In these hyper-connected days, where every Internet-enabled device appears to be corralled by criminals to carry out cyberattacks, wouldn’t it be great to find a little peace of mind?
Wouldn’t it be nice, say, if every time you went to buy a gadget, a little sticker told you just how secure the device was, so you could make a purchase safe in the knowledge that you were doing the best you could to keep your devices from being hijacked? It might at least ease the headaches of many consumers, who have found their routers and smart baby monitors and Wi-Fi printers hacked, as they look to add smart refrigerators and washing machines and whatever else to their battery of connected domestic devices.
Certainly, that’s what Mike Barton, a British police chief and the U.K.'s policing lead for crime operations, thinks should happen. The Guardian reports that Barton would like companies to publish a security rating on their products, much like they’re required to list energy efficiency ratings in many countries.
“You’ve got a situation where we don’t know what the security is like in the devices we are buying in the Internet of things. It’s just not reported. And yet that is the most significant component of what it is you are buying,” he explained, according to the newspaper, as he described how a smart fridge could be compromised. “It’s not just how many yogurts you are eating that is at risk, it’s that your Internet of things are all plugged into the same network. That is a backdoor into your network.”
Picking through the garble, he is, of course, correct. A device with weak security can be hacked and controlled remotely. That could provide criminals with access to your home networks, or they may use the hardware for a grander purpose by recruiting it to one of the growing armies of Botnets of Things (see: "10 Breakthrough Technologies 2017: Botnets of Things").
Sadly, he pulls up short of actually describing how it would be possible to implement such a rating system. And unlike energy efficiency, which is relatively easy to measure objectively, digital security is a slippery concept. It may be easy enough for a company to tick off boxes to reassure users that they don’t, say, use weak default passwords, but it’s nearly impossible to guarantee that a device’s software doesn’t have security vulnerabilities that could be exploited by criminals.
In fact, the only thing that really is possible to guarantee about any kind of connected device is that it does have some vulnerability—even if it hasn't been identified yet.
The security of a gadget also relies largely on its software. So the ability of a device to withstand hacking can be changed overnight by an update (either improving it or, through shoddy code, making it worse). Similarly, a device's security will degrade over time if it doesn't get updates, as hackers develop new tools and devices sit around using the same old operating systems.
Barton is certainly not the first to voice these kinds of concerns. Last year, cyber security experts warned Congress that the security situation surrounding connected devices was worsening because manufacturers lack incentives to prioritize security. At the time Kevin Fu, a professor of computer science and engineering at the University of Michigan, said that the U.S. government should establish an independent body to test the security of IoT devices. That's perhaps a better idea than Barton’s, but again it’s still not clear how it would work in practice.
For now, then, consumers continue to buy hardware and connect it to the Internet with little idea of how secure the device is, other than some vague notion of trust. There may be a better way, of course, but it’s yet to present itself.