Cyber security ratings


If Only a Simple Gadget Rating Could Save Us from Cyberattack

The suggestion that a security score be awarded to connected devices is a lovely idea that would be almost impossible to implement.

In these hyper-connected days, where every Internet-enabled device appears to be corralled by criminals to carry out cyberattacks, wouldn’t it be great to find a little peace of mind?

Wouldn’t it be nice, say, if every time you went to buy a gadget, a little sticker told you just how secure the device was, so you could make a purchase safe in the knowledge that you were doing the best you could to keep your devices from being hijacked? It might at least ease the headaches of many consumers, who have found their routers and smart baby monitors and Wi-Fi printers hacked, as they look to add smart refrigerators and washing machines and whatever else to their battery of connected domestic devices.

Certainly, that’s what Mike Barton, a British police chief and the U.K.'s policing lead for crime operations, thinks should happen. The Guardian reports that Barton would like companies to publish a security rating on their products, much like they’re required to list energy efficiency ratings in many countries.

“You’ve got a situation where we don’t know what the security is like in the devices we are buying in the Internet of things. It’s just not reported. And yet that is the most significant component of what it is you are buying,” he explained, according to the newspaper, as he described how a smart fridge could be compromised. “It’s not just how many yogurts you are eating that is at risk, it’s that your Internet of things are all plugged into the same network. That is a backdoor into your network.”

Picking through the garble, he is, of course, correct. A device with weak security can be hacked and controlled remotely. That could provide criminals with access to your home networks, or they may use the hardware for a grander purpose by recruiting it to one of the growing armies of Botnets of Things (see: "10 Breakthrough Technologies 2017: Botnets of Things").

Sadly, he pulls up short of actually describing how it would be possible to implement such a rating system. And unlike energy efficiency, which is relatively easy to measure objectively, digital security is a slippery concept. It may be easy enough for a company to tick off boxes to reassure users that they don’t, say, use weak default passwords, but it’s nearly impossible to guarantee that a device’s software doesn’t have security vulnerabilities that could be exploited by criminals.

In fact, the only thing that really is possible to guarantee about any kind of connected device is that it does have some vulnerability—even if it hasn't been identified yet.

The security of a gadget also relies largely on its software. So the ability of a device to withstand hacking can be changed overnight by an update (either improving it or, through shoddy code, making it worse). Similarly, a device's security will degrade over time if it doesn't get updates, as hackers develop new tools and devices sit around using the same old operating systems.

Barton is certainly not the first to voice these kinds of concerns. Last year, cyber security experts warned Congress that the security situation surrounding connected devices was worsening because manufacturers lack incentives to prioritize security. At the time Kevin Fu, a professor of computer science and engineering at the University of Michigan, said that the U.S. government should establish an independent body to test the security of IoT devices. That's perhaps a better idea than Barton’s, but again it’s still not clear how it would work in practice.

For now, then, consumers continue to buy hardware and connect it to the Internet with little idea of how secure the device is, other than some vague notion of trust. There may be a better way, of course, but it’s yet to present itself.

(Read more: The Guardian, “Security Experts Warn Congress That the Internet of Things Could Kill People,” “10 Breakthrough Technologies: Botnets of Things,” “The Internet of Things Goes Rogue”)
