Security Standards for the Internet of (Insecure) Things?

Everything you can think of, and many things you have never dreamed of, are being manufactured with a small Linux operating system and a wireless Internet connection; in simpler terms, a brain, storage, and the ability to communicate. This is the Internet of Things (IoT): lots and lots of “smart” devices talking to each other and phoning home to some data collection or dissemination point. If only the people who design these devices, write the controlling software, and market them to the unsuspecting public were equally concerned with the security of the devices and the privacy and safety of their customers.

As a result of this lack of security in design and manufacture, many of these smart toys and utility devices are being compromised by cyber-criminals and turned into surveillance devices or attack bots.

The Department of Homeland Security and the Federal Communications Commission are already concerned and are calling for voluntary standards. Manufacturers who fail to voluntarily undertake the task of developing secure devices will probably find themselves compelled to do so at some point, either by government regulation or in a courtroom facing an expensive class-action lawsuit.

Currently many of these little machines are poorly secured, very intrusive, and collect lots of personal information that is completely unregulated and can be shared with third parties as the manufacturer sees fit. Not to mention that much or all of this data is transmitted and stored without encryption and can be easily read by unauthorized cyber-snoops.

Consumer Reports has proposed an open-source security standard for manufacturers to voluntarily adopt. The Digital Standard, as it is called, appears to be a well thought-out set of recommendations that would go a long way toward improving the security and safety of these devices, as well as defining who owns the device and the data it collects, and what can be done with that data. It is organized into several main sections:

  • Security (Is it safe?)
    • Build quality
    • Data security
    • User safety
  • Privacy (Is it private?)
    • Access and control
    • Data retention
    • Overreach – collecting too much data
    • Third party tracking and data sharing
  • Ownership (Is it mine?)
    • Who owns the device?
    • Permanence or how long will it be supported?
    • The right to repair
  • Governance and Compliance (Are the manufacturers good?)
    • The manufacturer’s business model (how they make money)
    • Human rights and corporate social responsibility
    • Open systems
    • Privacy policy and terms of service
    • Transparency

For consumers, the most practical thing you can do is perform your own due diligence on each device you are thinking of purchasing. This means understanding what the device is going to do over and above the purpose you are buying it for: what data it collects, where it sends that data, and how long the manufacturer will support it. If you take a minute to look at the Standard, you will begin to understand the issues involved and what is at stake for you personally.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
