/ Technology

Update: could your tech be secure by design?

The government has today launched a code of practice to ensure that connected products are ‘secure by design’. Tech companies HP Inc and Centrica Hive are the first to commit.

Update 14/10/2018

The government has launched a code of practice to ensure that connected products are ‘secure by design’. Security must now be considered in the design process rather than being left as an afterthought.

We welcome the government taking a lead in tackling the growing issue of security in internet-connected products. Manufacturers of these smart devices must now show they are taking security seriously and sign up to the code to better protect consumers who use their products every day.

Read the latest news here

New safety risks

In its 60 years of existence, Which? has been a champion of consumers’ rights, given advice on products and services, and held industry and the government to account where we find problems – all to keep consumers protected.

Over the past six decades, we’ve had to adapt our testing to ensure we cover the products that have continued to change consumers’ lives. We rigorously test and provide advice that allows consumers to make a smarter decision on the product or service they’re purchasing.

The range of technology we test has grown and expanded over time, as has what is available on the market, with manufacturers continually innovating on features and design.

As technology has changed, new challenges have come to the fore and new risks to consumers’ safety have been exposed.

The security of consumer’s products is the next big issue for Which? and for the industry. Smart technology, the internet of things, and connected homes will bring benefits to consumers, but also risks. From cyber attacks and data leaks come scams and fraud, threatening people’s safety and the security of their personal information.

That’s why, in 2014, we first started investigating the security of smart products. Then, in 2015, we brought in a security-testing programme for cameras and wearables, before adding thermostats, smart hubs and more.

We’ve already spotted problems from connected toys that have no security measures, leaving children at risk, to wireless cameras that you can’t protect. We’ve also seen a connected coffee machine that wasn’t secure and allowed us to overload it during testing – a flaw that could lead to a fire.

Code of practice

At the moment, consumers have no way of knowing if a smart product isn’t secure and whether they’re protected or not. And we think that the onus and expectation to make a product secure should be on the manufacturer at the point of design and manufacture, not with the consumer as an after-thought.

Today, Digital Minister Margot James MP joined us at Which? with an invited audience from across the tech industry, manufacturers and academics to launch the government’s new code of practice for manufacturers of connected technology.

We’re supporting the government’s plan for improving the security of connected consumer technology. It’s no longer acceptable for a connected product to be put on the shelves and for it to not be secure.

We believe it’s time that manufacturers took safety and security seriously. With connected devices becoming increasingly popular, it’s vital that consumers aren’t exposed to the risk of cyber-attacks through products that are left vulnerable by manufacturers’ poor design and production.

Companies must ensure that the safety of their customers is the absolute priority when ‘smart’ products are designed.

If strong security standards aren’t already in place when these products hit the shelves, then they shouldn’t be sold.

What security standards do you expect to be in place when you buy smart products? Are you wary of buying connected tech because of the risks it poses?

Comments
Member

I perfectly understand why Which has made this a convo and an issue . Its a major policy point with both UK/US governments and big business and unless they convince the public in BOTH countries that data security really is secure then Globalization will be hit a blow. Personally I am far from convinced by any government statement in this regard , you have only to look at the recent US security breaches affecting both countries citizens ( part of globalisation ) . As you know I get emails from the White-House Press Dept. and major US defense industrial conglomerates and this is a big security issue with both parties in regards to social security and defense secrecy . I have been following this by regular up dates but I have just got an email telling me that a branch(subsidiary ) of AWS has lost a massive contract for Cloud Storage at a high security level . The last statement was highly redacted and looked benign but knowing the criticism that went on before from top level US Military/government controllers it was that they did not trust Cloud Storage and so a contract for nearly ONE TRILLION $$$$$$ was reduced to $65 million . Do not underestimate hackers nor offers to staff to disclose information even the FBI sacked personnel for graft just remember no matter what is said by officials internet security is NOT 100 % secure . I am prepared to debate this but they better be 100 % Honest as I will pick holes in much of the statements I have seen many security businesses give out as this is a subject I have gather info on from many sources over the years , remember – back-doors work for hackers as well and both ours and US security want back-doors to all our info and thats why MS for example have to keep updating their system.

