Can UL Save Us From the Internet of Things (IoT)?
Back when electricity was harnessed and wiring and lightbulbs and fans and stoves and other household electrical items became common, there was a good chance your Grandma’s house could burn down from the substandard wiring and faulty equipment that was being produced and sold. Enter the Underwriter Laboratories (UL) in Chicago, a name now known around the world for trusted testing and certification.
Beginning in 1894, UL developed standards, launched tests, designed equipment and uncovered fire and safety hazards of that new technology — electricity — so consumers could be assured products were safe to use and met minimum performance standards. That little UL tag on electric products was, and still is, the gold standard for consumer confidence in all kinds of gadgets from mixers to microwaves.
Except when it’s not.
A new wave of products has emerged with today’s wireless technologies that mimic exactly what happened when electricity was introduced in the early 1900s. Today we have devices embedded with electronics, software, sensors and connectivity that allow them to exchange data with similar “things,” but that have no standards for reliability, security, or performance. Every-day examples of theses Internet of Things (IoT) include smart thermostat systems, white goods like refrigerators/washers/dryers, home entertainment systems and even light bulbs that utilize Wi-Fi, Bluetooth or LTE for remote monitoring and control.
So, who is watching out for consumers in this evolution of the IoT? Who is testing and guaranteeing the reliability of smart lightbulbs, DVRs, security cameras and the other estimated 20 billion IoT products expected to be in use by 2020? So far, the manufacturers themselves are not the answer. Take security as an example. These devices, which have typically operated in isolation, can from now on be considered interconnected because each has an embedded computing system, allowing it to operate within the Internet through machine-to-machine communications.
Manufacturers — whose primary concern is that the products just work — send them out with preset passwords that make them easier to “plug and play.” As a result, just 68 generic username and password pairs are used by dozens and dozens of products and manufacturers.
Hackers and those seeking denial of services (DDoS) know this, and they know consumers rarely change the default. For example, a malware dubbed “Mirai” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Yes, it doesn’t really hurt you, but your refrigerator could be part of a botnet.
So, if manufacturing giants like Samsung and Panasonic are not taking care of issues like this, who is? Enter UL once again. The company has dedicated 600 experts to cybersecurity efforts, examining source code in connected devices, hunting for vulnerabilities and looking at components that could be particularly susceptible to errors. Devices that meet the IoT standards will be certified as “UL 2900 compliant.” The first round of testing began last year and is focusing on industrial and medical products. And as more connected equipment and sensors enter the workplace and homes, other efforts are underway at UL to help secure these devices as well as certify their reliability.
The European Union has gone even farther, passing policies to assess the opportunities and risks of this migration to machinery that is functionally devoid of human interaction — but which affects manufacturers, retailers, policymakers, regulators, service companies, and consumers.
Will the US be next to force some type of compliance? Or will the marketplace take care of that through competition? We’ll know long before 2020.