Consumer Reports announced this week that it’s creating a standard that protects consumer security and privacy. The objective of the organization, which tests and offers unbiased ratings on thousands of products, “is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.” Consumer Reports hopes that the standard can eventually be used to develop test protocols and help people make better purchasing decisions.
This development is great for consumers who need more tools for judging the security of the products they buy, especially as every device, from televisions to washing machines, seems to have an app or Web connectivity. As Cybereason research has shown, popular consumer products like IP cameras lack basic security standards and have software vulnerabilities that can’t be patched. And as we saw with the DDoS attack against DNS service provider Dyn, poor IoT security can impact enterprises.
Consumer Reports’ standard got Cybereason thinking about what our standard would call for if we created one for embedded system security. So here are our theoretical standard’s basic requirements:
-- All IoT devices need the ability to receive software updates, a feature that an alarming number of products lack. Even if a security problem isn’t evident during a product’s development, manufacturers should assume that an issue will eventually emerge. All products need a mechanism that allows future software and firmware problems to be addressed. People who own vulnerable products that can’t be patched are left with two less-than-ideal options: throw out the device or continue to use it despite the security risks.
-- To decrease the security risks, incentives should be placed around finding bugs. People who discover flaws should be rewarded and praised and their findings should be used to foster a robust security research community. Treating people who discover bugs as security risks and ignoring them or treating them like pariahs won’t improve IoT security.
-- Force users to change a device’s default username and password, a measure also supported by Consumer Reports. And the system people use to change their passwords needs to be easier to use. Getting users to change a default username and password is already challenging. A system that’s overly complicated will further discourage people from taking this action.
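As an added illustration of this requirement (example code written for this post, not Cybereason’s or any vendor’s firmware), the following Python sketch models a device that ships in a factory state where the default credentials can only be used to enter the forced-change flow, and that rejects new credentials which are themselves known defaults. The class name, policy strings and the list of defaults are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample of factory-default credential pairs to refuse as replacements.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("user", "1234")}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored digest is not a reversible copy of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Hypothetical credential store for an embedded device (assumed design)."""

    def __init__(self, default_user: str = "admin", default_password: str = "admin"):
        self.username = default_user
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(default_password, self.salt)
        self.must_change = True  # factory state: only the change flow is allowed

    def password_policy_error(self, new_user: str, new_password: str):
        # Return a reason string when the proposed credentials are unacceptable, else None.
        if (new_user, new_password) in KNOWN_DEFAULTS:
            return "new credentials are a known factory default"
        if new_password.lower() == new_user.lower():
            return "password must differ from the username"
        if len(new_password) < 12:
            return "password must be at least 12 characters"
        if hmac.compare_digest(hash_password(new_password, self.salt), self.digest):
            return "password must differ from the current one"
        return None

    def login(self, user: str, password: str) -> str:
        # Constant-time digest comparison; default credentials never yield a normal session.
        ok = user == self.username and hmac.compare_digest(hash_password(password, self.salt), self.digest)
        if not ok:
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_credentials(self, current_password: str, new_user: str, new_password: str) -> str:
        if self.login(self.username, current_password) == "denied":
            return "denied"
        err = self.password_policy_error(new_user, new_password)
        if err:
            return err
        self.username = new_user
        self.salt = secrets.token_bytes(16)  # fresh salt for the new digest
        self.digest = hash_password(new_password, self.salt)
        self.must_change = False  # leave the factory state only after a valid change
        return "ok"
```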
-- Ultimately, people use IoT devices, and this needs to be remembered when discussing possible government regulations for smart devices. Consumers are more concerned with whether the device will fulfill their needs than with its security. Any standard should come from the perspective of how a person will actually use a device.
The situation around embedded system security needs to improve urgently as our kinetic lives increasingly intertwine with our cyber lives.