Member

Which? seems to be setting out or endorsing some fairly aspirational ideas here.

We know that security flaws come to light all the time in devices like computers and smart phones. Those devices are sold in vast numbers, so their manufacturers can afford the teams of software engineers that are needed to roll out retrospective bug fixes for emerging security or functional flaws.

Other, less ubiquitous, “smart devices”, like smart TV’s, must be selling in much smaller numbers. We have already seen that smart TV manufacturers cannot even keep their basic functionality updated. Hence their “smart features”, such as the ability to work with BBC iPlayer, tend to fail after only two or three years. I think folk trying to keep other smart products up to date, e.g. with security patches, are likely to face similar difficulties.

Given the current “race to the bottom” for the prices of consumer goods, we also seen that manufacturers are struggling to get even simple tech right. So we have kettles that (sometimes) make foul smelling drinks and tumble dryers that (sometimes) catch fire.

When I worked in the defence industry, we knew that we could not absolutely guarantee the security of any internet connected computers, so we kept all of our most secret data on isolated, non-networked machines. Having any sort of internet connected device and expecting it to be secure, on the basis of a “right-first-time” design could rather like wanting to eat your cake and then have it.

Member

There is a dichotomy here between the desire to advance technology and the results of doing so. The more automated and remotely controlled the household becomes, the easier it is for criminals to find a way of breaking in. The fear is that it is not simply burglary but untold damage to property when this automation malfunctions. Of course it doesn’t have to be criminals that cause this. Anyone who buys a product without understanding how it works, could well remotely damage it and perhaps cause a fire. Some items really require the owner to be present when they are in operation. I would not run a tumble drier remotely, for instance. With the skill that these criminals are able to deploy, it is hard to see any manufacturer being able to guarantee, that under all circumstances, their product will work for the owner alone. The links between products are also vulnerable. Though this technology is seen as the way forward to a new way of living, I wonder if it is driven by the manufacturers rather than a demand from the public. How many of us need to have the kettle boiling as we come through the door? How many need the fridge to place shopping orders for us? Actually setting up and controlling all these gadgets is also a problem. We need to make sure they do exactly what we want them to and technology has a way of placing limits on the way things work, so that they do them in a programmed sequence and not necessarily as we would like them to work. It is also a fact that any external attack on a network or country could disable these household products and reset them. A power cut might do the same. The more we automate things and join them together, the more we, as a country, can be paralysed. We can be now, but it can only get worse in this brave new world. I am not sanguine about the way things are shaping and you are right in the introduction to suggest that safety and security should come before any product is put on to the market for sale.

Member

This is getting creepy I just got informed that two Israeli,s have hacked Windows Cortana which has large control over many functions on MS.s system . Seemingly only one USB device needs to be attached to one computer and every other computer on that network can be hacked Remotely even when locked it can make them access the web and go to an infected website where its taken over and all the other computers are equally infected . What am I getting at ? it seems that so many apps are being attached to Cortana that they are turning out to be INSECURE as the app designers haven’t done as good job , exactly what this convo is all about lack of security in this modern age . Trust this digital age -no chance even Putin has now introduced a completely isolated Russian internet in case of problems as he has no trust in the West and many western hackers have tried to hack his defense establishments as well as ban big name US internet companies because data is held in US servers which, as I have said are open to US government departments including our own data .

Member

It gets worse Geek Squad (Best Buy USA ) as you all know due to the EFF ,of which I am a member, issued a lawsuit against Best Buy for giving the FBI information from repaired computers breaking one of the basic US laws -the Fourth Amendment . But this is where it gets interesting Geek Squad operate in the UK in CPW thats right Curry,s PC World , would I put my computer into them ?? well I dont as I do my own repairs but whats the betting in this Open UK with no Fourth Amendment that our own security services haven’t got the same arrangement ( check out the Snoopers Charter and its certainly “open Britain ” ) if you are up to no good then repair your own computer but the US GS “checked out ” all the hidden data on the customers HDD/SSD as a matter of “routine ” — officially– they “stumbled upon it by accident ” of course they did just as I “stumbled ” across a large gold nugget in the garden. Data collectors ? you have no chance against them.

