Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking

from the Russians-hacked-my-toaster.-Again. dept

Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.

Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.

As it stands, most of the proposals are common sense and take aim at the most common issues in the IoT space. For example, encouraging companies to spend a few minutes engaged in "penetration testing" of their products before shipping (a novel idea!). The standard also hopes to ensure that companies notify consumers of what's being collected and who it's being shared with, and that devices aren't using default login credentials. But Consumer Reports also notes that it hopes to develop these standards with an eye on more broadly incorporating them into product reviews:

"The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols. We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance."

This isn't the first effort of this type. Both the Department of Homeland Security and the FCC have started pushing for some sort of voluntary, consistent standards. Of course, the problem is that these standards are voluntary, meaning that the kind of companies that cut corners in the first place to sell unsecured products aren't likely to give much of a damn. It's why folks like Bruce Schneier have advocated for stronger regulations. But with government agencies already walking back even existing consumer privacy protections under Trump, that doesn't seem likely anytime soon. And even if they were open to it, does anyone actually think that federal bureaucrats would come up with reasonable, workable standards that didn't do more harm than good? Having prominent reviewers such as Consumer Reports take this on through an open standard and reviews seems like a pretty good way of shaming companies into better behavior.

Consumer Reports is quick to acknowledge this is just the beginning of what they hope evolves into a more comprehensive standard:

"The standard as it’s now written is a first draft. We hope that everyone from engineers to industry groups to concerned parents will get involved in shaping future versions of it. We’ve placed the standards on GitHub, a website that’s widely used by software developers to share ideas and work on group projects. Because GitHub can be hard for newcomers to navigate, we’ve also built a website that has the same information."

Folks that are curious or want to lend their assistance can check out the full standard here.


Reader Comments



  • Agammamon, 10 Mar 2017 @ 5:18pm

    "In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities."

    Uhm, no.

    Because of *consumer apathy*, companies - which exist to make money for owners by serving customer desires - have not had any incentive to prioritize consumer privacy over any of the other consumer priorities.

    Companies can not read minds. All these companies did was offer a product.

    If you want companies to prioritize consumer privacy - and it will *never* top 'profits' as a company's number one priority - then you need to let them know (by not purchasing shit just because it's shoveled in front of you) that it's important to you.


    Now, this open-source security standard is, IMO, a great idea - but it will only take off if consumers give a damn. If you're going to place blame, place it where it belongs.

    The only other option is to get the government involved and there goes your open-source, quick-reacting-to-changing-circumstances, easy compliance standard and in comes your 'big-players-in-industry-lobbying for a standard and compliance documentation that they can afford the costs of but will drive small competitors out of business'.

    Because, in the end, all companies are driven by the search for profits.


    • Anonymous Anonymous Coward (profile), 10 Mar 2017 @ 5:36pm

      Re:

      Maybe then, the way is through the consumer's heart. If it is possible to detect DDOS type activity over a specific IP address, then threaten the consumer that runs that IP with potential disconnection unless they disable their Internet of Broken Things. The consumer backlash may not fix already deployed stuff, but it may move consumers to look for a Consumer Reports Sanctioned emblem on new products to purchase, or some other statement of appropriate sincerity. Of course, significant marketing of any new standard would be a necessity.


    • Anonymous Coward, 10 Mar 2017 @ 6:30pm

      1 size fits all

      Consumer markets will adjust. Mass internet is still a comparatively new item on the time scale of consumer appliances. Early automobiles had no locks or security at all, but markets soon caught up with needs and automobile security is still evolving even today.

      ____________________

      "Consumer Reports is quick to acknowledge this is just the beginning of what they hope evolves into a more comprehensive standard..."

      Well, ConsumerReports is a left-progressive organization that luvs government regulation and government mandates. Suspect they would eventually luv to see Federal mandatory "standards" for all the Internet-of-Things... dictating hardware & software design to all.

      We all know how so very concerned the Feds are about citizen privacy and prevention of hacking --- the NSA/CIA/FBI/etc devote almost all their time protecting citizen electronic communications from surveillance and hacking?
      The Feds would never insist on IoT BackDoors?

