Regulations Challenging

Concerns Over IoT Security Stifling Smart Home Adoption, Conference Told

Consumers’ concerns about privacy and security are “adding friction” to sales of smart home products, said Brad Ree, chief technology officer of the ioXt Alliance, on a panel last week at Parks Associates’ Connections summit, a CES partner program. Over a third of consumers who don’t intend to buy a smart home product list privacy and security concerns as the top reason, said Parks analyst Patrice Samuels.


Another challenge, Ree said, is the recommendations following high-profile security breaches that tell consumers to buy products from known brands. That advice “is not necessarily true” and “stifles innovation,” he said. Many small brands are driving innovative solutions, he said: “If you just go buy the name brand because you think that’s secure,” that leaves consumers with “a false sense of security and totally reduces adoption rates.”

IoXt Alliance, with about 300 members including silicon and device makers, wireless carriers and ISPs, retailers and industry organizations, is trying to “raise the bar” of security in connected products, “remove that fear and doubt among consumers,” provide “transparency” through certification and work with regulators worldwide to offer an “industry-led approach to regulations,” Ree said.

Consumer worries about privacy and security have ramped up in the past two years, said Paula Al-Soufi, F-Secure director-solution offering, citing increased awareness of high-profile breaches. Company research shows four in five consumers don’t think device makers are doing enough to secure their products. She noted different approaches to securing consumer trust: through IoT security alliances, “bringing security into the product itself” or a holistic cybersecurity solution that covers all devices.

Finland, where F-Secure is based, was the first country to introduce an IoT security certificate program in 2019, said Al-Soufi, and more governments are seeing security as “a ticking time bomb” if actions aren’t taken to address it, she said. Singapore is focusing on Wi-Fi routers and smart home hubs, and the U.K. is moving toward legislation, she said. “There’s a very strong signal to the market that governments are taking this very seriously.”

The days when security and privacy could be implemented “without much thought into it -- and focus just on price and speed -- are over,” said Sharon Mirsky, chief operating officer at security platform provider Firedome. “Manufacturers need to do more.” Mirsky referenced efforts in Singapore, where certification is provided for free to incentivize device makers “to do the right thing” and provide more visibility to let consumers know what they’re buying. That allows manufacturers to differentiate on cybersecurity, she said. Only a few manufacturers are participating, but she predicts more will go in that direction, with “more legislation and regulation in years to come.”

Ree warned of a legislative patchwork in the U.S. as each state adds its own take to regulations. He cited California SB-327, which took effect Jan. 1 and requires devices to have “a reasonable security feature or features that are appropriate to the nature and function of the device.” The bill was the impetus for the founding of the ioXt Alliance. SB-327 began as an effort by lawmakers to “do the right thing,” said Ree, but it left manufacturers questioning what they need to do. One of the bill’s stipulations is that there can't be a universal password, which is clear, he said, “but what’s reasonable, what’s not reasonable? What are the penalties if I do this thing wrong?”

The internet's international nature complicates the bill’s requirements further, Ree said. Regional regulations don’t solve the overall problem, create difficulties for manufacturers trying to build at scale, and “often contradict each other,” Ree said. The California bill “spread like wildfire through the states,” he said. Other states picked it up but wanted to “debate and add or change,” he said. “So what you see is SB-327 gets adopted by Oregon with a couple small twists,” he said. Then Virginia added its own twists.

As states try creating legislation based on the California law, each tweak to the password rules and other stipulations becomes a burden on device makers: “I challenge the light bulb manufacturer who is going to have to build the light bulb that follows the Mississippi password rules,” he said. “Regulations are good,” because they set boundaries, but “done without a proper back and forth with industry, [it] becomes challenging.” IoXt Alliance’s position is that regulations have to be “testable, scalable and customer-impactful,” he said.

Technology is usually a few steps ahead of regulation, said Al-Soufi, which makes it difficult for device makers to keep pace. “By the time the regulation is out, it’s usually very gray, and then the manufacturers don’t know how to deal with it,” she said.

Parks’ Samuels asked panelists if there’s a way to mitigate the cumbersome processes for security protocols such as two-factor authentication to ensure ease of use and security simultaneously. Mirsky cited “best practices” such as closing ports, encryption and combining those with proactive security: “That doesn’t interfere and doesn’t hurt the user experience at all.” Firedome builds advanced endpoint protection for devices, she said. She called blockchain “overcomplicating and not necessary.”

Privacy has to be infused into “the entire developmental life cycle,” said Aleem Lakhani, executive vice president of insurer AmTrust North, noting security and privacy are different problems. Smart devices are expected to last five to 10 years, so it takes independent certification authorities to ensure there’s support behind devices for that long; otherwise, “these will move into the background and present lots of additional problems.”

Lakhani is a strong believer in blockchain as a security solution, touting the technology for distributing trust in a system and for being permissionless and “censorship-resistant,” but he said it isn’t mature enough for the smart home market. An industry challenge is that consumers are having difficulty accepting basic technology. Talk of blockchain conjures up cryptocurrencies, “and we lose them even further.”

Security should be part of the planning of a smart home device so it can be updated easily when necessary, said Al-Soufi. That requires a “mindset shift” for the industry. Long-term service of a smart home product should have a “life cycle” that manufacturers should consider from the product planning stage on.

The average cost of a security breach globally is $3.9 million, and $6 million in the U.S., said Lakhani. Brands also take a hit in consumer confidence, he said. Penalties are the most effective way to ensure companies maintain robust security practices, he said, which creates opportunities for insurance companies like his. A lingering question is “who has ownership of liability,” he said.

Prior to the IoT, a failed switch in an appliance affected only that appliance. In the connected world, “when the connection to all your washing machines for the entire North American fleet goes out, that’s a class of devices” that could lead to class-action lawsuits, said Ree. He cited Tapplock, a small Canadian startup the FTC settled with last year after alleging the company's Bluetooth smart locks failed to protect data (see 2005200051). Tapplock is “now going to have to have third-party assessment, controls over what they do, and have the government look over and manage their stuff.”

On whether advanced security in 5G technology can mitigate some security challenges for smart home products, Al-Soufi said all security solutions can be “virtualized” in 5G and protected through the network as well. But consumers won't replace their devices every year, she noted, so a security solution needs to protect all devices on a network and the network itself. Smart devices are connected to cloud services or apps that also need to be protected. Good password hygiene is a start, and identity monitoring services add another layer. “It’s about how you can add those layers of security to be better protected.” Security has to cover the older connected products in a home network, added Mirsky: The network can be only "as secure as the least secure device on the network."

Security starts with basics, said Ree, noting the ioXt Alliance has had products submitted for 5G certification that still use “admin” as the password. “If you don’t do the basics, it doesn’t matter the technology,” he said: “You’re still going to shoot yourself in the foot.”