Consumer Reports, an influential US non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cybersecurity and privacy safeguards when scoring products.
The group, which issues scores that rank products it reviews, said on March 6 it had collaborated with several outside organisations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.
Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organisation’s director of electronics testing, said in a phone interview.
“This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.
The effort follows a surge in cyberattacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the Internet of Things.
“Personal cybersecurity and privacy is a big deal for everyone. This is urgently needed,” said Craig Newmark, the founder of Craigslist who is a director at Consumer Reports.
In one high-profile October attack, hackers used a piece of software known as Mirai to cripple an Internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours. Another attack in November shut off Internet access to some 900,000 Deutsche Telekom customers.
Security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices.
“We need to shed light that this industry really hasn’t been caring about the build quality and software safety,” said Peiter Zatko, a well-known hacker who is director of Cyber Independent Testing Lab, one of the groups that helped Consumer Reports establish the standards.
The first draft of the standards are available online at thedigitalstandard.org.
Issues covered in the draft include reviewing whether software is built using best security practices, studying how much information is collected about a consumer and checking whether companies delete all user data when an account is terminated. — Reuters