Setting Standards for Digital Privacy

When it’s not even obvious which kids’ toy happens to contain a networked computer, how are you supposed to know if the code running on it is secure?

That’s one question that comes free of charge with the growing wave of Internet of Things devices that use sensors and an internet link to respond to their environment and their users. Think of the thermostat that knows whether you’re home and governs the temperature accordingly or the door lock you can monitor from afar.

These can all deliver meaningful advances over unconnected, unaware devices. But security experts say that many of their vendors have skimped on malware protections. This was evidenced by October’s distributed denial-of-service attack that crippled many websites—it was launched from connected cameras that had been hacked.

Last week, Consumer Reports announced that it was working with three other organizations—privacy-software developer Disconnect, the security-testing firm Cyber ITL, and the corporate-accountability group Ranking Digital Rights—to create a set of criteria for testing and ranking Internet of Things gadgets, along with other digital products.

Representatives of all four groups discussed this venture at a panel Monday at the South by Southwest conference in Austin, Texas, and the conversation made one thing clear: The work won't be easy, but there's no time to lose in pushing ahead.

“These products and the Internet of Things bring real tangible benefits to our lives,” Disconnect founder Casey Oppenheim said to open the discussion. “We also have just crazy hacks that I don’t think anybody could even conceive of a few years ago.”

The Digital Standard

The four organizations have laid out their security and privacy criteria at a site called The Digital Standard and at the collaborative-coding site GitHub. Both locations host a spreadsheet that defines expectations in such areas as the use of default passwords and device encryption to protect your data, then proposes various tests to verify a product’s compliance.

Other groups are free to use the standards to develop product testing, and Consumer Reports plans to gradually introduce elements of the standard into its own evaluations.

As the panelists explained, some of the tests would be simple to conduct: For instance, the standard says that if a device or service is password-protected, the user should be required to set his or her own, strong password.
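To make that criterion concrete, here is an added example (not code from the article, from Consumer Reports, or from The Digital Standard itself) modelling how a device could satisfy it: the device is unusable until its owner sets a password, it refuses factory defaults and weak choices, and a small compliance check exercises that behaviour the way a tester might. The default-password list, the minimum length of 12, the character-class rule and the `Device` class are all assumptions made for illustration.

```python
"""Added example: enforcing "the user must set their own strong password" on
a networked device, plus a compliance check a tester could run against it.
Policy thresholds, the default-password list and the Device model are
assumptions for illustration, not part of The Digital Standard."""
import hashlib
import hmac
import os

# Constructed list of factory/default credentials the device must never accept.
DEFAULT_PASSWORDS = {"", "admin", "password", "default", "root", "12345", "123456"}

MIN_LENGTH = 12          # assumed policy minimum
PBKDF2_ITERATIONS = 100_000


def password_problems(candidate: str, username: str = "") -> list:
    """Return the reasons a candidate password is unacceptable (empty list = OK)."""
    problems = []
    if candidate in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if len(set(candidate)) < 4:          # rejects e.g. "aaaaaaaaaaaa"
        problems.append("too few distinct characters")
    return problems


class Device:
    """Toy device: no credential exists until the owner sets one that passes policy,
    so there is no window in which a factory default can be used to log in."""

    def __init__(self):
        self._salt = None
        self._digest = None
        self.provisioned = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                   PBKDF2_ITERATIONS)

    def set_password(self, username: str, candidate: str) -> list:
        """Store a salted hash of the password if it passes policy; return problems."""
        problems = password_problems(candidate, username)
        if problems:
            return problems
        self._salt = os.urandom(16)
        self._digest = self._derive(candidate)
        self.provisioned = True
        return []

    def login(self, candidate: str) -> bool:
        if not self.provisioned:
            return False             # unprovisioned device: nothing to log in with
        return hmac.compare_digest(self._derive(candidate), self._digest)


def check_device_compliance(device_factory) -> dict:
    """A tester's checklist: fresh device accepts no default login, refuses a default
    or weak password at setup, and only then behaves as a normal protected device."""
    d = device_factory()
    strong = "Correct-Horse-42-Battery"        # constructed sample value
    return {
        "no_default_login": not any(d.login(p) for p in DEFAULT_PASSWORDS),
        "rejects_default_as_new": bool(d.set_password("admin", "admin")),
        "rejects_weak": bool(d.set_password("admin", "abc")),
        "accepts_strong": d.set_password("admin", strong) == [],
        "login_works_after": d.login(strong),
        "rejects_wrong_after": not d.login("admin"),
    }


if __name__ == "__main__":
    for name, passed in check_device_compliance(Device).items():
        print(f"{name:24s} {'PASS' if passed else 'FAIL'}")
```

The design choice worth noting is that the device has no credential at all before provisioning, rather than a default that "works until changed"; that is what removes the window the standard is aiming at, and it is the first thing the compliance check probes.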

Others are more complex. One portion of the standard calls for companies to use common software defenses against remote attacks—but that can be hard to evaluate when testers are looking at Internet of Things devices, where the underlying computer code is inaccessible. (The panel did have some advice for programmers, though: “Cut down on the spaghetti code because it only gets noodlier over time,” said Sarah Zatko, co-founder of Cyber ITL.)