IoT security: University creates new labels for devices to increase awareness for consumers

TechRepublic’s Karen Roby spoke with Lorrie Cranor, director and Bosch Distinguished Professor in security and privacy technologies of CyLab and the FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, about security in Internet of Things (IoT) devices for Cybersecurity Awareness Month. The following is an edited transcript of their conversation.

SEE: Identity theft protection policy (TechRepublic Premium)

Karen Roby: October is national Cybersecurity Awareness Month. I think it’s great that each year this is gaining more and more traction as more people are starting to understand the importance of cybersecurity and attempting to even understand how to keep themselves or their companies safe. One of the big things that you’ve done a lot of research on and are working on right now is IoT privacy labels. Let’s just start with what they are and how you think this is going to help folks.

Lorrie Cranor: One of the things we’ve observed is that there are a lot of concerns about the security and privacy of IoT devices. You hear about it on the news. And then if you go into the store and pick up one of these devices and look at the box, there’s no information about security or privacy. Even if you shop online, you can compare all sorts of features, but there’s really nothing about security and privacy.

So, we thought, well, what if these boxes of IoT devices had labels like the food nutrition label on a can of beans that would tell you about the security and privacy kind of nutrition of these items? So, we went about trying to design one. We did some consumer studies. Consumers thought this was a great idea, but they didn’t know what they didn’t know. They didn’t know what information should be on these labels.

We did an expert study. We got lots of great info from experts, and we designed our label. And the way it works, it’s a two-layer label. On the packaging or on the website is just the most important information. And then there’s a QR code in a link that you can click on to go get all the gory details if you’re an expert or if you like to see all that detail.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Karen Roby: I think that what you just said really hits on something that really resonated with me. People don’t even know what they don’t know. They have no idea what should be important when they’re buying these devices that they’re putting all over their houses, but they have no idea.

Lorrie Cranor: That’s why we figured we’re going to highlight what are some of the important things. Some of the most important things are: What kind of access control does it have? Can anybody just come by with their phone and start programming your devices? Or can you set a password to lock people out who aren’t part of your family? That’s important.

We also looked at what information do they collect and are they uploading it to the internet? Or are they sharing it with other companies? Are they giving the target ads to you based on the information that your light bulb observes?

Then on the security side, it’s also important as to whether it gets security updates. If they find a vulnerability, is your device going to get hacked? Or will you automatically get the latest security update installed?

Karen Roby: When you talk about the manufacturers who are on the other side of this, what is the reaction like? Obviously you haven’t polled every company that makes the devices, but where do they stand on this?

Lorrie Cranor: We’ve been trying to get the word out, and we’re starting to get some interest from manufacturers. So far, this is still just a prototype, and it’s not out there. So, if anybody from a company is listening and they’d like to get in touch with us, we’d love to get it out there and actually do some piloting.

SEE: 5G: What it means for IoT (free PDF) (TechRepublic)

Karen Roby: These IoT devices, Lorrie, people are just gobbling them up and using them all over their homes and their businesses. Do you think people really have any idea with IoT devices the power that they have as far as just being vulnerable and open?

Lorrie Cranor: I think most people don’t really think about it. They buy these devices because they’re convenient and cool and fun and, “Oh, look, I can press a button and make my lights purple.” I don’t think they put a lot of thought into the security or privacy issues. There are other people though, who I talk to who say, “Oh yeah, I would never buy these things because I have no idea what’s going to happen. And they just scare me.”

Karen Roby: I definitely hear a lot of that, too, on the other side. What is your goal to make this  an industry standard one day? Is that what you’re looking toward?

Lorrie Cranor: Yeah. I mean, we’re hoping that it would become some sort of an industry standard so that you would be able to look at the package of similar devices and put them side by side and actually make that comparison because the information is in the same format on all the packages.

Karen Roby: That would make it more user friendly. I mean, we know you can compare a box of pasta, two different brands. You know exactly what you’re trying to look for, if it’s calories or whatever. But again, you put two different devices when you’re standing at Best Buy and you have no idea.

Lorrie Cranor: It’s really hard to do. We actually have a prototype of a little app that our students put together where you can kind of take your phone, scan those devices at Best Buy, and it will tell you, what’s the difference between them in security and privacy. That would be really convenient. Or when you do a search on Amazon, or whatever, that you could rank them based on security or privacy and things like that.

Karen Roby: Before we let you go here, being national Cybersecurity Awareness month, and the work that you guys do, and the research is such important stuff revolving around keeping people safe and their data and security from every standpoint. We’ve been talking about passwords forever and it still never ceases to amaze me that some people will have password 123 or those kinds of things. Have we progressed at all, do you think, from that? Or are we still stuck in this mode of well, my employees still aren’t using strong passwords, so there we go. We’re getting breached again.

Lorrie Cranor: We still have a big problem with passwords. I think over time, people are learning that they need to have digits in their passwords and things like that. But they’re still not being all that smart about it. We’re still seeing people who say, “Well, I have to have a digit, so I’ll put a one on the end,” which doesn’t really make your password strong.

It’s really hard for people because they’re being asked to come up with so many different passwords. And the right thing to do is to make them all unique, but it’s hard for people to keep track of them. And so, the advice that I give people is, use a password manager. That way you can have your password manager come up with random passwords for you, remember them all for you, and then you don’t have to remember them and it will store your passwords securely.

Karen Roby: That’s been a huge help for me, because I was constantly forgetting them and having to go back and reset them. And it definitely takes a load off and there they can be really strong passwords as well. What about two-factor authentication? I mean, where do you see that we are as far as authentication is concerned?

Lorrie Cranor: I think two-factor authentication is also great, and it’s an extra layer. Even if your password does get breached, if you have two-factor authentication, you’re going to be much less likely to have a problem because the attacker will have to get through both layers. When you have the opportunity to sign up for two-factor authentication for an account, it’s a good idea to do it.

SEE: Apple Watch Series 6: A cheat sheet (free PDF) (TechRepublic)

Karen Roby: When it comes to cybersecurity, you could talk about it, I’m sure, for days, and that the amount of research you guys are doing is really phenomenal. If you had to say, five years down the road, looking ahead, when it comes to cybersecurity, what are you hoping for? Do you hope everyone’s just more aware? That we have more people going into the cybersecurity field? What are you hoping for the future when it comes to this?

Lorrie Cranor: I think the cybersecurity field is a great field and I’d like to see more people go into it, more diverse people go into it. I also hope that we are able to develop tools that are inherently secure and easy to use so that the end user doesn’t have to be a security expert in order to be safe.

Karen Roby: That would be great. And certainly, the demand is there, Lorrie, too. I’m hoping that a lot of younger people, whether they’re in high school and involved in STEM or whatever, that they’ll start to see what a great field it is and the demand for these jobs. It’s there for sure.

Lorrie Cranor: Definitely.

Also see