US non-profit product testing publisher Consumer Rights has teamed up with a former Google cybersecurity expert to start the gigantic task of testing the security of Internet of Thing (IoT) products.
Manufacturers have already connected air conditioners, baby monitors, fridges, TVs, toasters and thermostats to the internet but security researchers prove time and again show that cybersecurity is at best an afterthought.
The latest evidence of lax security was the breach of a database owned by Spiral Toys containing 800,000 credentials of users of its CloudPets line of connected toys, which lets parents and children to send messages to each other. Australian security researcher, Troy Hunt, found it didn’t put a password on its credentials database and did little to protect more than 2.2 million audio recordings between senders stored in Amazon’s cloud.
Bringing attention to security flaws is one thing, but now, Consumer Rights, wants to give consumers the tools to judge products before buying them and, in turn, send signals to the market that IoT security does actually matter.
The publisher, which already tests these products for safety, value and quality, will begin offering reports that evaluate a company’s approach to cybersecurity and privacy.
For security testing Consumer Reports has teamed up with Cyber Independent Testing Lab (CITL), a non-profit pen test firm founded by famed whitehat hacker Peiter “Mudge” Zatko, who left Google in 2015 after a stint at the research arm of US Defense, DARPA. He was also one of the leading members of the influential cybersecurity think tank L0pht.
CITL uses automated tools to check whether software contains defenses that prevent attackers from harming users. Consumer Reports is looking to include CITL’s tools into its testing.
“The security community has been trying for years to get people to care more about software security, and now people finally do. But the security community is not providing consumers with meaningful things to do about it,” said Mudge.
“You cannot tell people everything's on fire, and then not have anything positive for consumers to do. We want to give all types of consumers the information they need to make smart security and safety decisions on what products to choose and use,” he added.
Consumer Reports today also published a draft open standard, which is also available on GitHub for developers, that asks questions about the security and privacy factors that affect the risk to users of connected products. Each category can guide secure product development and management practices, but also serves as a reminder about the many ways user security and privacy can be compromised.
The standard covers security, privacy, ownership, governance and compliance, and whether it supports open innovation.
Security related questions encompass software development practices, a company’s willingness and capacity to respond to bug reports, use of encryption, vulnerability to known flaws, requirements for the user to set a good password, and whether the company helps protect users from online harassment.
Privacy considerations include whether a company collects personal information and offers users control over that collection, data retention and deletion practices, and whether a company notifies authorities and affected users when a breach occurs.
The standard is also designed to hold companies to account to policies regarding sharing user data with governments and third parties, including whether the company tells users if any third-party requests the user’s information.
Consumer Reports notes that while there have been recent efforts in the public and private sectors to bring closer oversight to the security of connected devices, these have typically been narrow in focus and haven’t been widely supported.
“If Consumer Reports and other public-interest organizations create a reasonable standard and let people know which products do the best job of meeting it, consumer pressure and choices can change the marketplace. We’ve seen this repeatedly over our 80-year history,” it said.
The new IoT focussed assessments will also receive support from Disconnect, which helps consumers block sites that quietly track users, and the non-profit Ranking Digital Rights (RDR).Read more: New study finds zero-day flaws live for 7 years, supporting stockpiling