Connected homes may make our lives more convenient -- but they can also provide a conduit for cyberattackers to invade our lives unless strong security measures are put in place.
The Internet of Things (IoT) and the idea of the "connected home" -- from smart fridges that tell you when food is reaching its expiry date to smart lighting systems and wireless doorbells -- have grown dramatically in the last few years. Such smart devices might make our lives more convenient, but once you connect home devices and monitoring systems to the Internet through networking, privacy and security issues arise.
The connected home could become a strong, fresh revenue stream for tech giants once the idea truly takes off, but in the meantime, securing smart devices properly is an issue vendors must face.
In a Q&A session with ZDNet, Herman Yau, CEO and co-founder of Tend, developer of a Vision-as-a-Service (VaaS) platform for the connected home ecosystem, talked about cybersecurity issues affecting the IoT industry today -- and what lies ahead. Excerpts are below:
ZD: What are the main challenges facing vendors developing 'connected' or 'smart' home products when it comes to security?
"As connected home devices rely more and more on remote access and cloud technologies, protecting customer data in the cloud and on the device becomes increasingly vital.
While connected home products promise consumers convenience, these products may have potential security loopholes that invite hackers to attack. Of course, most connected home device companies recognize this. The true challenge is how to offer security in a way that does not affect the overall user experience and also in a cost-effective manner."
ZD: Do you think current privacy worries -- especially in light of the NSA activity exposure and the UK's 'Snooper's Charter' currently being discussed -- will impact on the future of the smart, connected home industry?
"Increased monitoring activities by security agencies like the NSA are inevitable. Today, these agencies work with network infrastructure providers to collect personal information on the Internet.
Already, an individual's privacy is threatened by access through a smartphone or personal computer in the home. It is possible that when connected home devices gain increasing popularity, security agencies will work with companies to use such devices as another entry point to monitor people's homes. Although the industry has developed many security technologies and practices to protect individual privacy, it will inevitably come down to lawmakers to decide whether security agencies are allowed into citizens' homes."
ZD: How does Tend monitor devices and alert consumers to threats?
"Tend keeps an eye on security announcements and advisories, such as CVEs published by NIST. We use this and other information to continually improve the security of our products and to provide device software updates to our customers."
ZD: We hear about how 'easy' it is to crack connected home devices such as smart meters -- whether to monitor individuals in a home or to cheat the system and alter readings. How widespread do you believe the problem is -- and what does the future hold for these products?
"In many consumer markets, security is an afterthought. Such has been the case with early-generation connected home devices. Older home automation devices offered little or no security. As hackers have begun targeting these devices, security has become important to consumers, and the industry has begun to address these flaws in newer products and platforms by requiring server authentication, access control, data encryption, etc.
Some older devices suffer from fundamental design issues that inhibit security. However, even newer devices that are properly designed often contain subtle flaws that may eventually be exploited. The industry will need to strive to stay a step ahead of the attackers."
ZD: What personal data do you believe vendors have a responsibility to protect on behalf of consumers?
"Connected devices can gather significant information about personally identifiable information (PII), user preferences, and even behavioral data. It is important to prevent such information from misuse both within the company as well as by attackers or other third parties. Often this information can be protected by anonymizing and aggregating it in such a way that original data cannot be extracted."
ZD: Do you think consumers also have a responsibility to keep their smart home devices secure? If so, in what ways?
"The vendor should take necessary steps to ensure that their product does not present security risks to consumers; however, it is ultimately the consumer who makes the purchasing decision. Consumers need to carefully evaluate and vet potential product purchases.
Additionally, if a customer does not keep his or her password safe, there is very little that a company can do to protect the user's data. Some forms of fraud detection are possible using state-of-the-art machine learning, but if these security measures are not implemented properly, they can also inhibit legitimate use of the product.
Product companies can choose to enforce strict password policies that might help protect customers, but such policies can also detract from the user experience and make a product more difficult to use."
ZD: What advice would you give to vendors developing smart products in relation to their security practices?
"When developing smart products for the connected home, security cannot be an afterthought. Soon, your smart product will be judged by how secure it is in the eyes of your customers. Security consideration needs to be included at an early stage of product design, and implemented in every aspect of the system flow. It only takes one weak link (whether it be the mobile app, device firmware or cloud server) to compromise your product security and the security of your consumers."