Just like all businesses, technology manufacturers exist to make a profit, and the dawn of the Internet of Things (IoT) presented limitless opportunities. Not wanting to miss out, the first businesses to grasp the potential of this new market got their products out as quickly as they could, prioritizing speed and functionality while leaving security as an afterthought – if it was a thought at all.
As a result, many of the first wave of IoT devices lacked the ability to update software or firmware. So, even when new vulnerabilities were discovered, there was no way to patch them, and hackers wasted little time taking advantage. (New vulnerabilities continue to be discovered today, by the way, even with older firmware.)
Also, knowing that most homeowners were more interested in getting their new gadgets up and running than they were in security or privacy, manufacturers didn’t provide a lot of guidance. Their set-up instructions, for example, didn’t always stress the importance of changing the default login credentials.
Up for one more wrinkle? When appliance manufacturers started adding smart features to their legacy products, they were trying to get people to buy new TVs, refrigerators, etc., not cutting-edge technology. Smart technology wasn’t their core competency, and it still isn’t. That means that keeping the “smart” aspects of their products up to date may not be a priority.
Has the Internet of Things Jumped the Shark?
Not at all. Businesses were right about consumers’ hunger for IoT devices. They’re convenient and, let’s face it, cool. There are already more IoT devices in the world than there are people, and it’s predicted that the number of smart devices will reach 20.4 billion by 2020.
However, there’s a huge speed bump looming on the horizon: consumers are becoming aware that convenience and coolness come with a trade-off. According to one report, 28% of those who don’t already own a connected device say concerns over security and privacy might discourage them from making that leap.
The Current State of the Consumer IoT
Consumers are now starting to wonder whether the fun and convenience of IoT devices are worth the risks. On the other side, governments around the world are becoming concerned enough to consider legislating IoT security.
The good news is that IoT manufacturers are sitting right in the sweet spot. By taking action on their own — because it’s the right thing to do and because their customers demand it — without being forced to do so through legislation, they have an opportunity to build a foundation of trust.
And opportunities like that don’t come around very often. Remember, when everyone thought that buying things online was sketchy? Now we do it every day without a second thought. That’s because online retailers and security experts teamed up to make sure online shopping was safe.
We now have the same opportunity with IoT devices.
What Manufacturers Can do to Make Their Devices More Secure
I firmly believe that the Internet of Things will eventually be regulated; it’s too big not to be. And, even if manufacturers take the initiative, there will need to be some sort of coordination to ensure all of those devices can be secure and still play nicely together. The UK has taken the initiative by creating a Code of Practice for Consumer IoT Security, but that’s just the beginning, and we have a long way to go.
Starting right now, I strongly encourage the makers of consumer IoT devices to embrace privacy-by-design. Stop rushing your products to market knowing you’ll eventually have to address security issues. We’re now at the point where real people’s lives depend on their smart devices working like they’re supposed to. And I’m not just talking about pacemakers and other healthcare devices.
What if all of your refrigerators turned themselves off at night and back on in the morning (so that no one noticed), spoiling the contents and launching a wave of food poisoning?
Or what if somebody launched a Stuxnet-type attack on your smoke detectors, turning them off while all indicators suggest they’re still working perfectly?
In other words, it’s time to stop crossing your fingers and hoping for the best.
Security By Design
So now that I’ve (hopefully) thrown some well-deserved fear into the mix, here are my top security-by-design recommendations for manufacturers:
- Choose a method for being able to verify the identity of each device. You’d never allow an unidentified user into your network, and you shouldn’t expect your customers to, either. Security starts with being able to establish the unique identity of each of your IoT devices throughout their lifecycle. The best methods for doing this depend on the device and its capabilities, but they include things like secure boot protection, code signing and digital certificates like traditional RSAs or elliptic curve cryptography (ECC).