      (Fed mandatory standards on car airbags really worked out great -- everybody is required to have an unstable Explosive-Device in front of their face when riding in a car. Brilliant; ConsumerReports luvs it)


      • Anonymous Anonymous Coward (profile), 10 Mar 2017 @ 6:57pm

        Re: 1 size fits all

        This isn't a question of left or right or regulation. It is a question of education. The education of an unconcerned populace who are more interested in 'shiny' than the downsides of their acquisitions.

        Consumer Reports has a reputation in the general consumer market, and their recognition of the issue may go a long way in terms of marketing the actual threats presented by insecure IOT devices. Eventually, and hopefully sooner rather than later, other media will explain the issue to the populace.

        Making the issue important to Joe Sixpack and his cousins is a better way to go, rather than regulation. But the market must become aware of the issue, and the issue must become important to them in order for anything to happen with the manufacturers. Otherwise, the government will do hamfistedly what the government does.

        Other than that, your rant is meaningless.


      • Anonymous Coward, 10 Mar 2017 @ 7:10pm

        Re: 1 size fits all

        Lol, an actual anti-airbag person.


      • Thad, 12 Mar 2017 @ 9:27am

        Re: 1 size fits all

        "Early automobiles had no locks or security at all, but markets soon caught up with needs and automobile security is still evolving even today."

        Funny you bring up cars, an industry where companies deliberately chose not to include safety features because they were too expensive, and only improved due to lawsuits and government regulation.


      • Anonymous Coward, 13 Mar 2017 @ 2:02am

        Re: 1 size fits all

        We have another one over here.
        "Early automobiles had no locks or security at all" We're not in the late 1800s anymore. Also criticizing airbags...
        Repeating late 19th century mistakes is not what having a "free market" is supposed to entail.
        Now little corporation, tell us where did the bad security regulation touch your profit?


    • Not an Electronic Rodent (profile), 11 Mar 2017 @ 5:35am

      Re:

      "If you want companies to prioritize consumer privacy - and it will never top 'profits' as a company's number one priority - then you need to let them know (by not purchasing shit just because its shoveled in front of you) that its important to you."

      There's something to what you say, though I suspect in many cases it's lack of knowledge rather than apathy. Most people I mention this kind of stuff to are surprised to learn just how vulnerable or intrusive this stuff can be.

      Plus, it's not that simple - take "smart" TVs for example. Bought one a couple of years ago - big screen - in full knowledge of the abortion that is security and privacy on the things. Because I don't care? No, because my previous big screen died and you can't buy a NON-smart screen in this country now without paying double the price.

      So my choices are: don't have a TV, pay a fortune, or buy the thing and make sure it's never anything but a dumb screen. Guess which is the only practical option? Also, for bonus points, guess how much response I got from the company for pointing out the insane cost of a screen with less in it and why I wanted one?


    • Anonymous Coward, 11 Mar 2017 @ 5:45am

      Re:

      "Because of *consumer apathy*"

      Victim blaming guy is at it again.

      The only reason for bad products is because consumers want bad products, not because corps are bad at making shit.


    • Thad, 12 Mar 2017 @ 9:24am

      Re:

      "Because of consumer apathy, companies - which exist to make money for owners by serving customer desires - have not had any incentive to prioritize consumer privacy over any of the other consumer priorities."

      If you put the onus for safety improvements at consumers' feet, you're never going to get safety improvements. What's easier, making safer cars, or teaching people to be better drivers?

      You're suggesting consumers who don't know the difference between Windows and Office should be able to make a value judgement about whether or not the TV they're buying is going to spy on them. Okay. How do you propose to do that?


      • Wendy Cockcroft, 13 Mar 2017 @ 7:04am

        Re: Re:

        It's a pro-corporate logical fallacy designed to shut down argument, Thad, the fallacy being that consumers are constantly skeptical when making purchasing decisions. That whole "Caveat emptor, i.e. Hah! Got your money, sucker!" attitude is why we have consumer protection laws — and why we need to enforce them good and hard.


