January 11, 2016, updated 22 Sep 2016 12:00pm

Plug and play, dispose & educate: How to secure the smart home against cyberattacks

Exclusive Analysis: It is not about what a kettle can do for you, it is about what that kettle can tell others about you.

By Joao Lima

The smart home segment has exploded; however, crucial questions around device security could potentially squander the promised opportunity of a $72 billion industry by 2017.

Last week the consumer space was flooded with hundreds of new smart inventions brought to CES by all sorts of companies. At the same time, Google saw its Nest smart home product hit by a software bug that was shutting down thermostats in users’ homes.

In addition, last week, researchers found a security flaw in Comcast’s XFINITY security technology that, instead of protecting homes, could in fact help robbers enter more easily.

This comes after the industry was told in 2015 that smart home hubs could put families at risk of not only virtual attacks but also physical ones.

Speaking to CBR at the time, Jason du Preez, CEO of Privitar, said that people need to be aware that any information shared, implicitly or explicitly, could fall into the wrong hands.

He said: "We should think carefully about which services we use, who we share with and how we express our preferences. We need to think carefully about transacting with organisations that cannot prove they have the right governance, controls and systems in place.

"If users are to have any confidence that their private information will remain private, companies need to think very seriously about how they protect and anonymise users’ data."

All in all, the IoT comes down to building a trusting relationship between man and machine, and that trust is mostly built on security and privacy.

Yet, a shocking report from December revealed that 85% of IoT network devices use copied code, putting in jeopardy the future of the movement itself as it leaves devices vulnerable to attacks.

In the wake of a recent study that has found that as many as 56% of Brits are interested in the ability to manage or automate parts of the home remotely via a smart device, CBR spoke with Adam Simon, Global MD Retail at CONTEXT.

Following a 30% growth in the number of connected homes, how to secure the devices and the services around them is an unquestionably hot topic at the moment.

Simon said that one of the main aspects manufacturers need to consider is the secure disposal of devices once they reach the end of their lifetime. However, how do you dispose of a kettle that contains an IP address and could potentially help intruders enter a house?

He said: "For example, Dixons said that their knowhow division will securely wipe all data from devices given back to them. There is this kind of nightmare scenario of people dumping their kettle in a skip, and that kettle has all the IP addresses and passwords in there for someone to get into your home.

"I would take it to my local Dixons, to the knowhow department and ask them to wipe that out for me. At the end of the day, I am sitting at home with legacy devices because I am afraid of what is going to happen. It is a problem. As everyone talks about the explosion of IoT, then we have to think how we dispose of these things securely."

In the UK, the British firm has found that the top three security fears with smart home technology are identity theft (63%), fraud (57%), and misuse of devices (55%), three areas intrinsically linked to the safe disposal of devices.

"On one hand it is a brake on people buying because of security issues. 60% of people [in Europe] do not know enough about smart home products, they need to be educated. It is a journey that goes through education, and then purchase, and people are trying to jump straight into purchase, without knowing. If you go to a typical retail store there is no one explaining to you how something works."

Another neglected piece of security is the ‘plug and play’ functions manufacturers are seeking to deploy on devices. "The plug and play is a big dream to have. Nevertheless, if you put your security on the line, that might be an issue. It should be harder [to get devices up].

"If a product comes to your home and really is ‘plug and play’, it means you probably have not secured it. We would like it to be a bit more difficult in the setting up of the product, and that is because from the beginning that product has been designed to be secure."

While companies do not address these issues, the smart home market in Europe fails to gain traction with consumers.

As a result, 80% of Europeans have no intention of buying smart home products in 2016 while 57% agree that they would like to learn more about the smart home, according to CONTEXT’s survey of over 2,500 people in the UK, Spain, Italy, France and Germany.

Smart home cybersecurity manifesto

Consequently, CONTEXT has launched a smart home manifesto targeting the security of the home, dividing it into three categories: data security, data policy and consumer support.

The document was put together with input from companies and institutions including Deutsche Telekom, Nottingham University, Intel, D-Link and Dixons Carphone.

Simon explained that the company was trying to address the whole ecosystem, including government, retailers, manufacturers and academics, and particularly to create a dialogue between retailers and manufacturers.

"The question is: who ultimately is responsible if faulty goods allow privacy to be assaulted? The industry has to work very closely together to make something happen on it.

"We have one controversial thing in the manifesto that not everyone will agree with, which is ‘all data in the home should be encrypted’."

Data encryption falls under the data security vertical of the manifesto. In the same category the firm said that first, the smart home must be secure by design and security cannot be added as an afterthought.

Secondly, the smart home must be able to authenticate all users, and thirdly, all data flows through the smart home must be encrypted.

As a last key point in data security, the firm said that more must be done to ensure end-to-end security, as devices communicate to the cloud and data centres.

Moving on, Simon set out the data policy aspect, "probably one of the most important things in the manifesto".

"First, companies must adopt transparent data policies. It must be made explicitly clear what personal data is collected and what that data is then used for. Consumers must be told if any company sells their data to marketers or any other third party.

"We think that is the core of it. In the same way you give permission for data to be used in many different applications, that is the type of thing we think should be the case. Transparency. This is what consumers would like and what they should expect."

As a second principle in data policy, the manifesto says that all smart homes must offer the same level of privacy as homes do now. "That means when the doors are closed, and the curtains pulled down, no company or person should expect to be able to access any activity of the home owner."

Lastly, in the consumer support space, the manifesto says that all smart home devices must be accessible and understandable for all users, regardless of technical power. The end-user should never be blamed for a security vulnerability that arises in the installation or the running of a product or service.

As a last note, CONTEXT states that all devices and services must launch with lifetime support, with regular updates and on-going support for the consumer for as long as the product or service is live.

Simon said: "Security needs to be provided since the item is designed until the item is disposed."

Nonetheless, while the industry still needs to work around security, mass adoption of smart home technology will most likely not come from the general public buying products, but from developers and contractors.

Selling smart home devices to developers and constructors would get a lot of IoT technology out there and would indeed start a revolution in the building sector, making smart home technology the norm. As a consequence, knowledge around smart home technology would rise, along with the desire to own smart products.

Simon said: "There is a big opportunity there. Manufacturers are targeting the opportunity. There is a smart buildings opportunity, which is a B2B opportunity, which sits in parallel with the smart home opportunity."

 