- Stop using default login credentials. Currently, most manufacturers use default login credentials like “admin” and “password,” relying on consumers to change them when they set the device up. The problem is that many never do, leaving devices with the default credentials vulnerable to even the dimmest of cybercriminals. Ending this practice is the top recommendation in the code of practice guidelines published by the UK government. Instead, make it a policy that all of your consumer IoT devices come with default login credentials that meet best-practice guidelines for passwords. In the meantime, design your devices so that customers are forced to change the default login credentials during the initial setup.
- Design your devices with the security defaults on the highest, most secure settings. If consumers want to change those settings, make them click an acknowledgment that their changes may make the device less secure.
- Stop making devices that can’t be updated. Make sure every smart device you sell can be easily updated (or patched) if/when a vulnerability is discovered, that the updates are delivered via a secure channel with no required downtime and that consumers are notified promptly. Or better yet, just make the device auto-update on its own without required user action once the preference is set.
- Start providing a solution that separates IoT devices from the user’s main network. Most consumers don’t (yet) understand the implications of IoT devices on the security of their home network. Even advising them to connect their devices to a guest network or a subnet goes a long way. That way, if one device is hacked, it can be isolated from other devices or the rest of the network, minimizing any potential damage. Apple and Linksys have already started providing a service that automatically segregates networks for different uses.
- Stop hard-coding credentials (cryptographic keys, device identifiers, etc.) in device software. It’s too easy for cybercriminals to discover them through reverse engineering. Store credentials either within the devices themselves or within your services.
- Encrypt data in transit. Not only are many IoT devices insecure, so is the data they store and transmit. So securing the device isn’t enough; you also have to encrypt the data itself. For many makers of home IoT devices, data security is not a core competency. (Who would’ve thought you’d need to encrypt data sent by a refrigerator?) In that case, you’ll need to either hire top-notch data security talent or outsource encryption to a reputable security firm. Regardless of who designs the security, your devices should meet the standards of the Global System for Mobile Communications Association (GSMA) or the Internet of Things Security Foundation (IoTSF).
- Shut down as many points of vulnerability as possible. In other words, if you don’t need it, seal it up. That includes things like unused ports and excess code and/or services.
- Build in tripwires. Design your devices to notify you of possible breaches and to store and install the latest known good-state version of the software. This allows the device to continue operating without risking additional exposure.
- Have a backup plan for outages. Design your devices so that they continue to provide (at least) minimal functionality if there’s a network outage and to restart seamlessly in the case of a power outage.
- Be transparent with your customers. Consumers are just now becoming aware of the security issues inherent in IoT devices. And the more transparent you are about those risks, the more they’ll trust you. Clearly state the steps you’ve taken to secure your devices, the steps users need to take, and any risks that remain. And don’t bury the information in a thick, boring user guide; make it a separate sheet with bold colors, infographics and anything else you can do to make it impossible for customers to ignore. Also, provide an easy way for customers to contact you if they have questions.
- Don’t forget about privacy. Privacy regulations have a headstart on security regulations, and many organizations are already accustomed to the privacy-by-design mindset. The challenge, however, is for brands stepping outside of their core competencies. Appliance manufacturers aren’t accustomed to thinking about the fact that what their refrigerators know about a family’s eating habits may violate privacy laws. So, if you haven’t already done so, make sure your devices are in compliance with laws like the EU’s General Data Privacy Regulation (GDPR), the California Consumer Privacy Act, and the many other privacy regulations being enacted in countries around the world.
For more detailed information, you may want to refer to the Code of Practice for Consumer IoT Security, published by the UK government.
The Future of IoT for the Home Rests on Your Dedication to Security-By-Design
Homeowners want your products; there’s no doubt about that. The only thing that will stem that tide is if they start to believe the risks outweigh the rewards. With the consumer IoT market projected to be worth more than $104 billion by 2023, it would be a shame to let the opportunity pass you by because you failed to embrace security-by-design. And the companies that do it first — without being compelled to become secure via legislation — will have a headstart on earning consumer trust.
So what are you waiting for? If you’d like a deeper dive on how you can secure your consumer IoT devices, check out these guidelines (they even have color-coded checklists!) by Consumers International.