Retailers Need To Make IoT Device Security A Priority
Retailers who don't take steps to address potential security flaws in the IoT-enabled devices sold either in their stores or online could not only be named and shamed by consumer groups, but also see their inventory gather dust.
Yahoo Finance reported that an open letter was posted to four retailers on Valentine's Day that called for the companies to pay attention to the concerns that people have with the standards of privacy and security. The letter was addressed to a quartet of household names – Target, Walmart, Best Buy and Amazon – and set out a number of minimum guidelines that every "reputable consumer company must be expected to meet."
Consumer-facing hardware is vulnerable
Security breaches have become ever more common among IoT devices, and there have been a number of incidents that have exposed just how easy it is to hack consumer-facing hardware.
The letter – signed by 11 groups, including the non-profit Mozilla Foundation – cited the example of CloudPets, cuddly toy animals that can store and replay voice messages sent to them via the internet. The toys were often used to relay messages from parents who were overseas, or even from deployed military personnel, with the recipient of the recording able to access it when he or she interacts with the toy.
In early 2017, the account details of around 800,000 users were accessed by hackers, with details such as kids' names, authorized users and birthdays all accessible. The toy was pulled from the shelves over a year later and the parent company – Spiral Toys – went out of business, but the security concerns raised by the CloudPets breach are still in play.
According to the open letter, the consumer groups want retailers to insist on five minimum guidelines for all IoT devices sold in stores or via ecommerce channels. These guidelines include the following:
- Encrypted communications
- Security updates
- Strong passwords
- Vulnerability management
- Privacy policies
The full text of the Valentine's Day letter can be found here.
Restore consumer trust
The plea to company decision makers did not identify any other retailers, nor did it set a timeline for implementation, but it did place the onus on retailers to ensure that IoT-enabled devices (toys, smart home devices, smart TVs and the like) are safe to purchase.
"Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future," the authors of the letter wrote. "Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide and build trust in this space."
The caveat to this novel approach to IoT security concerns is that retailers are under no obligation to actually do anything. In addition, shaming big-box companies on a collective basis is great in principle, but in the long run may just increase public awareness. And with billions of IoT devices still on the shelves, introducing minimum standards for security is only likely to take off when consumers stop buying the devices.
With that in mind, Perle offers high-performance networking tools that can be used by retailers that want to take advantage of IoT technology. To find out more about what we can provide, please check out our customer stories.