- Internet-connected objects are rapidly filling our lives and homes
- Unsecured smart appliances may leave consumers vulnerable to data breaches and worse
- A unified Digital Standard could set the security bar for manufacturers of these devices
Imagine you and some friends want to commit a daring casino robbery. You don’t have enough people to overpower the casino security staff, and let’s face it – you’re not smooth enough to pull off an Ocean’s Eleven heist. So, what do you do?
If you have the technical know-how, you might hack a fish tank thermometer.
That might sound strange, but it’s exactly what happened to one unlucky casino. Hackers used the internet-connected thermometer in a fish tank on the casino floor to access a database that held a list of high-rollers—incredibly valuable information in the gambling industry.
These are the kinds of data breaches that Maria Rerecich, Director of Electronics Testing at Consumer Reports, dreads.
When is a TV not a TV?
Rerecich’s job is ensuring that consumers have all the information they need about the items they buy. Lately, she’s noticed an uptick in devices connected to the internet, a trend known as the Internet of Things (IoT).
“Different things are becoming connected now, it's not just computers and smartphones,” Rerecich says. “It's door locks, thermostats, refrigerators, gas grills. We're seeing all these products that were just things before, now they have this whole internet capability as well. So how do we handle that?”
Rerecich and her colleagues believe they may have the beginnings of an answer. Along with security firm Cyber ITL, privacy activists at Ranking Digital Rights, and software developer Disconnect, Rerecich and her team have developed what they’re calling the Digital Standard.
This framework lays out expectations consumers should have about the IoT products they purchase, such as the use of data encryption or requiring the user to enter a secure password. The idea is to create a standard that companies should aspire to achieve.
Rerecich and her team also focus on how companies use their products to mine data from their unwitting customers. Some data collection may be necessary, e.g., when an item is malfunctioning, but it can be hard for the average consumer to decide where to draw the line.
People think of a TV as a TV, they don't think of it as a TV AND something that's sending what they're watching out to the manufacturer.
Says Rerecich, “Is information from a connected refrigerator only going to the manufacturer so they can figure out how big to make the refrigerator, or are they sending it to a health insurance company to tell them how much chocolate cake you're eating?”
While sharing personal data with a corporation may make you feel uneasy, there’s another danger here: a man-in-the-middle (MiTM) attack. That’s when hackers get in between your machine and whatever it’s communicating with in order to intercept data.
In this scenario, an IoT door lock could communicate to its manufacturer that you haven’t opened your door in a week—information that, if intercepted, also alerts burglars that your home is ripe for robbery.
Find security without losing your mind
These kinds of security revelations can make consumers feel helpless and scared, but Rerecich doesn’t see things that way. Rather, she views the IoT as a new challenge that we have every ability to overcome. We just need to start now.
She hopes that initiatives like the Digital Standard will push manufacturers to realize the importance of IoT security and implement solutions. But since corporations aren’t famous for doing what they don’t have to, it will likely take a concerted effort by consumers and the scientific community for the Digital Standard to work as intended.
Which is why Rerecich is calling for broad community participation.
“We have the Digital Standard on GitHub, and it’s open for comments, questions, and pull requests,” says Rerecich. “Any improvements anyone wants to suggest can be put up there, and we’ll use them to improve the Standard as we move forward.”
Rerecich also points out that the Digital Standard offers an excellent opportunity for students and researchers.
“Someone can take a section that’s not very well defined and do some testing on different products to work out what’s missing from our current model,” she says. “A good research project would be developing some tool suites that make it not only more automatic, but more consistent to do this testing.”
We have a long way to go before the IoT is secured. But efforts like the Digital Standard are at least giving us a report card to show how far we’ve come.