Well, if you needed any more evidence that the Internet of Things is here, and that it represents an entire world of new security issues, there's news of a major change coming to Consumer Reports. Reportedly, this well-respected evaluator of consumer and business products is about to start including cyber-security ratings in its reviews. These evaluations will be based upon newly-created open collaborative standards in digital security, meant to standardize what has previously been a wholly subjective and constantly-changing field.
So today, we wanted to briefly take a look at these changes and what they may mean for IoT security going forward.
It's no surprise that Consumer Reports is becoming interested in cyber security. An increasing number of household appliances are becoming Internet-aware, even things like washing machines and refrigerators, and that opens up an incredible new world of potential security risks. This is particularly true in "smart home" or "smart office" configurations where multiple appliances and in-room services are tied together through central controllers. Remember the recent Target attack? That was from an HVAC piece.
The idea of a home or office seeing its security system compromised due to a vulnerability in its refrigerator may sound weirdly sci-fi, but that sort of thing will be a genuine threat very soon - if it isn't already. One of the many "X-Factors" in IoT security is that the groups who are most interested in finding and exploiting such vulnerabilities aren't exactly publishing their findings.
So, in the months to come, Consumer Reports is going to start including ratings on the safety, security, and hack-ability of products, in hopes of starting to educate buyers on this major security problem.
And they'll be doing it in coordination with The Digital Standard.
Introducing The Digital Standard
As we mentioned above, one of the biggest problems with IoT security is that there are no agreed-upon standards or protocols for security. As such, it's up to each device manufacturer to implement their own policies - for good or ill.
In some cases, of course, this isn't necessarily a bad thing. For example, Cisco acquired IoT powerhouse Jasper Technologies last year, and with them a huge range of AAA-tier clients including Amazon, Ford, GM, GE, Garmin, and Nissan. Cisco will undoubtedly be a powerful force for helping create strong IoT security - at least in their own products. The problem is everyone else, particularly in situations where multiple devices from multiple vendors are interacting. A vulnerability in one could become a vulnerability in all.
This is where The Digital Standard comes in. It is a collaborative "open source" style project between a number of mostly non-profit partners who are all inherently interested in creating solid, achievable standards in IoT security which, hopefully, all respectable vendors can adhere to. These standards will be the basis for Consumer Reports' security rankings.
You can look over their first-draft proposed standards for yourself, although many of the standards are still in the discussion/development phase. Still, on the whole they generally seem quite reasonable - providing clear guidance on matters like password protection, security oversight, bug-patching, and informing consumers about what data is being collected and how it's being used. Other standards will (probably) be used to emphasize customer-friendly policies, such as respecting right-to-repair philosophies.
At Hummingbird, we're all for this. We've been watching the growth of the IoT for some time, and we share the concerns many have about the security problems it will bring, particularly as we're dealing with clients who want the sort of advantages that "smart" home/office technologies bring.
To learn more about IoT security and current best options for keeping yourself safe, contact us with your questions!