mirror of GDoc; to comment, file an issue)

Open IoT Certification Mark Principles – October 18th 2017

Draft edited by Alexandra Deschamps-Sonsino (@iotwatch)

Contributors: Mark Simpkins (@marksimpkins)

The company should make sure customers are able gain access to information about the use of their data (e.g how the data is processed, insights generated from the data). The company offers customers the right to delete their data and metadata. Customers are given the ability to selectively withdraw permissions of use of their data (entitlements) temporarily or permanently. In response to this, the company can selectively withdraw access to select services to consumers based on the entitlement level that a consumer provided.

Assessment criteria: GDPR policy is published on the company website / a simple checklist is completed. Use our checklist. The company website publishes a form where a customer can request the deletion of their account and history. The company website offers customers the choice to switch on or off core or secondary functionalities and are clear about the impact of those choices.

Assessment criteria: ICA compliant (registration number)

Contributors: Andy Stanford-Clark (@andysc), Boris Adryan (@borisadryan), Peter Robinson (@nullr0ute), Bob van Luijt (@bobvanluijt), Thomas Amberg (@tamberg)

Assessment criteria: The company provides URL(s) of publicly accessible documentation of the backend Application Programming Interface (API) for all of the following aspects:

• Endpoints (e.g. api.example.com)
• API (e.g. GET /things, e.g. described with Swagger)
• Protocol (e.g. HTTP, MQTT, ...)
• Data format (e.g. JSON, XML; clearly defined data types)
• Data model / information model (e.g. service topics, how to measure temperature) The company provides a way to apply for access rights (e.g. by issuing an API key)

Assessment criteria: The assessor collects complaints (e.g. including screenshots or other "proof") filed by 3rd parties.

Assessment criteria: The company provides URL(s) of publicly accessible documentation for all of the following aspects of the device "API"

• Device "API" (e.g. Bluetooth Profile)
• Protocol (e.g. CoAP, MQTT)
• Data format (e.g. binary encoding)

Contributors: Thomas Amberg (@tamberg)

Assessment criteria: Files are accessible on inspection. We recommend using MIT License or Apache 2 or GPLv3 licenses for the source code or at least a license compliant with the Open Source Definition (https://opensource.org/docs/osd).

Assessment criteria: Files are accessible on inspection.These may include but not limited to schema files, PCB layouts, and any other materials that would support the recreation of the product by the end user. We recommend using a license compliant with the Open Source Hardware Definition (https://www.oshwa.org/definition/).

Contributors: Dr. Alison Powell, Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)

Assessment criteria: Labelling is applied on packaging or product and online presence indicating in plain language the data flow. Use our suggested labelling system.

Assessment criteria: The dependancy label is included on product or packaging as well as the company’s online present. Use our suggested labelling system.

Assessment criteria: List of core functionality vs. secondary functionality. Access to all commercially accessible versions of products for testing. Test the core functionality on audit.

Contributors: Martin Dittus (@dekstop), Mark Simpkins (@marksimpkins), Selena Nemorin (@digiteracy)

Assessment criteria: Your website publishes a form where customers can request a change of ownership (change of user associated with the hardware), data export and service provider change.

Contributors: Pilgrim Beart (@pilgrimbeart)

Assessement criteria: Include on product or packaging. Use our labelling system.

Assessement criteria: Include on product or packaging. Use our labelling system.

Assessment criteria: Terms & conditions changes are communicated to customers and their permission is sought explicitly.

Contributors: Mark Carney (@LargeCardinal), Graham Markall (@gmarkall), Jan-Peter Kleinhans (@JPKleinhans)

The company’s customers should be protected and the security of their products should be a priority in the development cycle.

Backend Service Systems:

Assessment criteria: The product will be tested to check the following:

• FDE
• TLSv1.2 on all web-based endpoints
• Secure hashing
  • E.g. Salted bcrypt/scrypt
• Secure PII storage
  • Only necessary ports are exposed to the internet (e.g. no access to debug ports like SSH/Telnet/etc., hadoop ports not open, SMB ports not open, NoSQL/SQL server ports not open, etc. etc.)
  • Relevant Cookie flags and security headers (web) present where applicable (see OWASP guidelines)

Assessment criteria: The product will be tested to check the following:

• Minimal compliance with OWASP Top 10 (2017) and SANS Top 25 which includes:
  • No SQLi - adequate protections/query parameterisation/filtering present
  • Good protection against XSS - adequate filtering present
  • Strong session management
  • Good authentication management
  • Random CSRF tokens that are strongly enforced based on last-issued token
• Web Server users should not be running as root/admin
• Principle of Least Privilege: API service users should have limited access
• Managed access to data: Do DB users need to write to a DB they only search in? Do DB users have access to DB’s they shouldn’t do?

