Crash testing your connected stuff—before you get hacked
A consumer group is checking to see if products & apps keep you safe online.
If you need a new vacuum, you might go to Consumer Reports to see which one has the most power—and which will leave you disappointed.
Soon, you’ll be able to do the same for connected stuff, like your smart TV, your Internet-friendly fridge and the apps you use.
The non-profit consumer group that reports on crash testing for cars and kids’ car seats is adding cyber tests to its repertoire, putting products, apps and services through a security gauntlet to see if they pass muster.
The first step—coming up with the security rules. It’s not an easy task.
Consumer Reports and other groups worked to create the digital privacy and security standard that will serve as a baseline for evaluations.
Like a nutrition label on your cereal box, you may soon be able to tell if that thing you want to buy will keep you safe from cyber crooks or online stalkers.
“We want to rate products on measures such as security, in much the same way we currently assess products for physical safety and performance,” Consumer Reports said in a post.
Not so glowing reviews
Some products have already flunked Consumer Reports’ cyber evaluations.
The Glow pregnancy and fertility mobile app lets women track their menstrual cycles and ovulation. Men can use the app as well, usually in conjunction with a partner.
But the consumer group found last year that people could easily connect to a woman’s Glow account without her permission.
“…[A]nyone—loving partner, obsessive ex-husband, or anonymous creep—could link his account to any Glow user’s, if he knew the woman’s email address,” a post explained.
The Glow app collected personal information from women but did not protect it last year, Consumer Reports said. Image via App Store.
In addition, someone with basic hacking skills could change a woman’s password and get personal information about people posting in the Glow community forums, where users talk about things like miscarriage and sexual positions.
Consumer Reports contacted Glow and reported that the company then fixed the problems.
The Glow app later fixed the security problems that revealed women’s personal information, Consumer Reports said. Image via App Store.
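The Glow flaw described above came down to one missing step: the account being linked to never had to agree. The added example below (not code from Glow or Consumer Reports) contrasts a weak link-by-email routine with a consent-based one in which the account owner issues a single-use invite code to a named partner. The user records and email addresses are constructed for illustration.

```python
import secrets
import hmac

# Constructed in-memory user store keyed by email address (sample data only).
USERS = {
    "alice@example.com": {"partners": set(), "invites": {}},
    "bob@example.com":   {"partners": set(), "invites": {}},
    "carol@example.com": {"partners": set(), "invites": {}},
    "creep@example.com": {"partners": set(), "invites": {}},
}

def link_weak(requester, target_email):
    """Weak pattern: knowing someone's email is enough to link to their account.
    This mirrors the failure Consumer Reports reported; there is no consent check."""
    if target_email not in USERS or requester not in USERS:
        return False
    USERS[target_email]["partners"].add(requester)
    USERS[requester]["partners"].add(target_email)
    return True

def create_invite(owner_email, partner_email):
    """Hardened pattern, step 1: the account owner issues a random, single-use
    invite code bound to the partner they intend to link with."""
    code = secrets.token_urlsafe(16)            # 128 bits of randomness
    USERS[owner_email]["invites"][code] = partner_email
    return code

def link_with_consent(requester, owner_email, code):
    """Hardened pattern, step 2: linking succeeds only if the requester presents
    a code the owner issued, and is the partner that code was issued for."""
    owner = USERS.get(owner_email)
    if owner is None or requester not in USERS:
        return False
    for pending, intended in list(owner["invites"].items()):
        # Constant-time comparison so code guessing cannot use timing leaks.
        if hmac.compare_digest(pending, code) and intended == requester:
            del owner["invites"][pending]       # single use: consume the code
            owner["partners"].add(requester)
            USERS[requester]["partners"].add(owner_email)
            return True
    return False

def is_linked(a, b):
    """True only when both accounts list each other as partners."""
    return b in USERS[a]["partners"] and a in USERS[b]["partners"]
```

Binding the code to an intended partner and consuming it on first use means a leaked or guessed email address alone no longer grants access to the account.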
Crash test dummies
Now, more companies will face the same testing.
“Products should be built to be secure,” Consumer Reports said.
“We think it’s unfair and unrealistic to expect consumers to constantly play defense when the products and services they use aren’t engineered with basic privacy and security protections built in,” the organization wrote.
For example, testers will check to see if the products use encryption to protect your information, and if the manufacturer updates the products regularly to keep malware out—some basic safety steps.
“If you have a car that doesn’t have airbags, seat belts, or antilock brakes, you, as the consumer, need to know this,” said Peiter “Mudge” Zatko, who helped found the non-profit Cyber Independent Testing Lab and is working with Consumer Reports.
Part of the new digital standard that defines good password practices.
The new digital standard also addresses privacy issues.
That means evaluators will ask questions about what companies are doing with your information.
“For instance, does the company tell the consumer exactly what data is being collected?” testers will query. “Is the company collecting that information to make the product or service work correctly, or for some other purpose? And when a consumer closes an account—quitting a social media service, for instance—does all that data get deleted?”
People have to pay to subscribe to Consumer Reports.
But you may benefit from this new wave of testing, even if you do not pay.
Cybersecurity expert Jeff Williams of Contrast Security created his own “nutrition label” for software security more than 10 years ago.
The label showed what kind of security controls the software had, and whether the code was secure, among other points.
Software facts label created by Jeff Williams. Image credit: Jeff Williams
Food nutrition labels were not popular when they first came out, Williams said.
“Everyone hated it,” Williams told Archer News in an interview at the RSA cybersecurity conference last month. “Consumers didn’t read it.”
Still, the labels ended up changing the contents of your food, he said.
“It had a fantastically transformational effect on the market over a number of years because the producers themselves wouldn’t allow them to put out a product—their lawyers and their marketers wouldn’t allow them to put out a product—that said, ‘This product is 100% fat,’ or ‘There are no nutritional benefits to this product,’” Williams said.
Similar efforts to expose security practices could have the same effect as nutrition labels, he said.
“Consumers are reading those labels, but it didn’t start out that way. And I think that will be the exact same thing that’s happening,” Williams said.
The U.S. finalized the first food nutrition label laws in 1973, according to the U.S. National Library of Medicine. Image credit: Archer News.
The government should require companies to disclose how secure their software really is, Williams suggested, as it could encourage them to do a better job, lest their failures be revealed.
“The marketers won’t let it happen. So, we can affect the market without the consumers really having to be interested or involved,” he said. “How about that?”
Other groups have suggested labeling, testing and design ideas as well.
Williams helped develop the Open Web Application Security Project, or OWASP, which works to make web applications more secure.
OWASP came up with a series of labels showing an app’s security, privacy, transparency and openness.
UL—known for testing household products for safety and giving them the “UL” seal of approval—has started checking connected things through its Cybersecurity Assurance Program.
UL testing products for safety in the 1940s. Now UL tests for cybersecurity. Image from Library of Congress.
The volunteer cybersecurity group “I Am The Cavalry” asked companies involved in making connected medical devices to publish a “Hippocratic Oath” where they declared their commitment to things like designing devices securely, reporting safety problems and updating their products.
The group also asked car makers to follow a five-star security framework for connected cars.
Parts of the new digital standard announced by Consumer Reports call for companies to allow people to fix their own devices if they break, and to tell customers whether they act ethically.
“For example, a company’s customers might want to know whether it resists digital censorship in totalitarian countries, and, closer to home, whether it quickly notifies the public after a data breach,” Consumer Reports said.
The organization calls its version of the digital standard a ‘first draft’ and encourages people to comment and help shape the future.
“What matters for now isn’t that every detail is correct,” Consumer Reports said. “The important thing is for the idea of a digital consumer-protection standard to take hold.”
Vote with your wallet
Consumer advocates hope people will be interested and involved, checking the results of cybersecurity tests for stuff they buy.
“When consumers vote with their wallets and their clicks, we’ve seen that companies pay attention,” Consumer Reports said.
There are ratings systems for movies and miles-per-gallon statements for cars.
Movie ratings. Image credit: Filmratings.com
Next, you may see letter grades for software security and ratings for just how well that app protects your private stuff.
That new vacuum you were eyeing? It may be connected soon, too. But now you’ll know if it’s sucking out your data as well as your dust.
“We think companies will strive to out-do their competitors when it comes to privacy, security, and other consumer rights,” Consumer Reports explained. “The ones that do a better job will gain more customers. That’s one of the primary ways that consumer power works.”