  • Mark Wing, 10 Mar 2017 @ 5:23pm

    I spent 25 years writing code for infrastructure type industries like insurance, financial, communications, etc., and not once in that time did anyone ever ask me to work on making something more secure, or more reliable. In fact, my corporate overlords were almost always against spending development time on such petty intangibles.

    Security isn't sexy. It's hard to sell security. It's kind of like the police--no one cares about it until there's a dead body in your lobby.


  • Anonymous Coward, 11 Mar 2017 @ 4:32am

    I'm not going to wait up to see the first corporation that actually cares one whit about the people it's selling junk to.


  • Anonymous Coward, 11 Mar 2017 @ 5:42am

    "Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking"

    Too late


  • anonymous, 11 Mar 2017 @ 7:31am

    Consumer Reports on YOU, you mean.

    If the TV in the store can spy on me, I won't buy it. I don't care JACK about any value added services.

    Done and done.


  • Marvin (profile), 11 Mar 2017 @ 9:34am

    A few Bankruptcies will make IOT a lot more secure

    The Internet of Things is simply a bad idea. Working in an area where security was essential, we did EM sweeps to keep bugs out and never connected to the Internet. We used couriers to transfer sensitive information and kept the Internet separate from the networks where sensitive information was processed.
    The Internet of Things is so insecure and provides so many avenues into your information that it is a nightmare happening right before our eyes. The answer is to make the technology safe by making its sellers legally liable for security breaches.
    Cars being hacked for assassinations is a simple and quick example of things happening that require much better security. Holding the people that allow communication with your equipment legally liable for both criminal and civil acts is the market way of making these careless bas**rds a little less careless. A few bankruptcies could make the IOT a lot better.


  • EducateElectedOfficialsNext, 11 Mar 2017 @ 10:40am

    About Time and Thank You Consumer Reports

    With standards, we get better products.

    As IOT is all over the market, from wifi cameras to thermostats, remote door locks to that huggable (and fiercely insecure) child's toy, I appreciate that Consumer Reports is stepping into the fray and providing some level of sanity and reason along with education.

    Hopefully what they learn and what the standards move towards will be heard in the halls of Congress or the House of Lords or any government that wants to ensure the safety of their citizens.

    For me, it's about long term goals.
    IOT is about convenience, not necessity.

    Right now I see IOT as a weapon being used to make everything insecure for nefarious purposes. How can I treat it otherwise?

    I wouldn't buy anything IOT. I look for dumb television monitors, not smart TVs, I'd never buy a wifi enabled device that controls any aspects of my home or business, and I wouldn't allow my child near an IOT teddybear. (Anyone remember the Barney doll that used on-air television whitespace to program and it ended up swearing at children?)

    IOT is like the latest model mobile device, shiny with rounded corners, full of eye candy that steals your data and shares it with hostile governments which then use it to cash out your tax return. No thanks... until standards are set, security is verified and we can trace the supply chain for all the parts used.


  • Digitari, 11 Mar 2017 @ 10:42am

    "Smart" things

    I have a "smart" TV. It cannot connect to the net, at all. It works fine, as a TV, not a "media center". To each their own; if I want to watch a movie or some such I plug in a thumb drive with the content of my choice on it.


    • Anonymous Coward, 13 Mar 2017 @ 12:37pm

      Re: "Smart" things

      "I have a "smart" TV. it cannot connect to the net, at all"

      How sure can you be of that? Many of these have wi-fi, and if they're not receiving regular updates there are probably some exploitable video-parsing bugs. If you download the wrong video—or someone manages to embed it into a digital broadcast—the TV might end up connected to a neighbor's wi-fi, reporting your viewing habits.


  • reza (profile), 12 Mar 2017 @ 8:35am

    internet of things

    Nice article.
    "The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols"
    It's thinkable.


  • Anonymous Coward, 13 Mar 2017 @ 5:42am

    too late


  • Ninja (profile), 13 Mar 2017 @ 7:18am

    It's a matter of how you market things. "Our products are compliant with Consumer Standard X in terms of security and privacy. The product, your network and your data are behind strong security protocols that help prevent them from falling in the hands of criminals via hacking and your privacy is safeguarded by stringent standards we are committed to."

    In this day and age of fears this can be a selling point.


