New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices

from the come-together,-right-now dept

As we’ve pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now open your wireless network to attack.

Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale — especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what’s happening:

“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

There’s no quick fix for this problem. And as Schneier notes it’s going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.

Consumer Reports has been one of the few organizations to try and tackle this problem with plans to incorporate some open source security and privacy testing standards into its product reviews, to name and shame companies that turn a blind eye to this problem. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was early and requires public and expert assistance.

This week these groups shed a little more detail on the new effort, which they claim is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:

“We are focused on ensuring the Standard’s maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved.”

The emerging standard would incorporate 35 different security and privacy testing standards into product reviews, with a heavy emphasis on the obvious need for quality encryption, non-default usernames and passwords, transparency as to what data is collected and who it’s being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.
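Of the criteria listed above, the one that is easiest to turn into an automated test is “non-default usernames and passwords”. The following is an added example, not code from the Digital Standard or from any of the groups behind it; the list of factory defaults, the entropy threshold and the sample fleet of camera credentials are all constructed for illustration. It flags a device if its credential is on a known-default list, if the same password is shared by more than one unit in the batch (the classic “admin/admin on every camera” failure behind the Krebs and Dyn botnets), if the password is derived from the printed serial number, or if it is too short to resist an online guess.

```python
"""Added illustration: an automated check for the 'non-default usernames
and passwords' criterion, run over a constructed sample of per-device
factory credentials. Not the Digital Standard's own test."""
import math
from collections import Counter

# Constructed list of well-known factory defaults (hypothetical, not the
# Standard's list). Real lists are much longer.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("admin", "1234"), ("root", "12345"), ("admin", ""),
}

def password_entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character
    classes actually used). Good enough to catch 'admin' and '1234'."""
    if not pw:
        return 0.0
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33          # printable ASCII punctuation
    return len(pw) * math.log2(charset)

def audit_credentials(fleet, min_bits=40.0):
    """fleet: list of (device_serial, username, password) tuples.
    Returns {serial: [findings]}; an empty list means the unit passes."""
    pw_counts = Counter(pw for _, _, pw in fleet)
    report = {}
    for serial, user, pw in fleet:
        issues = []
        if (user, pw) in KNOWN_DEFAULTS:
            issues.append("known-default")
        if pw_counts[pw] > 1:
            # Same secret on several units: one leak unlocks the batch.
            issues.append("shared-across-devices")
        if password_entropy_bits(pw) < min_bits:
            issues.append("low-entropy")
        if pw and (pw in serial or serial in pw):
            # Password printed on the label or derived from it.
            issues.append("derived-from-serial")
        report[serial] = issues
    return report

def fleet_passes(fleet, min_bits=40.0):
    """True only if every unit in the batch has a unique, strong,
    non-default credential."""
    return all(not v for v in audit_credentials(fleet, min_bits).values())

# Constructed sample batch of five cameras (hypothetical serials).
SAMPLE_FLEET = [
    ("CAM-000001", "admin", "admin"),            # textbook default
    ("CAM-000002", "admin", "admin"),            # same default, shared
    ("CAM-000003", "root",  "CAM-000003"),       # password == serial
    ("CAM-000004", "owner", "x7Qp-92mL-kV3z"),   # strong but reused
    ("CAM-000005", "owner", "x7Qp-92mL-kV3z"),   # ...on a second unit
]

if __name__ == "__main__":
    for serial, issues in audit_credentials(SAMPLE_FLEET).items():
        print(serial, "PASS" if not issues else ", ".join(issues))
    print("batch passes:", fleet_passes(SAMPLE_FLEET))
```

The uniqueness check is the one most vendors miss: a password that looks strong still fails the criterion if it is burned into every unit of a production run, because a single firmware dump or label photo then unlocks the whole fleet.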

Traditionally, IOT companies have disregarded these issues in both their business models and product design, creating Schneier’s unaccountable “invisible pollution” (for example when your cheap ass Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDOS attacks without your knowledge or consent). Convincing companies (especially when they’re overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn’t been easy.

As such, the OTI tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that firms like the Ponemon Institute have estimated that the average data breach in 2017 cost “responsible” businesses $3.5 million. Not to mention the costs of downtime from massive DDoS attacks like the October 2016 attack on Dyn, or the costs of having to deal with regulatory action because of the lack of common security sense we’ve seen applied to everything from smart TVs to in-car infotainment systems.

Still, the temptation to disregard security and privacy and just move on to marketing the next IOT product in the pipeline is a siren song that will be hard to resist (especially for overseas Chinese vendors), and it’s going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.


Comments on “New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices”

Anonymous Coward says:

but will this even make much of a difference?

Back in the early days of the Internet, there were more than a few activists loudly complaining that the vast majority of email servers were doing unencrypted plain text logins. A decade later, the situation had barely improved, despite the fact that all the tools needed to fix the problem had been available for many years.

The problem is that the vast majority of people don’t care one bit about security, and tend to brand anyone who does as some kind of paranoid conspiracy kook. That’s just about as true today as it was 25 years ago, when the few people who taught themselves how to use PGP discovered it was a complete waste of time because everyone else they ever knew with an email address thought PGP was too silly to bother with.

Hopefully this new OTI standard will not just be taken seriously, but will be widely if not universally adopted. But based on the history of internet security (non)adoptions, that’s likely to be another pipe dream.

Anonymous Anonymous Coward (profile) says:

The next step is marketing

The way I see it is that this is a good start. There may be other things that need to be added to the standard, as we grow and learn and new vulnerabilities are discovered. But much more important is adoption. This comes in two parts, the first is getting consumers to know about and understand the issues created by the lack of security and privacy in IoT devices. This could become a reality by getting more mainstream press to cover the story, and that might be accomplished by exposing some of the more popular devices, and what that lack of security and privacy might mean to the average, or less than average, users.

The next step would be to show the importance of the evaluations by third party tech organizations. Consumer Reports is a good start, but since it is paywalled it should not be the only source of such information. Getting consumers to value ratings by such organizations, and getting those ratings to be freely available to consumers is very, very important. Once consumers begin to value those ratings, they will become important to the manufacturers.

Rich Kulawiec (profile) says:

“Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale — especially if these flaws are allowed to impact integral infrastructure systems.”

Like driverless vehicles. The cheerleaders for these like to pretend that they’re exempt from the dumpster fire, but in fact they may be the worst part of it.

Last week’s Uber incident was only the beginning.

Ninja (profile) says:

Re: Re:

Hmm, as far as I could understand the incident was caused by lousy programming, not because of some hacking. While I agree with you that it is something to worry about, driverless cars will be subjected to much more scrutiny and regulations than your standard camera or DVR precisely because it’s much easier to see the problem. DDoS attacks are an abstract, possibly alien concept to most of the population.

Uriel-238 (profile) says:

Re: Re: Three Layers of Fictionalization

Dear Boss:

Last night, when Nunzio and I were finishing up the special task you sent us on, a movie idea came to my head. On my off time, I jotted down a script and thought, y’know, this ain’t half bad. So I send it to you, hoping one of your studio lots might make use of it. Let me know.

SETTING: Classy office in a publishing company. BURTON is behind the desk looking at a manuscript. DANIELS the author is in front of the desk nervously sitting in a chair.

DANIELS: This is, of course, an early draft. I can change names, circumstances. Whatever you need.

BURTON: The premise sounds a bit wonky. Let’s take a look.

(Voice over as Burton reads the story.)

Little Sue was all good and tucked into bed. "Daddy, I’m ready for bed. Is it story time?"

Daddy sat down at the side of the bed "It sure is, pumpkin. Do you want to hear a particular story?"

Sue giggled. "Surprise me," she said.

Daddy began "Long ago there were two princesses Avril and Clara who spent their days in the royal garden laughing and playing. One day while running through the daffodil thickets, Clara tripped and fell into the fountain. She got her clothes all wet and had to take them all off…"

Sue’s little face soured. "You told me that one yesterday," she said.

"Whoops!" Daddy said. "Okay, let me start again." He breathed. "Once upon a time there was a land where devices were connected to the internet. It was really nifty, because someone could take pictures remotely, or adjust their thermostat before they got home, or check their email on their refrigerator as they were getting breakfast. Only these devices were not built with locks, so mischievous little boys could find them on the internet and repurpose them to obey a supreme master computer. With enough devices they could force large portions of the internet to malfunction, in what was called a Distributed Denial of Service attack, or DDoS.

Only the camera owners didn’t care, because the cameras still worked. And the camera makers didn’t care, because it wasn’t making their customers unhappy. So a man in a hat came up with an idea: Let’s make our own botnet out of all these devices and DDoS the camera manufacturers. That way it WILL be their problem."

Sue asked "But wouldn’t that be highly illegal, and in violation of the CFAA? He’d go to jail for that longer than he would for murder or child endangerment."

"Desperate times call for desperate measures, my sweet." Daddy replied.

BURTON: Is this a story of a father corrupting his own daughter?

DANIELS: (Nods) It’s a slow burn. Something of objective horror fiction with a sci-fi twist.

BURTON: (shakes his head) I don’t think we have an audience for it. But let me give you a phone number.

Mike Linksvayer (profile) says:

This week these groups shed a little more detail on the new effort, which it claims is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word.

I couldn’t figure out from the PDF linked to in the article text above what the context of this was. Here’s the blog post announcing the PDF: (March 23)

The only new detail shed is that they’re starting a promotional effort for The Digital Standard. Which is good!

Anonymous Coward says:

Wow. Bruce Schneier seems to think his words are so magic that care itself will go away simply because he said “no one cares”. Of course, he and like-minded ilk (those who hang on his every word, as “if” he were an expert, even though he became irrelevant years ago, when most know the only reason he is still referred to as one is because he is a Jew in the industry, and this being true regardless of how you feel about that statement), like Steven Gibson, are so out of touch with what is actually going on in the industry they can barely make heads or tails of their own reports at their highly advanced ages. They do not know the mindset of anyone else, they only know what is conducive to apathy and that is what they spout because that is their wont. Plenty of people cared, and still do, while they lie through their teeth.


Steven Raker (user link) says:

The Dutch police

The Dutch police have brought down the world’s biggest DDoS-for-hire service, which helped international cybercriminals launch over 4 million attacks, and arrested its administrators yesterday with help from the Dutch Police.
An operation led by the UK’s National Crime Agency (NCA) and the Dutch Police, dubbed “Power Off,” with the assistance of Europol and a dozen other law enforcement agencies, resulted in the arrest of 6 members of the group behind the “” website in Scotland, Croatia, Canada and Serbia on Tuesday.
