Security Standards for the Internet of (Insecure) Things?

Everything you can think of, and many things you have never dreamed of, are being manufactured with little Linux operating systems and wireless Internet connections. Or in simpler terms, a brain, storage, and communications ability. This is the Internet of Things (IoT): lots and lots of "smart" devices talking to each other and phoning home to some data collection or dissemination point. If only the people who are designing these devices, writing the controlling software, and marketing them to the unsuspecting public were as concerned with the security of these devices and the privacy and safety of their customers as they are with getting them to market.

As a result of this lack of security in design and manufacture, many of these smart toys and utility devices are being compromised by skilled cyber-criminals and turned into surveillance or attack bots.

Homeland Security and the Federal Communications Commission are already concerned, and calling for voluntary standards.  Manufacturers who fail to voluntarily undertake the task of developing secure devices will probably find themselves compelled to do so at some point by government agencies, or in a courtroom facing an expensive class action lawsuit.

Currently these little machines are largely insecure, very intrusive, and collecting lots of personal information that is completely unregulated and can be shared with third parties as the manufacturers see fit. Much or all of this data is transmitted and stored without encryption, and can be easily read by unauthorized cyber-snoops. The Digital Standard proposed by Consumer Reports (described below) appears to be a well thought-out set of recommendations that would go a long way toward improving the security and safety of these devices, as well as defining who owns the devices, who owns the data collected, and what can be done with it.

Consumer Reports has proposed an open source security standard for manufacturers to voluntarily adopt. The Digital Standard, as it is called, comprises several main sections, such as:

  • Security (Is it safe?)
    • Build quality
    • Data security
    • User safety
  • Privacy (Is it private?)
    • Access and control
    • Data retention
    • Overreach – collecting too much data
    • Third party tracking and data sharing
  • Ownership (Is it mine?)
    • Who owns the device?
    • Permanence or how long will it be supported?
    • The right to repair
  • Governance and Compliance (Are the manufacturers good?)
    • The manufacturer’s business model (how they make money)
    • Human rights and corporate social responsibility
    • Open systems
    • Privacy policy and terms of service
    • Transparency

For consumers, the only thing you can do is perform your own due diligence about each device you are thinking of purchasing. This means understanding what your prospective device is going to do, over and above the purpose you are buying it for. If you take a minute to look at the Standard, you will begin to understand the issues involved and what is at stake for you personally.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
