Security and Privacy Labels could be the Key to Managing IoT Security Risks


Security issues related to IoT devices have been a problem for over a decade. IoT, or Internet-of-Things, devices are often unprotected, leaving them susceptible to unauthorized surveillance, making them a weak point in a network’s architecture, and exposing them to many other dangerous security risks. It seems as though security measures for these devices are unlikely to change in the near future. However, a new practice may be on the horizon to help manage a device’s risk.

Researchers from Carnegie Mellon University presented a security and privacy label prototype at last month’s IEEE Symposium on Security & Privacy. The label’s purpose for IoT devices can be compared to what a Nutrition Facts label represents for food. It informs a user of useful security information related to the specific device and explains how the device will handle user data and privacy controls. The label will include information on whether the device will get security updates, how long a company will support the device, what data will be collected, and whether or not that data will be shared.

Yuvraj Agarwal, a networking and embedded systems researcher who worked on the project, said, “In an IoT setting, the amount of sensors and information you have about users is potentially invasive and ubiquitous. It’s like trying to fix a leaky bucket. So transparency is the most important part. This work shows and enumerates all the choices and factors for consumers.”

Image Courtesy of IoT Carnegie Mellon University


The researchers at Carnegie Mellon want to ensure that the security label is as transparent and accessible as possible. In order to accomplish this, there are two different ways to access the label with varying degrees of specificity. The first way to access the label is to view it in printed form on the box of the device. Another way to access the label would be to scan a QR code or follow a URL that would guide you to a source that offers more detailed information.

Pardis Emami-Naeini, a security researcher who led work for this project, said, “We wanted to understand whether this information can convey risk and whether participants really understood what this information means. Based on the study, we found that some of the factors are really important. For example, if the data is being shared or sold to third parties, people are really concerned about this. And that hugely changed their risk perception, as does whether the device has multifactor authentication.”

Another important aspect of the security and privacy label is that it was encoded to be machine readable. This will allow the data to be processed and compared even if other countries or industries develop their own assessment tools. With these labels, researchers note, it can be easier to search for products by their security and privacy features. Products could become more mainstream and easier for consumers to research. The labels could also create standards for e-commerce entities to provide relevant filters that consumers can search by when looking for a device that they need.

The researchers who worked on the label have noted that there has been private-sector and congressional interest. With this interest, the researchers are working to find a manufacturer to handle the labels and produce them with real, accurate information about products. The researchers are also realistic about the fact that in order for these labels to have an impact, there needs to be a voluntary adoption of the label by manufacturers – or a government mandate requiring their use.

"There may be a really good reason that your thermostat has a microphone, but if the company doesn’t tell you, then you’re shocked," Lorrie Cranor, director of Carnegie Mellon's usable privacy and security lab, said. "If they tell you about the microphone up front and explain why that is, then you might say 'Oh, OK, that makes sense.'"

Although IoT security and privacy labels are not likely to be implemented any time soon, the security of IoT devices is a real issue – and these labels might just be the change that is needed to help manage these security risks.

Story via Wired



