Consumer Reports announced on March 6 that it had collaborated with several external organizations to develop methodologies for studying how easily a product could be hacked and how well user data is secured. The firm will steadily implement the methodologies across its reviews, starting with test projects evaluating a small number of products.
It favors a gradual approach, a spokesperson said, because IoT is a "complicated area," the reviewing of which will require "a lot of refinement" to perfect.
An initial draft of the standards Consumer Reports will rate devices on has been published online. Areas covered include reviewing whether software is built using best security practices, studying how much information is collected about consumers, and checking whether companies delete all user data upon an account being terminated.
The move follows a surge in cyberattacks which have exploited vulnerabilities in IoT devices such as webcams, routers, digital video recorders and other connected devices.
In October 2016 for instance, hackers employed malware known as Mirai (from a Japanese word meaning "the future") to block access to PayPal, Spotify, Twitter and dozens of other websites for hours. Internet access was entirely shut off for around 900,000 Deutsche Telekom customers.
Mirai malware took down Twitter, Spotify, Reddit, The New York Times, Pinterest, PayPal and other major websites on 21st OCT. Any updates? pic.twitter.com/IdrzfHrIxL— fizcity (@fizcity) October 24, 2016
Security experts have previously suggested that attacks on IoT devices are very easy to pull off, given manufacturers are reluctant to invest in security measures. Ken Munro, an executive member of the Internet of Things Security Forum — a body promoting best practice for smart device manufacturing — is but one.
"What we often find is we can extract firmware from IoT devices, and glean lots of interesting secrets, which can eventually lead to devices being hacked," Mr. Munro explained.
As a result, he believes security concerns could be "a significant brake" on the growth of IoT, unless and until they are resolved.
For example, IoT manufacturers often ship identical default passwords across their products, such as "admin" and "123456".
Swedish firm Ouman has been reported to still be using default passwords on their nearly ten-year-old automation systems. Given a great many houses in the Nordic region utilize Ouman's building and energy saving IoT solutions, and a large number of customers never bother to change their passwords, the door is wide open for potential unauthorized logins by hackers, with potentially dire implications for customers.
The consequences of a hack can often be very troubling.
In January 2017, a series of web-connected, app-enabled toys called CloudPets were hacked, exposing 800,000 user account details and voice messages left by children. CloudPets allow parents to record a message for their children on their phones, which is then delivered to the Bluetooth-connected stuffed toy and played back.
Here it is:
— Toy captured kids voices
— Data exposed via MongoDB
— 2.2m recordings
— DB ransom'd
— And much more… https://t.co/HvePnZleXR
— Troy Hunt (@troyhunt) February 27, 2017
CloudPets manufacturer Spiral Toys held 800,000 customers' data on a platform that wasn't firewall-protected, allowing hackers to obtain the information and hold it for ransom. They were even able to hear messages left for and by children.
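The failure pattern described above, a database reachable from the internet with no authentication in front of it, is a configuration problem rather than an exotic exploit. The fragment below is an added illustration, not configuration from the article or from Spiral Toys: it shows a MongoDB `mongod.conf` in the exposed shape beside a hardened one. The port, the private address 10.0.0.5 and the idea that a single application server is the only legitimate client are assumptions for the example.

```yaml
# Added example, not the article's or any vendor's real configuration.
# Part 1 - the exposed shape: mongod listens on every network interface and,
# with no "security" section, does not require clients to authenticate.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any address, including the public internet
# (no "security" section: authorization is disabled by default)
---
# Part 2 - the corrected shape for the same server.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application server's private address (assumed)
security:
  authorization: enabled      # every client must present a user/password or certificate
```

Binding to specific interfaces and enabling authorization are both needed: a host or cloud firewall that only admits the application server's address is the third layer, so that a later configuration mistake in one layer is not by itself enough to expose the data. A quick self-check on the server is to confirm that the database port is listed only against the expected addresses in the output of `ss -ltn` (or `netstat -ltn`) and that an unauthenticated local connection is rejected once `authorization` is enabled.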
There are suggestions hackers can even turn headphones plugged into computers and phones into microphones and record conversations — and experts also predict security risks will only increase as IoT devices get smarter, particularly "listen for instruction" gadgets.
"These devices hemorrhage personal data. They always have to be listening to ensure it hears when those instructions are invoked. That data will end up feeding individuals more tailored adverts, but also means the police can listen to or access all the data a device has generated and sent to its servers, and that could be instructions or potentially a log of everything that has been said," an anonymous cybersecurity expert previously told Sputnik.
It's not just opportunistic hackers who are seeking to attack IoT devices. James Clapper, US Director of National Intelligence, admitted to the Senate in October 2016 that such devices represented a significant opportunity for intelligence services to conduct surveillance and tracking of individuals and their activities.
Such activities may already be ongoing — the FBI, for instance, refuses to confirm whether it is tapping Amazon Echo devices.