How secure are smart home devices? What do manufacturers of connected Internet of Things (IoT) products need to do to secure their products?
As more people install and use smart home products, fundamental security questions are increasing. Still, without clear regulatory guidance, manufacturers are mostly left to themselves to figure out connected product security.
In this time of fragmented landscapes, poorly defined regulations, and other growing pains, how should manufacturers of smart home devices approach the IoT security? These issues were the topic of a CES panel on “Security, Privacy, and Data Ownership Challenges in the IoT Era.”
Here’s some of what the panelists discussed—and what they recommended for manufacturers making or considering designing connected products with IoT security in mind.
Connected-Product Security is Still Being Defined
Security and privacy are now table-stakes for connected products, according to Christian Renaud, Research VP of IoT for 451 Research. But when you ask 50 manufacturers what ‘security’ means in their products, you’ll get 50 different answers.
“Security and privacy issues for connected products are still like warm jello—going through a phase transition from something nebulous to something more solid,” he said. Manufacturers can’t look for regulatory guidance, because IoT security regulations have yet to be well defined. In fact, the first law of its kind in the United States, the California Internet of Things (IoT) Security Law, went into effect just January 1 of this year.
Shaked Ilan, VP of Security and Research at Firedome, suggested that the IoT industry could learn from the computer industry, where antiviral and similar security is a must for every system, from data center servers to personal computers.
How Much Smart Home Security is Enough?
For Dima Tokar, Senior Product Manager IoT for Keurig Dr. Pepper, ‘adequate’ security requires a multi-prong approach that takes into account different degrees of severity for a potential security breach. For instance, some security breaches don’t affect a user’s privacy, whereas others are to be avoided at all costs.
“You can always spend more money and research on security, so you need to decide what’s adequate enough for each connected product,” Tokar said. “You need to find the happy medium based on the vertical you play in, the expectations of your consumers, the price point, the countries to which you sell, and so on.”
Security is Key to IoT Manufacturers' Brand
Security can be a real differentiator for vendors of connected products, according to 451 Research’s Renaud. The ones able to communicate clearly how they will secure IoT devices and data, and how they’ll protect data privacy, are likely to enhance their brand reputations.
Conversely, even one serious and high-profile security breach can be a brand killer, especially for smaller or less well-established manufacturers.
“The marketplace is changing, with the IoT industry-shifting very strongly toward security,” said Firedome’s Ilan. “When we talked to makers of connected products last year, they didn’t have a position or role in their organizations responsible for the security of their connected products. Today, almost everybody has someone in that role.”
Engage with IoT Security Experts
In-house expertise is rarely sufficient for manufacturers of connected products to provide the security necessary.
“As manufacturers, we will never have enough in-house security expertise to rival those companies that focus on security,” said Keurig’s Tokar.
“Even technology companies don’t have the in-house expertise—or the necessary resources, even if they have the expertise—to implement effective IoT device security,” said Ilan.
“I’m especially concerned about smaller manufacturers that say they have a robust security infrastructure because it’s an arms race—you have to have ongoing penetration testing and a hardened environment,” said Renaud.
He cites this concern as the reason he sees more manufacturers in 451 Research surveys leaning toward partnering with commercial IoT platforms versus building their connected security capabilities in-house.
Commercial IoT platform companies “have a team of people and support hundreds of customers, as opposed to a manufacturer that’s doing it once and figuring it out as they go,” Renaud said. “Manufacturers choose to work with commercial IoT platform companies not only for feature/function capabilities but also time to value—because they’re not reinventing every feature from scratch.”
Additionally, leading IoT platform providers such as Ayla Networks take care of remaining up-to-date with changes in technologies, regulations, and best practices. As an example, the Ayla IoT platform embodies the best practice of end-to-end security covering the device, cloud, and mobile app layers.
If you are developing smart home products, we invite you to contact the IoT platform experts at Ayla Networks for a free consultation to learn more about securing your connected devices now and for the future.