First of all, I have nothing against Security by Design. Let’s sort this one right out the gate! My point in this article is that Security by Design on its own is not enough. That’s something I can safely stand behind.
Now that we’ve straightened this one out, we can continue as planned.
The use of IoT devices, particularly in smart homes and for consumer use, is on the rise. No news here. If you ask Forbes, the IoT consumer electronics market is expected to reach $180 billion in 2022, in the US alone. Even though it’s sometimes hard to remember, the US population is just a very small portion of the entire world.
A recent report by Statista predicted that the market will have 75 billion connected devices by 2025. I can’t even imagine the amount of data.
There’s just one tiny problem…
Who’s the gatekeeper on the premises?
As more privacy-sensitive devices such as cameras and speakers enter consumers’ homes and connect to the network, the industry must be able to rest assured that these devices are secure and that consumers are safe.
Today, Home IoT devices are riddled with cybersecurity vulnerabilities and are ultra-easy pickings for hackers who usually look for the easiest point of entry into a network. Safe to say that the number of IoT devices is not the only trend that’s on the rise; related cyber attacks are growing in number, as well as complexity.
What’s the hackers’ incentive? Hacking a smart home device could allow a hacker to access sensitive data such as credit card and personal information, take control of the device to activate the microphone and camera without the user’s knowledge, use it as an entry point into other, more sensitive devices within the home network, use it for cryptomining, or just enjoy the prestige.
Still, while many companies in the industry do implement various security protocols, these are simply not enough to protect consumers’ privacy and safety.
Were you there, in January 2019, when Wired reported dozens of breaches in Nest cameras?
Users reported terrifying accounts that included hearing a voice on the baby monitor threatening to kidnap their child, or a voice on a security camera stating that North Korean missiles were about to strike the US, and more. Since this industry is so young, you can clearly understand why this is only the beginning, and it’s only going to get worse. Well, unless proper security measures are implemented ASAP.
The inherent problem of the home IoT industry when it comes to cybersecurity
There are a number of reasons why home IoT devices pose a threat to consumers who use them:
- Computing limitations – As an industry pro, you know that typical IoT devices for home use have many hardware limitations, including limited processing resources and little memory, and therefore require specific lightweight solutions that can work with embedded devices. In many cases, due to a lack of solutions, devices are left vulnerable to attacks.
- Monetary resources – In most cases, home IoT devices are very affordable. This makes the industry known for low margins, and manufacturers face the challenge of finding inexpensive solutions that get the job done without eliminating their profits completely. It doesn’t leave a lot of valid, feasible cybersecurity solutions.
- Lack of cybersecurity knowledge – In many cases, smart home device companies don’t have cybersecurity experts on board. And unfortunately, there is no CISO in consumers’ home networks.
The mature industry of connected computers and mobile devices has long understood the variety of risks that lie in cybercrime and is therefore heavily leaning towards dedicated software-based solutions for endpoint attack prevention. How come this isn’t today’s standard in the embedded ecosystem?
Who’s to Blame for Smart-Home Device Vulnerabilities?
What happens when an attack does occur? If a manufacturer or IoT device company sells a device, and that device gets compromised, the brand is held accountable. And quite rightfully, if you ask me. You can blame the authorities for not regulating this industry, you can blame consumers for letting anyone in their house, or you can blame the ISP for providing gateways that are riddled with flaws. But the more important question is, who will bear the costs?
What could happen?
For consumers and regulators, it doesn’t matter who is to blame – only who is responsible. Once a breach occurs, smart home companies will face a backlash from their client base, as well as significant damage to their brand reputation and bottom line. In other words, this can cost a fortune. Take CloudPets as an example: a cyber breach that resulted in the product being yanked from the shelves of the big retailers.
Don’t leave Security by Design alone in the field
Let’s say the company takes full responsibility and works to solve the crisis. Even if the problem is acknowledged and addressed, Security by Design (I assume you know the material) does not allow for quick implementation of patches and fixes, leaving all home-connected devices already on the market either unusable or a ticking time bomb.
Manufacturers need a solution they can rely on to dynamically learn new attack methods, prevent attacks, protect their brand and consumers, and allow for OTA (Over the Air) updates to fix problems in existing devices already in use – everything that’s not feasible with security by design on its own.
Why am I so sure that security by design isn’t fit to fight cybersecurity threats alone? Just look at some well-known best practices from other industries in the IoT domain, such as EDR for enterprises, antiviruses for private users, etc., and do the math. They didn’t start using advanced and proactive solutions simply for the sake of it. They encountered a burning need. And now the home IoT industry is going the same route.
But as always, since we are all late to the party, some will be the first to bear the costs, and the others will witness their crises and only then run to find suitable solutions.
That’s how humans work.
What Does the Future Hold?
As IoT becomes commonplace in every home, consumer electronics companies will soon address their current misconceptions about security. Security by Design is VERY important, no one says it isn’t. But it’s not enough, and other dynamic and proactive layers must be added to the blend to ensure safety, just like in other industries. Companies and manufacturers that don’t take the necessary security measures to protect their customers and brand will suffer the consequences of heavy damage to their brand reputation and bottom line as a result of negative PR, lawsuits, fines, and more.
As demand grows, more security players will find ways to tailor their solutions to the needs and limitations of smart home device companies (just like we did with Firedome).
Using a proactive and dynamic security approach is key to addressing cybersecurity risks.
Companies must implement tailor-made solutions for smart home devices in addition to Security by Design, solutions that will identify breach attempts and respond quickly to mitigate risks and damages. This will allow them to continue selling their devices at a profit while adding the security measures they need to keep them in business in the long term.