Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking
from the Russians-hacked-my-toaster.-Again. dept
Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.
Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.
As it stands, most of the proposals are common sense and take aim at most of the common issues in the IOT space. For example, encouraging companies to spend a few minutes engaged in "penetration testing" of their products before shipping (a novel idea!). The standard also hopes to ensure companies notify consumers of what's being collected and who it's being shared with, and that devices aren't using default login credentials. But Consumer Reports also notes that it hopes to develop these standards with an eye on more broadly incorporating them into product reviews:
"The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols. We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance."
This isn't the first effort of this type. Both the Department of Homeland Security and the FCC have started pushing for some voluntary sort of consistent standards. Of course the problem is that these standards are voluntary, meaning that the kind of companies that cut corners in the first place to sell unsecured products, aren't likely to give much of a damn. It's why folks like Bruce Schneier have advocated for stronger regulations. But with government agencies already walking back even existing consumer privacy protections under Trump, that doesn't seem likely anytime soon. And even if they were open to it, does anyone actually think that federal bureaucrats would come up with reasonable, workable standards that didn't do more harm than good? Having prominent reviewers, such as Consumer Reports take this on through an open standard and reviews seems like a pretty good way of shaming companies into better behavior.
Consumer Reports is quick to acknowledge this is just the beginning of what they hope evolves into a more comprehensive standard:
"The standard as it’s now written is a first draft. We hope that everyone from engineers to industry groups to concerned parents will get involved in shaping future versions of it. We’ve placed the standards on GitHub, a website that’s widely used by software developers to share ideas and work on group projects. Because GitHub can be hard for newcomers to navigate, we’ve also built a website that has the same information."
Folks that are curious or want to lend their assistance can check out the full standard here.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: iot, open source, security, standard
Companies: consumer reports
Reader Comments
Subscribe: RSS
View by: Time | Thread
Uhm, no.
Because of *consumer apathy*, companies - which exist to make money for owners by serving customer desires - have not had any incentive to prioritize consumer privacy over any of the other consumer priorities.
Companies can not read minds. All these companies did was offer a product.
If you want companies to prioritize consumer privacy - and it will *never* top 'profits' as a company's number one priority - then you need to let them know (by not purchasing shit just because its shoveled in front of you) that its important to you.
Now, this open-source security standard is, IMO, a great idea - but it will only take off if consumers give a damn. If you're going to place blame, place it where it belongs.
The only other option is to get the government involved and there goes your open-source, quick-reacting-to-changing-circumstances, easy compliance standard and in comes your 'big-players-in-industry-lobbying for a standard and compliance documentation that they can afford the costs of but will drive small competitors out of business'.
Because, in the end, all companies are driven by the search for profits.
[ link to this | view in thread ]
Security isn't sexy. It's hard to sell security. It's kind of like the police--no one cares about it until there's a dead body in your lobby.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
1 size fits all
____________________
"Consumer Reports is quick to acknowledge this is just the beginning of what they hope evolves into a more comprehensive standard..."
well, ConsumerReports is a left-progressive organization that luvs government regulation and government mandates. Suspect they would eventually luv to see Federal mandatory "standards" for all the Internet-of-Things... dictating hardware & software design to all.
we all know how so very concerned the Feds are about citizen privacy and prevention of hacking --- the NSA/CIA/FBI/etc devote almost all their time protecting citizen electronic communications from surveillance and hacking ?
The Feds would never insist on IoT BackDoors ?
(Fed mandatory standards on car airbags really worked out great-- everybody is required to have an unstable Explosive-Device in front of their face when riding in a car. Brilliant; ConsumerReports luvs it)
[ link to this | view in thread ]
Re: 1 size fits all
Consumer Reports has a reputation in the general consumer market, and their recognition of the issue may go a long way in terms of marketing the actual threats presented by insecure IOT devices. Eventually, and hopefully sooner rather than later, other media will explain the issue to the populace.
Making the issue important to Joe Sixpack and his cousins is a better way to go, rather than regulation. But the market must become aware of the issue, and the issue must become important to them in order for anything to happen with the manufacturers. Otherwise, the government will do hamfistedly what the government does.
