Imagine a typical day made simpler: While thinking about dinner at work, you access your refrigerator to see what ingredients you have. Your oven then does a recipe search and sets the cooking time and temperature.
The garage door opens automatically as your car approaches the house, and closes itself behind you. When you walk inside, the temperature is already adjusted to your comfort level and your washing machine has perfectly timed your laundry cycle’s completion.
These technologies are quickly moving beyond imagination and becoming reality thanks to the Internet of Things (IoT). The connected home offers homeowners unprecedented convenience, but with devices able to remotely track when residents are out of the house, monitor household activity through embedded cameras, and provide keyless entrance, security and privacy are crucial.
“Looking at the rate at which new products come to the market and the connectivity outside the home, all of the sudden there’s a lot of personal information being transmitted over the Internet,” says Hagai Feiner, founder and CEO of Access Networks and member of the Custom Electronic Design & Installation Association (CEDIA) board of directors.
And according to Feiner, this issue will only continue to grow.
“The more intertwined those devices are into our lives, the more risk is present,” he explains. “It’s becoming a bigger issue as we have more and more devices that are looking at our patterns—and this is where technology is going. The more products we have that are learning and that transmit to the Internet, the more risk we have of those devices being hacked and information being held by rogue identities.”
The market has grown quickly, and device security needs to be part of the conversation. That need led HP Fortify on Demand to create the IoT Top 10, an educational effort designed to explore the main security problems for IoT devices and help prevent them, says Daniel Miessler, practice principal, Fortify on Demand, HP Fortify.
“When people were talking about security, it was one issue in isolation … They weren’t talking about it very holistically. There was nothing that really took a look at the various problems that could occur and how often they are happening.”
Fortify on Demand recently used their IoT Top 10 list as a benchmark for a study that tested 10 of the most popular consumer connected home devices. A startling 70 percent of the devices presented serious vulnerabilities, with an average of 25 vulnerabilities per device and “major issues across all 10 surface areas,” Miessler says.
Eighty percent of the devices tested raised privacy concerns. Most devices collect some form of personal information, which can include addresses, health information or credit card numbers. With data being transmitted (often unencrypted) over users’ networks, and across mobile apps and cloud services, a data breach is far from an impossibility.
Additionally, 80 percent of devices failed to incorporate strong authentication measures, allowing weak passwords such as “1234” or using poor password recovery mechanisms. Sixty percent demonstrated an insecure web interface, and the same number did not implement protection for software files.
Guarding Against a Data Breach
With such realities in mind, CEDIA’s membership is taking an active role in monitoring these devices and their capabilities.
“In years past, we would look at physical security; now, we’re looking at digital security," says Feiner. "Who has access to what? What do these products do, and are these products safe? Who is going to control the remote access to the home? As we progress, the integrator’s work is going to continue and focus on the safety of the homeowner."
For homeowners, Feiner and Miessler agree, the best defense is awareness. It’s crucial that they understand their electronics and how to best configure them, Feiner says. “Homeowners need someone who understands integration and which products to go with to minimize the risk.”
To guard against allowing attackers access to sensitive information, homeowners should use strong authentication measures to secure their infrastructure and utilize the option to set up multiple networks.
“What is a little bit alarming about the Internet of Things is that you’re basically taking these vulnerabilities and combining them together into one product set, and then deploying that on your network,” Miessler adds. “When you get ready to deploy the devices, deploy them on the ‘dirty’ network—put them out there onto their own network … where they aren’t allowed to talk to your internal systems.”
A global survey on the IoT released by Fortinet in June indicates that homeowners are indeed thinking about security: 68 percent of U.S. respondents identified as “extremely concerned” or “somewhat concerned” about possible data breaches. Fifty-seven percent said that data privacy is important to them and they have misgivings about the potential use of their data, and 67 percent said that they would feel “completely violated and angry” should their data be surreptitiously collected and shared.
In spite of these concerns, the technology isn’t likely to go away. The home automation market is expected to grow to $16.4 billion by 2019, with an estimated 26 billion connected units by 2020. Homeowners are willing to pay for it: Only 25 percent of U.S. respondents in Fortinet’s survey indicated that they would “definitely not” be willing to pay extra for a wireless router optimized for smart devices.
As our lives increasingly move online, questions about security and privacy will continue, but it seems that for many homeowners, the benefits outweigh the risks.