Close-up of weatherproof outdoor Nest home surveillance camera from Google Inc installed in a smart home in San Ramon, California, August 21, 2018. (Photo by Smith Collection/Gado/Getty Images)
The state of smart-home security should be embarrassing. Take for instance the webcams hacked and exploited to launch massive denial-of-service attacks, or the smart doorbell video footage recently left unsecured online. But that doesn’t seem to have been enough to get manufacturers to improve the security of their devices. So a set of consumer groups are trying a different approach: shaming the retailers that sell hackable “Internet of Things” hardware.

That’s the idea behind a “Dear Retailers” open letter posted Tuesday by 11 groups, including the Mozilla Foundation (the non-profit behind the Firefox browser), the Internet Society and the Center for Democracy & Technology. The letter challenges Amazon (AMZN), Best Buy (BBY), Target (TGT) and Walmart (WMT) to limit their IoT inventory to devices that meet a minimum set of security standards.

It’s a good idea, but one unlikely to drive any quick changes in what you see on store shelves. The only short-term upgrade to IoT security may come from customers knowing enough to avoid insecure gear on their own.

Minimally viable products

The open letter and a linked document posted in November offer a five-part definition of “secure enough.”

That list starts with encrypted communications—a must to ensure that an attacker can’t snoop on your smart home or, more importantly, tamper with commands sent to and from its various gadgets.

Security updates for devices must also be automatically downloaded and installed. They’re also supposed to be provided “for a reasonable period after sale,” but neither document says how long that period should be.

Devices also need strong passwords for remote access, meaning they’re both sufficiently complex to defy guessing attempts and unique to each device. Insecure default passwords, some hard-coded into devices, have figured in many past IoT breaches.

Finally, the documents call on companies to be diligent and consistent in handling reports of vulnerabilities—something many firms flub today—and fixing them. They should also tell people what they’ll do with their data and give them the right to opt out of its usage and the ability to delete it.

Will retailers respond?

All that sounds great, but will retailers do anything in response to the letter?

“We think change is on the horizon,” Mozilla campaigns director Sara Haghdoosti said in an emailed statement. “Last year, we saw Target, Amazon and Walmart respond swiftly when we asked them to take CloudPets, a highly-vulnerable smart toy, off their shelves.”

That poor security left some 2 million audio messages that children sent to their friends unguarded online.

But shaming retailers over individual products doesn’t scale, Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance and an architect of the shaming initiative, explained via a statement.

“Generally, we’ve found that targeting individual products isn’t a sustainable approach, but it can be used to draw attention to the overall issue,” Wilbur said.

Among the retail foursome of Amazon, Best Buy, Target and Walmart, only Target responded to queries sent Tuesday afternoon. Spokesperson Jenna Reck said Wednesday evening that the company had no comment on the letter.

You’re on your own

You may have to forgive these retailers if they don’t immediately scrub their inventory of insecure IoT gadgets: The minimum-standards effort has yet to yield a comprehensive list of adequate products that they could consult.

This leaves you, the shopper, somewhat out of luck too.

The Internet Society’s Wilbur suggested looking into Mozilla’s Privacy Not Included, a database of 87 devices that grades each one against minimum-security guidelines. Forty-two get a checkmark for meeting those standards, including Amazon’s (AMZN) Echo, Google’s (GOOG, GOOGL) Home smart speakers, Nintendo’s Switch gaming console and Philips’ Hue smart-light kit.

The site also lets visitors vote on the relative creepiness of these devices, which leads to some interesting mismatches: Amazon’s Cloud Cam complies with the security guidelines but got hit with a “Super creepy!” assessment.

Mozilla’s Haghdoosti recommended following the Usable Privacy Policy Project, which rates and annotates data-usage policies, and Trustable Technology Mark, an initiative under way to identify IoT gear that prioritizes privacy and security.

Note that none of those resources are called out in the letter or the security-guidelines document.

Consumers Union (disclosure: I have occasionally written for Consumer Reports) has its own Digital Standard effort under way to test the security of smart-home gear, while Underwriters Laboratories is developing cybersecurity labels.

But for now, there’s no generally-recognized label along the lines of the government’s Energy Star logo to identify smart-home stuff that’s secure enough. We also seem a considerable distance away from the government requiring any such standards.

Instead, you’ll have to read the fine print of a connected gadget’s specifications and manuals to get a sense of where privacy lands among its priorities.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.
