The Internet of Things Needs Food Safety-Style Ratings for Privacy and Security
Consumer Reports is the first to integrate privacy and security in reviews in a bid to fix the internet of broken things.
By now, we’re all intimately-familiar with the comically-bad security and privacy standards that plague most modern, internet-connected devices in the internet of things era.
Thanks to companies and evangelists that prioritize profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your Wi-Fi-enabled tea kettle can open your wireless network to attack.
The paper-mache grade security on many of these devices also makes it trivial to quickly compromise and integrate them into botnets, resulting in the rise in historically-unprecedented DDoS attacks over the last few years. Security is so lacking, many devices can be hacked and integrated into botnets in a matter of just minutes once connected to the internet.
Security researchers like Bruce Schneier have dubbed this a sort of “invisible pollution.” Pollution, he notes, nobody wants to address because neither the buyer or seller in this chain of dysfunction tends to give much of a damn.
“The owners of those devices don't care,” notes Schneier. “Their devices were cheap to buy, they still work, and they don't even know (the victims of DDoS attacks). The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features.”
In short the market has failed, creating millions of new potential attack vectors annually as an ocean of such devices are mindlessly connected to the internet.
One potential solution? To incorporate security and privacy grades in all product and service reviews moving forward.
“Until now, reviewers have primarily focused on how smart gadgets work, but not how they fail: it's like reviewing cars but only by testing the accelerator, and not the brakes,” activist and author Cory Doctorow told Motherboard.
“The problem is that it's hard to tell how a device fails,” Doctorow said. “‘The absence of evidence isn't the evidence of absence,’ so just because you don't spot any glaring security problems, it doesn't mean there aren't any.”
Countless hardware vendors field products with absolutely zero transparency into what data is being collected or transmitted. As a result, consumers can often find their smart cameras and DVRs participating in DDOS attacks, or their televisions happily hoovering up an ocean of viewing data, which is then bounced around the internet sans encryption.
Product reviews that highlight these problems at the point of sale could go a long way toward discouraging such cavalier behavior toward consumer welfare and a healthy internet, pressuring companies to at least spend a few fleeting moments pretending to care about privacy and security if they value their brand reputation.
To that end, Consumer Reports announced last year it would begin working with non-profit privacy research firm Ranking Digital Rights (RDR) and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on a new open source standard intended to help make internet-connected hardware safer.
“If Consumer Reports and other public-interest organizations create a reasonable standard and let people know which products do the best job of meeting it, consumer pressure and choices can change the marketplace. We’ve seen this repeatedly over our 80-year history,” the group argued.
This week, those efforts began taking shape.
Consumer Reports’ latest rankings of mobile payment platforms is the first time security and privacy have factored into the organization’s ratings for any product or service. It’s a practice Geoffrey MacDougall, Consumer Reports' head of partnership and strategy, says will soon be expanded to the organization’s reviews of internet-connected products.
Such a practice being standardized in service and hardware reviews could go a long way in addressing things like “smart” televisions that spend as much time watching you as you do watching them, or internet-connected door locks that leave you less secure than the dumb alternatives they were supposed to supplant.
Doctorow calls the Consumer Reports’ effort both “welcome and long overdue,” but notes it needs to be the first step in a broader reform campaign.
Passing meaningful consumer privacy rules, like the FCC broadband protections killed by Congress last year, will also play a role. As will efforts to improve transparency, like the Princeton computer science department’s IOT Inspector, which provides the end user with more insight into what IoT devices are actually up to online.
Thwarting efforts by numerous companies to punish and intimidate security researchers also needs to be addressed, notes Doctorow.
“I think the next logical step is to start explicitly calling out companies that reserve the right to sue security researchers through laws like Section 1201 of the DMCA and the Computer Fraud and Abuse Act,” he said. “We know from long experience that just the possibility of retaliation
for criticizing products by pointing out their defects is enough to chill the speech of security researchers.”
For years the internet of things space has been the butt of justified jokes, as we collectively laugh at how we need to approve an overlong TOS just to use our shiny new oven, or the fact we can’t use our thermostat or TV because they were infected by ransomware.
But researchers like Schneier have warned that with millions of new attack vectors being introduced annually thanks to apathetic companies and oblivious consumers, it’s only a matter of time before this systemic dysfunction results in some massive, potentially fatal attacks on essential infrastructure.
With that understood, helping consumers better understand which companies couldn’t care less about privacy and security seems like the very least we can do.