Member

I don’t have any concerns over data being checked during the repair of IT equipment and any illegal material being reported to the authorities. After, all, that is how the child pornographer and child sex abuser Gary Glitter got rumbled when he took his PC in for repair and the technician discovered heaps of illicit images. Since I am not “up to no good” I have nothing to fear from the contents of my hard drive. But the problem is that an enormous amount of our innocent private information has the potential to wreck our lives in the wrong hands if it is extracted and misused.

I certainly don’t see why many home appliances need to be connected or made slaves to a controlling system. It seems like a solution looking for a problem to me and for most people just a vanity concept. It’s like smart meters and home hubs – the promoters of these products seem to be able to suggest only one or two practical uses for them, and those are of dubious value, with the rest being contrived conceits suggesting they are playthings rather than essential accessories.

Member

Many of us have personal, financial, private information on our devices that we would not want anyone else to access. A warrant is required to search your premises; we don’t let the decorator or plumber go through your filing cabinet just in case incriminating information comes to light and can be reported.

Whilst I have nothing that is incriminating in my possession (I hope) protection of privacy should be a cornerstone of a civilised society. Information gained illegally should be inadmissible, however hard that might seem. Inevitably, though, even if the evidence cannot be used the suspicion it arouses can be followed up in legitimate ways.

In future a smart device could report its location if it is identified as having a (possible) inherent fault to make a recall system work properly. I could support that with the right safeguards.

Member

I agree with Vynor as to why do we need so many devices operated remotely connected to a vulnerable web? It is hard to conceive of every possible way someone might accidentally or deliberately infiltrate your device and only experience might bring these things to light, however hard the manufacturers try to anticipate and avoid by design. Most of them seem to me to be adult novelties and I would avoid them. Perhaps they should all carry a “health warning” so people are aware of the risk they take, and if they don’t like them then either don’t buy them or disconnect them from the web.

Member

I agree with malcolm r.

Just as it is impossible to make a tumble dryer that poses zero fire risk, i.e. one that can be absolutely guaranteed to never start a fire, making internet connected devices 100.000000% safe and secure will also be impossible.

In professional health and safety terms, we say something is “safe” if the risks associated with it are small (but not necessarily zero) in relation to the benefits arising from its use. Private cars are a good example of where we make trade-offs between convenience and safety. In other convos, we have already discussed the challenges involved in the design of “safe” self-driving cars and some of the potential unintended consequences of such designs.

If a code of practice – or standard – is to be produced, the above issues will need to be dealt with. From our discussion of fire safety standards for electrical appliances, we should be able to get some idea of how much work will be involved.

Member

At one time, mobile phones could make calls and send texts, and then they involved into powerful portable computers requiring security software and periodic updates to keep them safe. With some smart devices I expect that the same will be necessary.

As technology develops we will learn the risks and take appropriate security measures. At present it is not difficult to avoid smart devices and my main concern is with cars, where we may have no choice.

Member

I continually state that the internet is not safe regardless of what HMG+ big business state and I have posted on my negative opinion of the IoT,s . Well I have been justified by an Israeli professor -Dr. Yosi Oren -Senior lecturer at Ben -Gurion University at the Negev ( desert area ) . Using Google Search it took him only 30 minutes to hack into all the IoT,s gadgets , passwords etc etc allowing him to control cameras, baby watchers , every type you can imagine -quote- its terrifying how easily a criminal -voyer – hacker-pedophile can take over the devices . Once in they can control a whole network of cameras etc . Now you know why I have I blocked Wi-Fi /Blue tooth etc and only use a LAN cable AND have disabled it in the main programming.

Member

As I have said before NO technology is 100% safe ….I doubt it will be for along time because there are very clever people trying to break every new security system all the time many on behalf of governments everywhere

Member

You got that right Bishbut including the government comment.

Member

…and the first operational quantum computer wil spell the death knell for encryption, so that will be fun.