The letter was sent to a “who’s who” list of 25 players in the market, including Google Nest, Logitech, and Samsung SmartThings.
This letter places Consumer Reports at the forefront of the push for minimum device standards for the IoT. The publication has carved out a reputation as one of the fiercest and most independent consumer advocacy publications anywhere. Their reports and recommendations carry significant weight, are able to directly influence consumers’ purchases, and can even move the stock markets. They cover everything from cars to antivirus.
Privacy is a human right – and good business practice – pointed out Consumer Reports. “All people have an inherent right to privacy—especially within their own homes,” the letter stressed. The authors also pointed out both legal and business reasons for supporting privacy, explaining that the “right to privacy at home is protected in the US Constitution and is clearly reflected in consumer preferences regarding connected products used at home.” They cited the consumers’ concerns that their smart security systems were already invading their privacy (72%) and that nearly a quarter (23%) turn the system off completely when guests are visiting.
Letter recipients were warned that Consumer Reports’ ratings will change to reflect critical security and privacy practices. The letter listed nine features, such as protection against credential stuffing and reuse, user confirmation of credential changes, and mandatory multi-factor authentication, and strongly urged manufacturers to adopt these practices. They also pointed out that not having these features could negatively impact a product’s eligibility for their recommendation.
Most importantly, recipients were given a Monday, January 27 deadline to give Consumer Reports details about “security measures you have implemented for your connected products and what additional security measures you plan to implement in the future (and by what date).” Almost as an afterthought, they said they would welcome a conversation about what the minimum security standards should be for connected cameras and doorbells.
The letter comes at an uncertain time for the IoT sector. While sales of devices are booming, so are the security issues. The FBI has warned about smart TVs. And while the vulnerabilities in Amazon’s Ring devices have gotten a lot of publicity, they are not alone. The Avira IoT team has uncovered a raft of issues in smart devices such as the Hue Philips light bulb, Pearl HD IP camera, Victure PC530 camera, and the Wansview Wireless Cloud IP Camera.
Securing smart devices is a challenge. There are millions of devices already on the market that are insecure by design: they have hard-coded passwords, communicate insecurely online, and are difficult to update. A majority of the attacks on smart devices collected by the Avira honeypot target devices with no or insecure credentials. This variety of device types, and users’ inability to update them or change credentials, is why Avira SafeThings protects home networks at the router level, without requiring user involvement.
In the future, IoT standards such as the SPEC 27072 from the German Institute for Standardization (DIN) and the ETSI TS 103 645 from the Technical Committee on Cybersecurity of the European Telecommunications Standards Institute will be more important. But ahead of mandatory standards, the Consumer Reports’ informal “name and shame” approach has a critical role in promoting device security and giving manufacturers a level platform to explain their progress.