Table of Contents
- What is the Digital Standard?
- Who Created and Maintains the Digital Standard? Who can Contribute?
- Why is Testing Important?
- Why was this Testing Handbook Necessary, and Who is it For?
- How does the Handbook Score Products?
- How did we Pick the Products? (And Why aren’t We Naming Them?)
- What Products did we Ultimately Choose?
- How did we Design the Technical Testing Procedures?
- How did we Design the Policy Testing Procedures?
- What would we Change in the Standard?
- Conclusion
Why is Testing Important?
The huge expansion in the number of connected IoT smart devices over the last decade has made accessing parts of our homes from an app a routine part of daily life. While someone installing a new smart doorbell may not think of it as an internet-connected computer, it is. All of these devices are potentially susceptible to many of the same kinds of vulnerabilities as laptops and phones are. IoT devices also present new possibilities for cyber attacks that can escalate to consequences in the physical world. If your smart lock gets compromised, someone could remotely unlock your front door; if your thermostat gets compromised, your heat could be turned off on a cold winter night. However, the average consumer is likely more accustomed to thinking about the harms associated with the food in their refrigerator spoiling than the computer in their refrigerator getting hacked.
It is often unclear, even to the technically savvy, what pieces of technology were used to make a traditional product "smart," or how closely those pieces integrate into or intersect with the basic functionality of a product. There is not one single way for a manufacturer to go from making thermostats to smart thermostats. Different smart products will connect to the internet in different ways, and present both unique features and unique security risks.
Unlike laptops and phones, a huge number of IoT devices exist in a space where their manufacturers are either unable or unwilling to update a device's vulnerable code. This presents a problem for durable goods, such as major kitchen appliances, which are often expected to function for over a decade, far exceeding the traditional support cycles of most internet-connected products. There is often no way to know ahead of time whether a manufacturer can or will provide ongoing updates, or for how long they will do so. There is also little way to know from the outside of the box if a product handles user data correctly.
Many IoT products may not even be tested for their digital security before being sold. And even in cases where manufacturers do rigorously test their products, it is rare for either the testing criteria or the results to be released.
This puts consumers in a situation where they cannot fully evaluate the quality of products, make informed choices about the risks those products may pose to their own privacy or security or that of their loved ones, or judge whether the benefits of a product's features truly outweigh those risks.
An open, shared, and widely used testing framework could change all of these dynamics. Better testing could allow consumers to make more informed choices, and interacting with those results could help educate consumers on some of the risks inherent in internet-connected things. Widespread product testing could also encourage companies to learn about and implement best practices for digital security.