The Special Interest Group (SIG) have published a ‘Problem Statement’ document for Secure Usable Browser Connections for Intranet Scenarios:
Almost all consumer networking devices and many IoT devices support local HTTP/S connections for management. This browser based interface is the typical default mechanism for managing, configuring and provisioning the device.
If the management interface is hosted on HTTP, then all content is transmitted in clear text, including the administration password. Any device that hosts its management interface on an HTTP connection is therefore announcing the user's password to anyone who can observe the internal network.
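To make the clear-text risk above concrete, here is a small detection script added for this page (it is not part of the SIG's document). It takes a login request as an observer on the local network would see it over plain HTTP, and reports whether credentials are recoverable from it. The device address, paths, field names and the sample credentials are constructed for the example; a real capture would come from a LAN packet capture or a proxy log.

```python
import base64
from urllib.parse import parse_qs

# Form field names commonly used for a password on device login pages
# (assumption for this example; extend to match the devices on your network).
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd", "pin")

# Constructed sample 1: a form-based login to a hypothetical router admin page.
SAMPLE_FORM_LOGIN = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "username=admin&password=hunter2&go=1"
)

# Constructed sample 2: HTTP Basic authentication, which is only base64, not encryption.
SAMPLE_BASIC_AUTH = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:hunter2").decode() + "\r\n"
    "\r\n"
)

# Constructed sample 3: an ordinary request carrying no credentials.
SAMPLE_NO_CREDS = (
    "GET /status.html HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "\r\n"
)


def parse_http_request(raw):
    """Split a plain-text HTTP/1.x request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw):
    """Return a list of findings describing credentials exposed in a clear-text request.

    Passwords themselves are deliberately not included in the findings; the point is
    to detect exposure, not to collect secrets.
    """
    findings = []
    request_line, headers, body = parse_http_request(raw)
    path = request_line.split()[1] if len(request_line.split()) > 1 else "?"

    # Basic auth: "Authorization: Basic base64(user:password)" is fully recoverable.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            findings.append({"kind": "basic-auth", "user": decoded.split(":", 1)[0], "path": path})
        except ValueError:
            pass  # malformed header, nothing recoverable

    # Form login: any password-like field in a URL-encoded body is readable as-is.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded") and body:
        for field in parse_qs(body, keep_blank_values=True):
            if field.lower() in PASSWORD_FIELDS:
                findings.append({"kind": "form", "field": field, "path": path})

    return findings


def report(samples):
    """Print a one-line verdict per sample; used only for the stand-alone run."""
    for label, raw in samples.items():
        found = find_cleartext_credentials(raw)
        verdict = "EXPOSED" if found else "no credentials seen"
        print(f"{label:<12} {verdict} {found}")


if __name__ == "__main__":
    report({"form": SAMPLE_FORM_LOGIN, "basic": SAMPLE_BASIC_AUTH, "status": SAMPLE_NO_CREDS})
```

The same parser applied to traffic from an HTTPS-hosted interface finds nothing, because an observer sees only TLS records rather than an HTTP request; that difference is the entire reason the SIG's problem statement weighs the warnings of HTTPS against the exposure of HTTP.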
The alternative is to host the management interface on an HTTPS connection. This option provides the assurance of encryption (the password is not passed in the clear), but the solution is unusable for most consumers because of the browser warnings it generates.
The SIG are looking for organisations and people from the IoT ecosystem value/supply chain to help define requirements and develop solutions to address this and other IoT cybersecurity problems. If you would like to learn more and join the SIG please contact us.