Security in the connected home – why there is no simple answer


Guest post by Wolfgang Kandek, CTO at Qualys.

Christmas in 2015 saw an estimated 50 million new connected devices enter homes across the world, according to research by the Online Trust Alliance. Some of these were simple household objects that can be linked to the Internet like the iKettle, while others were novelties like Hello Barbie, a toy that can listen to children then automatically respond to their questions. However, these devices are often not developed with security in mind.

One of the problems here is how these devices are designed from a software perspective. Many of the companies involved in producing IoT devices or adding Internet services to toys do not consider security over time as part of their products. For example, Hello Barbie has already been taken apart to find several issues that could be used to subvert the toy from its original purpose of entertainment for a child. An Internet-enabled door lock was subjected to attack and found to risk other devices on the same Wi-Fi network.

For companies involved in producing new devices with IoT services embedded into them, ongoing security should be a key concern. If a hole or problem is found within the software that runs these Internet-enabled devices, a solid update process should be in place to solve the issue. However, these devices are often sold without this being considered, so consumers have to ensure the security of their own data instead. For those who are familiar with the principles of IT security – or are significantly paranoid – this would not be an issue. However, most consumers don’t think in this way.

The second problem here is that these devices support speech recognition. As these devices are often low-cost, the speech recognition does not take place on the item itself, as this would require huge amounts of processing power. Instead, speech segments are recorded and sent to the cloud for processing. After the analysis is completed, an appropriate response can be sent back to the device. This can produce a more life-like response from a toy, or provide useful information to the user.

However, the need to capture speech means that recording takes place continuously. Everything that is recorded is uploaded for recognition, which presents its own data privacy and security concerns.

Many of these devices are designed without consideration for what can go wrong if a determined hacker is involved. Use of the speech data should be limited to specific requests, rather than ongoing storage and analysis; a hack could otherwise lead to speech data being sent to another location and mined for information. These services should therefore be locked down so that they cannot be misused.

Solving the security problems in the connected home
Ultimately, this is emblematic of how we approach innovation. As new IoT devices enter the market, are these products designed with security in mind, or are they being rushed out to meet deadlines? Rushing is a false economy: data security should be part of the initial thinking that every company puts in place.

For the device manufacturers, this “security by design” approach means accepting that security is never fully completed once Internet-enabled services are involved. If a company wants to ship a product and not have to support it afterwards from a software perspective, then Internet connectivity should be left out. If Internet-based services are included, then further decisions are needed about how the product is priced over its lifetime to cover that ongoing maintenance.

For consumers, these IoT devices should be treated just like other IT assets. We would not dream of putting our laptops on the Internet without security software, so why should these devices be treated any differently? While firewalling individual Barbie toys or household goods might not be practical, there are other steps we can all take to protect ourselves.

One solution is network segmentation. Rather than allowing all our devices onto one Wi-Fi network, any new smart gadgets can be limited to a specific section of the network. For most consumers, this would take the form of a separate Wi-Fi network for those “untrusted” devices. Secured devices like tablets, PCs, and laptops can run on another section, and the traffic they create would be kept separate.

Today, Wi-Fi network segmentation requires technical awareness beyond the reach of most consumers. It is possible, however, and with more thought given to the end-user experience it can be made simple for consumers to implement.
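As an added illustration of the segmentation just described (example code, not part of Wolfgang Kandek's post), the following Python models the zone policy a home router would enforce between a trusted segment, an “untrusted” IoT segment and the Internet, and emits an equivalent nftables ruleset for a Linux-based router. The subnets (192.168.1.0/24 for trusted devices, 192.168.20.0/24 for IoT), the router address 192.168.20.1 and the interface names lan0, iot0 and wan0 are constructed assumptions.

```python
"""Zone-based segmentation policy for a connected home (added example).

Constructed assumptions: trusted devices live on 192.168.1.0/24, IoT
gadgets on 192.168.20.0/24, and the router is 192.168.20.1 on the IoT
segment.  Interface names in the nftables ruleset (lan0, iot0, wan0)
are placeholders.
"""
import ipaddress
from dataclasses import dataclass

TRUSTED = ipaddress.ip_network("192.168.1.0/24")    # laptops, tablets, phones
IOT = ipaddress.ip_network("192.168.20.0/24")       # kettle, toys, door lock
IOT_GATEWAY = ipaddress.ip_address("192.168.20.1")  # router's address on the IoT segment

# The only router services an IoT device may reach: DNS, DHCP, NTP.
GATEWAY_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67), ("udp", 123)}


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection, as seen by the router."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr == IOT_GATEWAY:
        return "gateway"
    if addr in TRUSTED:
        return "trusted"
    if addr in IOT:
        return "iot"
    if addr.is_global:
        return "internet"
    return "unknown"  # other private/reserved space we never expect to talk to


def decide(flow: Flow) -> str:
    """Return "accept" or "drop" for a NEW connection.

    Reply packets of accepted connections are admitted by connection
    tracking in the ruleset below, so they never reach this decision.
    """
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == "trusted":
        # Trusted clients may initiate to anything, including the IoT
        # segment (e.g. the phone app that controls the door lock).
        return "accept"
    if src == "iot":
        if dst == "internet":
            # The gadget's cloud back-end (speech recognition, updates).
            return "accept"
        if dst == "gateway" and (flow.proto, flow.dport) in GATEWAY_SERVICES:
            return "accept"
        # iot -> trusted: a compromised toy must not reach laptops or NAS.
        # iot -> iot: same-segment traffic never crosses the router's
        # forward hook, so this part is enforced with client isolation on
        # the access point rather than by the firewall.
        return "drop"
    # Unsolicited inbound from the Internet or from unrecognised address
    # space is dropped.
    return "drop"


def nft_ruleset() -> str:
    """nftables equivalent of decide() for a router with three interfaces."""
    return """\
table inet home_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" accept
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept
        iifname "iot0" udp dport { 53, 67, 123 } accept
        iifname "iot0" tcp dport 53 accept
    }
}
"""


if __name__ == "__main__":
    sample = [  # constructed flows; 8.8.8.8 stands in for any public address
        Flow("192.168.1.10", "192.168.20.5", "tcp", 80),   # phone -> door lock
        Flow("192.168.20.5", "192.168.1.10", "tcp", 445),  # lock -> laptop share
        Flow("192.168.20.5", "8.8.8.8", "tcp", 443),       # toy -> cloud service
        Flow("192.168.20.5", "192.168.20.1", "udp", 53),   # toy -> router DNS
        Flow("192.168.20.5", "192.168.20.1", "tcp", 22),   # toy -> router SSH
        Flow("8.8.8.8", "192.168.20.5", "tcp", 80),        # internet -> toy
    ]
    for f in sample:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: {decide(f)}")
    print(nft_ruleset())
```

The ruleset omits NAT (masquerading on wan0) and DHCP/DNS daemons, which the router needs as usual. One deliberate difference: `decide()` refuses IoT traffic to non-global destinations such as other private ranges, while the nftables rule lets anything routed out of wan0 through; matching that in nftables would need an address set of the private ranges in the `iot0`-to-`wan0` rule.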

There is also a business reason for companies to support this approach. The growing number of IoT devices should drive up demand for bandwidth and, with it, spending on Internet connectivity services. The same growth is also an opportunity for providers to differentiate themselves: just as providers have offered free security software or network-level protection to entice customers, connected home security could become a future differentiator for telecoms companies.

Already, the industry is beginning to mature and put standards around connected devices in place. This will help the whole industry to develop, as well as ensuring that security is put in place for the future. However, the most important element here is that IoT device manufacturers and the consumers buying these devices recognise that security should not be an afterthought.

For all the companies involved in making the smart home a reality, security should be treated as a fundamentally important building block for success. The lessons learned around IT security can be applied in the IoT market to ensure that the same mistakes are not made again.
