Ask almost anyone at this year's CES expo in Las Vegas, and you'll hear one phrase again and again: "Internet of Things."
And so it begins, the craze that takes the world by storm, rinse and repeat, year after year. Once it was smartphones, then it was tablets, wearables, and now it's the smart home and our connected lives.
At its most fundamental level, the Internet of Things (IoT) refers to devices that connect to the internet. They can be anything from data-guzzling devices that monitor your physical activity, to smart thermostats that monitor the outside air and adjust your home temperature accordingly, to appliances that can think on their own and order groceries while you're at work.
But when your house comes under attack from an unknown threat, the Internet of Things craze paints an entirely different picture.
Security as an 'afterthought'
As the interest in IoT continues to rise, so does the concern about privacy and security. And all too often, device manufacturers have the same problem: they're thinking too much about the product, and not enough about security.
Take VTech, the Hong Kong-based toymaker that late last year suffered a massive data breach, leading to the theft of thousands of kids' photos, chat logs, and other personally identifiable information. The company willfully admitted its database was "not as secure as it should have been," leading to criticisms that the toymaker put the functionality of its toys ahead of basic device security.
"Security needs to be designed into the fabric of the service from the beginning. It cannot be bolted on as an afterthought," said Mark Nunnikhoven, vice-president of cloud research at security firm Trend Micro, at the time.
Deepak Patel, vice-president of engineering at security firm Imperva, said IoT devices are "easily the 'catch of the day' for cyber criminals," because all too often these devices have settings and options that are available from a web address, or come with basic and easy-to-exploit vulnerabilities.
Security first, functionality later
If you thought it couldn't happen to you, think again.
Just last year, security firm Rapid7 discovered a slew of baby monitors that included hard-coded credentials, allowing anyone with the right username and password in. The research highlighted a wider trend of not just baby monitors, but other IoT-connected devices, which are increasingly connected to business and enterprise networks.
"Even security-oriented devices such as CCTVs have been found to be completely broken," said Patel.
Only this week, Comcast's Xfinity home security system, which relies on IoT devices and sensors to monitor homes, was found to have a "fail open" flaw, which could allow an attacker to trick the system into thinking that doors and windows are locked and secured -- when in fact, they're not.
Tod Beardsley, research manager at Rapid7, noted a common issue: companies are "delivering IoT devices without addressing the problem of an active adversary attacking these devices -- even in the case where the IoT device is designed to be a security product."
No matter which way you look at it, every company nowadays has to be a security company.
The slow-brewing interest at CES, the world's largest tech expo, certainly shows that there have been valiant efforts to tap into the security space. But it's far from the industry-wide effort that some are calling for.
"Without a serious change in the security state-of-mind, it's just a matter of time until we see the first victims of the security flood caused by zombie toasters and microwaves," said Patel.