Connected home devices are the wild west of security and privacy practices; there's little to no regulation of the software that powers smart homes. BITAG says some IoT devices have security vulnerabilities relating to outdated software, unauthenticated and unencrypted communications, data leaks, malware, and service interruptions.
This isn't just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.
BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified "secure" devices.
BITAG has no power to enforce these recommendations, but its report can influence future regulatory discussions.