A recent announcement from Consumer Reports, an influential US group that conducts extensive product reviews, suggests that they are gearing up to start considering cyber security and privacy safeguards when scoring products. IT security experts from LogMeIn and Allot Communications commented below.
Ryan Lester, Director Of IoT Strategy at Xively by LogMeIn:
“No matter the product, security needs to be a foremost concern for manufacturers. When talking about IoT products specifically, security becomes even that more important and complex. Having an assessment model in place will be a great incentive to make sure manufacturers are leaving no stone unturned when it comes to the security of their products, but it is also important to keep in mind that the responsibility does not fall on the manufacturer alone. Product manufacturers can build in various security mechanisms to reduce the risk of attacks – including strong authentication, encryption and the like — but consumers also need to do their due diligence as well. Creating strong passwords, connecting to only secured networks, ensuring firmware is up to date, etc. are just a few steps consumers themselves can do to ensure their own security in the world of connected products.”
Moshe Elias, Director of Product Marketing at Allot Communications:
“Consumer Reports considering cyber security in product reviews is a step in the right direction. Manufacturers need an incentive to apply security and a high review score may help.
The problem with the consumer IoT industry is that emphasis is made on functionality which is natural, but none on security. These “things” or devices, are a security backdoor. A wifi connected doorbell is “not interesting” in itself, but if it stores the Wi-Fi password in cleartext a hacker can use that to access all the household connected devices, alarm systems computers etc.
The security solution, however, needs to be layered, and centered around a network based security system that is delivered by a capable operator. Just as every smartphone and computer have vulnerabilities, so will IoT devices and these require an additional layer of security – in the network.
Device ranking will not guarantee that devices become un-hackable. Protecting access and validating data on a device-by-device basis is not a sufficient solution. Most devices are closed systems and don`t allows installing any security client software or any software after shipping from the factory and even if some devices allow that, this approach requires investment and scalability, and continuous maintenance needed to ensure devices are controlled. A more reasonable approach is a comprehensive solution delivered from the CSP network (network-based) security solution, that unifies all security function needed to control any device (whether an IoT device or mobile handset) and provides a simple, scalable way to protect the network with a growing number of connected devices.”