Assessment criteria: The product will be tested to check the following: User-land back-end service requirements (web or mobile apps - hosted):

Assessment criteria: The company’s sign in process encourages its customers to choose passwords which include alphanumeric characters, special symbols, and are of significant permitted length. These passports should be validated server side. Two factor authentication should be included & support for tokenized 2FA e.g. google authenticator. Device Specific Requirements:

Assessment criteria: Relevant compliance class number is published on packaging and online presence of the company.

Assessment criteria: The product will be tested to make sure it complies with

• Per Device Private Keys
• Use known-good cryptographic schemes such as:
  • AES256-CBC with random IV's
  • RSA based with key strength of 2048 (ideally 4096) bits
  • E.g. NaCl for public/private keys
• Use demonstrably cryptographically secure TRNG’s/PRNG’s

Assessment criteria: A product will be tested to see if its firmware is compliant with

• Usage of latest available SDK’s
• Monitor and patch with updates for core backend libraries (e.g. wifi libraries, web servers, XML parsers, etc. etc.), not just SDK updates.
• A known-good failsafe firmware should be available

Fair use of Hardware Security Module

• Use of on-chip cryptographic accelerators where available
• Use of secure storage options where available
• Usage of CRP where available

Secure Setup

• Only necessary ports open/available
• All services that handle sensitive data have adequate authentication
• No debug ports are available (ssh/telnet/etc.)
• No unnecessary services (e.g. FTP, TFTP, SMB, etc.)
• Documented moves to detect and block basic brute force attacks (e.g. password bruteforcing, WPS Pixie Dust, service bruteforcing, etc.)
• Remove Debug/Development headers from PCB (JTAG/UART/etc.)

Assessment criteria: An automated message should be generated or an alert to remind customers how to implement a change in firmware.

Assessment criteria: A clear and accessible message should be sent to a customer explaining the implications of doing this in clear language.

Assessment criteria: The product will be tested to make sure it is compliant with

• Ability and requirement to change Administrator/root access passwords
• Device-unique passwords should be loaded into each device at production
  • Where this is not possible, the admin/root password is to be changed on device first setup or admin first login, whichever happens first
• Specific account that hidden backdoor accounts are not to be included on production releases
• Limited number of large-scope administration accounts (such as Domain/Enterprise admin accounts)

Assessment criteria: ?

Assessment criteria: The product will be tested for the following:

• Restricted physical access to production systems
• A 'first-pentest' with a follow-up action plan for resolving the results of the pentest.
• Ability to lock devices to hardware security tokens e.g. yubikeys (This can act in place of per-device passwords/private keys)
• Strong physical security
• Ability to filter by source IP on device
• A working Disaster Recovery plan, Vulnerability Disclosure plan, and Breach Response Plan (Breach Response should have relevant technical, business, and legal contacts within it
• You should know if/when you were hacked
  • You should know what to do
  • Disclosure Response should exist, and have relevant technical, business, and legal contacts, as well as a workflow for how to raise tickets, assess severity, etc.
  • Disaster Recovery should be tested regularly e.g. to ensure backup restoration works) A planned introduction of monitoring software with alerts generated for the right people

Contributors: Alasdair Allan (@aallan), Chris Adams (@mchrisadams), Adrian McEwen (@amcewen), Dries De Roeck (@driesderoeck), Matthew Macdonald-Wallace (@mbconsultinguk), Joanna Montgomery (@joannasaurusrex), Gavin Starks (@agentGav)

Assessment criteria: Include on the packaging of the product and on the online presence of the company a clear statement of intended lifetime and support. Post-lifetime support should be clearly explained ( replacement part vendor list. An End of Life T&C’s and End of Life actions should be well defined - including in case of bankruptcy, takeover, etc.Should include ‘what happens to my data?’ and ‘what happens to my device(s)?’

Assessment criteria: Publicly available instructions and in an accessible format. STL files should be made available if the piece is expected to be 3D printed.

Assessment criteria: A clear and accessible form that a customer can fill in to request these part should be included as part of the packaging or online presence of the company.

Assessment criteria: A clear and accessible mention should be included as part of the packaging or online presence of the company.