Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.
The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.
Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization’s director of electronics testing, said in a phone interview. This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.
The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things. “Personal cyber security and privacy is a big deal for everyone. This is urgently needed,” said Craig Newmark, the founder of Craigslist who sits on the board of directors at Consumer Reports.
In one high-profile October attack, hackers used a piece of software known as Mirai to cripple an internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours. Another attack in November shut off internet access to some 900,000 Deutsche Telekom customers. Security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices.
“We need to shed light that this industry really hasn’t been caring about the build quality and software safety,” said Peiter Zatko, a well-known hacker who is director of Cyber Independent Testing Lab, one of the groups that helped Consumer Reports establish the standards. The first draft of the standards is available online at thedigitalstandard.org.
Issues covered in the draft include reviewing whether software is built using best security practices, studying how much information is collected about a consumer and checking whether companies delete all user data when an account is terminated. Jeff Joseph, senior vice president for the Consumer Technology Association, called the decision by Consumer Reports a “positive step” but cautioned that the group “must be very clear about how they score products and the limitations of what consumers can expect.”