The state of smart-home security should be embarrassing. Take for instance the webcams hacked and exploited to launch massive denial-of-service attacks, or the smart doorbell video footage recently left unsecured online. But that doesn’t seem to have been enough to get manufacturers to improve the security of their devices. So a set of consumer groups are trying a different approach: shaming the retailers that sell hackable “Internet of Things” hardware.
That’s the idea behind a “Dear Retailers” open letter posted Tuesday by 11 groups, including the Mozilla Foundation (the non-profit behind the Firefox browser), the Internet Society and the Center for Democracy & Technology. The letter challenges Amazon (AMZN), Best Buy (BBY), Target (TGT) and Walmart (WMT) to limit their IoT inventory to devices that meet a minimum set of security standards.
It’s a good idea, but one unlikely to drive any quick changes in what you see on store shelves. The only short-term upgrade to IoT security may come from customers knowing enough to avoid insecure gear on their own.
Minimally viable products
The open letter and a linked document posted in November offer a five-part definition of “secure enough.”
That list starts with encrypted communications—a must to ensure that an attacker can’t snoop on your smart home or, more importantly, tamper with commands sent to and from its various gadgets.
Security updates must also be downloaded and installed automatically. They’re supposed to be provided “for a reasonable period after sale,” but neither document says how long that period should be.
Devices also need strong passwords for remote access, meaning they’re both sufficiently complex to defy guessing attempts and unique to each device. Insecure default passwords, some hard-coded into devices, have figured in many past IoT breaches.
Finally, the documents call on companies to be diligent and consistent in handling reports of vulnerabilities—something many firms flub today—and in fixing them. Companies should also tell people what they’ll do with their data, let users opt out of sharing it, and give them the option to delete it.
Will retailers respond?
All that sounds great, but will retailers do anything in response to the letter?
“We think change is on the horizon,” Mozilla campaigns director Sara Haghdoosti said in an emailed statement. “Last year, we saw Target, Amazon and Walmart respond swiftly when we asked them to take CloudPets, a highly-vulnerable smart toy, off their shelves.”
That poor security left some 2 million audio messages that children sent to their friends unguarded online.
But shaming retailers over individual products doesn’t scale, Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance, and an architect of the shaming initiative, explained via a statement.
“Generally, we've found that targeting individual products isn't a sustainable approach, but it can be used to draw attention to the overall issue,” Wilbur said.
Among the retail foursome of Amazon, Best Buy, Target and Walmart, only Target responded to queries sent Tuesday afternoon. Spokesperson Jenna Reck said Wednesday evening that the company had no comment on the letter.
You’re on your own
You may have to forgive these retailers if they don’t immediately scrub their inventory of insecure IoT gadgets: The minimum-standards effort has yet to yield a comprehensive list of adequate products that they could consult.
This leaves you, the shopper, somewhat out of luck too.
The Internet Society’s Wilbur suggested looking into Mozilla’s Privacy Not Included, a database of 87 devices that grades each one against minimum-security guidelines. Forty-two get a checkmark for meeting those standards, including Amazon’s (AMZN) Echo, Google’s (GOOG, GOOGL) Home smart speakers, Nintendo’s Switch gaming console and Philips’ Hue smart-light kit.
The site also lets visitors vote on the relative creepiness of these devices, which leads to some interesting mismatches: Amazon’s Cloud Cam complies with the security guidelines but got hit with a “Super creepy!” assessment.
Note that none of those resources are called out in the letter or the security-guidelines document.
Consumers Union (disclosure: I have occasionally written for Consumer Reports) has its own Digital Standard effort under way to test the security of smart-home gear, while Underwriters Laboratories is developing cybersecurity labels.
But for now, there’s no generally recognized label along the lines of the government’s Energy Star logo to identify smart-home gear that’s secure enough. We also seem a considerable distance away from the government requiring any such standards.
Instead, you’ll have to read the fine print of a connected gadget’s specifications and manuals to get a sense of where privacy lands among its priorities.