Other than that, your rant is meaningless.
[ link to this | view in thread ]
Re: 1 size fits all
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
There's something to what you say, though I suspect in many cases it's lack of knowledge rather than apathy. Most people I mention this kind of stuff to are surprised to learn just how vulnerable or intrusive this stuff can be.
Plus, it's not that simple - take "smart" TV's for example. Bought one a couple of years ago - big screen - in full knowledge of the abortion that is security and privacy on the things. Because I don't care? No, because my previous big screen died and you can't buy a NON-smart screen in this country now without paying double the price.
So my choices are; don't have a TV, pay a fortune, or buy the thing and make sure it's never anything than a dumb screen. Guess which is the only practical option? Also, for bonus points, guess how much response I got from the company for pointing out the insane cost of a screen with less in it and why I wanted one?
[ link to this | view in thread ]
Too late
[ link to this | view in thread ]
Re:
Victim blaming guy is at it again.
The only reason for bad products is because consumers want bad products, not because corps are bad at making shit.
[ link to this | view in thread ]
Consumer Reports on YOU, you mean.
Done and done.
[ link to this | view in thread ]
A few Bankruptcies will make IOT a lot more secure
The Internet of Things is so insecure and provides so many avenues into your information, that it is a nightmare happening right before our Eyes. The answer is to make the technology safe by making its sellers legally liable for security breaches.
Cars being hacked for assassinations is a simple and quick example things happening that require much better security. The people that allow communication with your equipment are held legally liable for both criminal and civil acts is the market way of making these careless bas**rds a little less careless. A few bankruptcies could make the IOT a lot better.
[ link to this | view in thread ]
About Time and Thank You Consumer Reports
As IOT is all over the market from wifi cameras to thermostats, remote door locks to that huggable (and fiercely insecure) child's toy I appreciate that consumer reports is stepping into the fray and providing some level of sanity and reason along with education.
Hopefully what they learn and what the standards move towards will be heard in the halls of congress or the house or lords or any government that wants to ensure the safety of their citizens.
For me, it's about long term goals.
IOT is about convenience, not necessity.
Right now I see IOT as a weapon being used to make everything insecure for nefarious purposes. How can I treat it otherwise?
I wouldn't buy anything IOT, I look for dumb television Monitors, not smart TVs, I'd never buy a wifi enabled device that controls any aspects of my home or business and wouldn't allow my child near an IOT teddybear. (Anyone remember the Barney doll that used on-air television whitespace to program and it ended up swearing at children).
IOT is like the latest model mobile device, shiny with rounded corners full of eye candy that steals your data, shares it with hostile governments which then use it to cash our your tax return. No Thanks... until standards are set, security is verified and we can trace the supply chain for all the parts used.
[ link to this | view in thread ]
"Smart" things
[ link to this | view in thread ]
internet of things
The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols
its thinkable
[ link to this | view in thread ]
Re:
If you put the onus for safety improvements at consumers' feet, you're never going to get safety improvements. What's easier, making safer cars, or teaching people to be better drivers?
You're suggesting consumers who don't know the difference between Windows and Office should be able to make a value judgement about whether or not the TV they're buying is going to spy on them. Okay. How do you propose to do that?
[ link to this | view in thread ]
Re: 1 size fits all
Funny you bring up cars, an industry where companies deliberately chose not to include safety features because they were too expensive, and only improved due to lawsuits and government regulation.
[ link to this | view in thread ]
Re: 1 size fits all
_Early automobiles had no locks or security at all_ We're not in the late 1800's anymore. Also criticizing airbags...
Repeating late 19th century mistakes is not what having a "free market" is supposed to entail.
Now little corporation, tell us where did the bad security regulation touch your profit ?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
In this day and age of fears this can be a selling point.
[ link to this | view in thread ]
Re: "Smart" things
How sure can you be of that? Many of these have wi-fi, and if they're not receiving regular updates there are probably some exploitable video-parsing bugs. If you download the wrong video—or someone manages to embed it into a digital broadcast—the TV might end up connected to a neighbors wi-fi, reporting your viewing habits.
[ link to this | view in thread ]