We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

Cyber security ratings


If Only a Simple Gadget Rating Could Save Us from Cyberattack

Suggestions that a security score be awarded to connected devices is a lovely idea that would be almost impossible to implement.

In these hyper-connected days, where every Internet-enabled device appears to be corralled by criminals to carry out cyberattacks, wouldn’t it be great to find a little peace of mind?

Wouldn’t it be nice, say, if every time you went to buy a gadget, a little sticker told you just how secure the device was, so you could make a purchase safe in the knowledge that you were doing the best you could to keep your devices from being hijacked? It might at least ease the headaches of many consumers, who have found their routers and smart baby monitors and Wi-Fi printers hacked, as they look to add add smart refrigerators and washing machines and whatever else to their battery of connected domestic devices.

Certainly, that’s what Mike Barton, a British police chief and the U.K.'s policing lead for crime operations, thinks should happen. The Guardian reports that the Barton would like companies to publish a security rating on their products, much like they’re required to list energy efficiency ratings in many countries.

“You’ve got a situation where we don’t know what the security is like in the devices we are buying in the Internet of things. It’s just not reported. And yet that is the most significant component of what it is you are buying,” he explained, according to the newspaper, as he described how a smart fridge could be compromised. “It’s not just how many yogurts you are eating that is at risk, it’s that your Internet of things are all plugged into the same network. That is a backdoor into your network.”

Picking through the garble, he is, of course, correct. A device with weak security can be hacked and controlled remotely. That could provide criminals with access to your home networks, or they may use the hardware for a grander purpose by recruiting it to one of the growing armies of Botnets of Things (see: "10 Breakthrough Technologies 2017: Botnets of Things") .

Sadly, he pulls up short of actually describing how it would be possible to implement such a rating system. And unlike energy efficiency, which is relatively easy to measure objectively, digital security is a slippery concept. It may be easy enough for a company to tick off boxes to reassure users that they don’t, say, use weak default passwords, but it’s nearly impossible to guarantee that a device’s software doesn’t have security vulnerabilities that could be exploited by criminals.

In fact, the only thing that really is possible to guarantee about any kind of connected device is that it does have some vulnerability—even if it hasn't been identified yet.

The security of a gadget also relies largely on its software. So the ability of a device to withstand hacking can be changed overnight by an update (either improving it or, through shoddy code, making it worse). Similarly, a device's security will degrade over time if it doesn't get updates, as hackers develop new tools and devices sit around using the same old operating systems.

Barton is certainly not the first to voice these kinds of concerns. Last year, cyber security experts warned Congress that the security situation surrounding connected devices was worsening because manufacturers lack incentives to prioritize security. At the time Kevin Fu, a professor of computer science and engineering at the University of Michigan, said that the U.S. government should establish an independent body to test the security of IoT devices. That's perhaps a better idea than Barton’s, but again it’s still not clear how it would work in practice.

For now, then, consumers continue to buy hardware and connect it to the Internet with little idea of how secure the device is, other than some vague notion of trust. There may be a better way, of course, but it’s yet to present itself.

(Read more: The Guardian, “Security Experts Warn Congress That the Internet of Things Could Kill People,” “10 Breakthrough Technologies: Botnets of Things,” “The Internet of Things Goes Rogue”)

Keep up with the latest in IOT at EmTech Digital.

The Countdown has begun.
March 25-26, 2019
San Francisco, CA

Register now
Cyber security ratings
Want more award-winning journalism? Subscribe to All Access Digital.
  • All Access Digital {! insider.prices.digital !}*

    {! insider.display.menuOptionsLabel !}

    The digital magazine, plus unlimited site access, our online archive, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    Digital magazine (6 bi-monthly issues)

    Access to entire PDF magazine archive dating back to 1899

    The Download: newsletter delivered daily

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.