Your next smart device might come with a 'security rating'

Posted Jul 26, 2017 by James Walker
As the Internet of Things proliferates, keeping scores of connected devices secure is going to present a challenge. Since most users don't understand the risks, some experts are proposing devices get a "security score," similar to an energy rating.
The suggestion was voiced by Mike Barton, a UK police chief, in a report in The Guardian this week. He noted that new smart home products are being designed around always-on Internet access. At the same time, the Internet of Things is one of the fastest growing cyberattack vectors, with everything from smart kettles to connected webcams being hacked.
As adoption of the Internet of Things starts to increase, more consumers will bring potentially risky products into their homes. Users are expected to embrace connected devices, smart sensors and the Internet-linked household while unaware of the underlying dangers.
Barton called for tech companies and regulators to do more around cybersecurity education. Echoing similar warnings from the U.S. Congress last year, he called for a system of "security ratings" to be set up. This would let consumers determine the cyber safety of a product while browsing different items in a store. It would be directly comparable to the EU's A to F energy efficiency system, which is universally understood by shoppers.
"Whenever you go into a store now you see fridges and it's A down to F in terms of its energy efficiency. Where are the security ratings?" Barton said, according to The Guardian. "You've got a situation where we don't know what the security is like in the devices we are buying in the internet of things. It's just not reported. And yet that is the most significant component of what it is you are buying."
There is a problem with this idea though. While the suggestion sounds good on paper, it would be almost impossible to implement. Assuming a standards body even found a way of uniformly testing security, the cyberthreat landscape is constantly changing. Barton didn't elaborate on how his proposal could be implemented.
The most logical way would involve setting up an industry-wide working group responsible for laying down the boundaries between the categories. The group would then need to use a fixed set of tests to determine a rating for each device relative to the other products being tested. This model wouldn't readily adapt to meet emerging forms of attack, though.
In practice, the score of many devices would probably change over time. Whereas the energy efficiency of a washing machine stays largely constant through its life, new cyberattacks, zero-day exploits or even remedial software updates could alter a cybersecurity rating on a regular basis. While everyone agrees something needs to be done about IoT security, it seems unlikely a colour-coded sticker can fully address the problem.