Close-up of weatherproof outdoor Nest home surveillance camera from Google Inc installed in a smart home in San Ramon, California, August 21, 2018. (Photo by Smith Collection/Gado/Getty Images)
It’s a good idea, but one unlikely to drive any quick changes in what you see on store shelves. The only short-term upgrade to IoT security may come from customers knowing enough to avoid insecure gear on their own.
That list starts with encrypted communications—a must to ensure that an attacker can’t snoop on your smart home or, more importantly, tamper with commands sent to and from its various gadgets.
Security updates for devices must also be automatically downloaded and installed. They’re also supposed to be provided “for a reasonable period after sale,” but neither document suggests how long security updates should be supported for.
Devices also need strong passwords for remote access, meaning they’re both sufficiently complex to defy guessing attempts and unique to each device. Insecure default passwords, some hard-coded into devices, have figured in many past IoT breaches.
Finally, the documents call on companies to be diligent and consistent in handling reports of vulnerabilities—something many firms flub today—and fixing them. They should also tell people what they’ll do with their data, and let users opt out of sharing it and give them the option to delete it.
Will retailers respond?
All that sounds great, but will retailers do anything in response to the letter?
“We think change is on the horizon,” Mozilla campaigns director Sara Haghdoosti said in an emailed statement. “Last year, we saw Target, Amazon and Walmart respond swiftly when we asked them to take CloudPets, a highly-vulnerable smart toy, off their shelves.”
That poor security left some 2 million audio messages that children sent to their friends unguarded online.
But shaming retailers over individual products doesn’t scale, Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance, and an architect of the shaming initiative, explained via a statement.
“Generally, we've found that targeting individual products isn't a sustainable approach, but it can be used to draw attention to the overall issue,” Wilbur said.
Among the retail foursome of Amazon, Best Buy, Target and Walmart, only Target responded to queries sent Tuesday afternoon. Spokesperson Jenna Reck said Wednesday evening that the company had no comment on the letter.
You’re on your own
You may have to forgive these retailers if they don’t immediately scrub their inventory of insecure IoT gadgets: The minimum-standards effort has yet to yield a comprehensive list of adequate products that they could consult.
This leaves you, the shopper, somewhat out of luck too.
The Internet Society’s Wilbur suggested looking into Mozilla’s Privacy Not Included, a database of 87 devices that grades each one against minimum-security guidelines. Forty-two get a checkmark for meeting those standards, including Amazon’s (AMZN) Echo, Google’s (GOOG, GOOGL) Home smart speakers, Nintendo’s Switch gaming console and Philips’ Hue smart-light kit.
The site also lets visitors vote on the relative creepiness of these devices, which leads to some interesting mismatches: Amazon’s Cloud Cam complies with the security guidelines but got hit with a “Super creepy!” assessment.
Mozilla’s Haghdoosti recommended following the Usable Privacy Policy Project, which rates and annotates data-usage policies, and Trustable Technology Mark, an initiative under way to identify IoT gear that prioritizes privacy and security.
Note that none of those resources are called out in the letter or the security-guidelines document.
But for now, there’s no generally-recognized label along the lines of the government’s Energy Star logo to identify smart-home stuff that’s secure enough. We also seem a considerable distance away from the government requiring any such standards.
Instead, you’ll have to read the fine print of a connected gadget’s specifications and manuals to get a sense of where privacy lands among its priorities.
