A 2016 study commissioned by August Home and Xfinity Home projects that 30 million U.S. households will add smart home technologies over the next 12 months. IHS Markit (a consumer intelligence firm) expects the smart home market to grow to 477 million devices by 2020. Recent trade shows like the annual Consumer Electronics Show have built up hype based on consumer enthusiasm for IoT devices. The cool factor associated with these devices has led to their increased adoption. However, the lack of standardization and the relative nascence of the Internet of Things (IoT) industry have led to these devices being purchased indiscriminately. There is a paucity of research on how these devices interact and how best to securely and optimally integrate them, which has led to uninformed purchasing decisions primarily based on hype. An example of this behavior is a family that purchases an Amazon Echo (which interconnects smart home systems and enables the user to control them by giving voice instructions to the virtual assistant) for Christmas and later acquires an Insteon Hub for home automation (which connects the user to their smart home devices from anywhere in the world using a mobile device).
The problem with assembling IoT devices disjointedly is that, while each device may be secure on its own, together they may create significant vulnerabilities. In a personal interview, Brian Johnson, a cybersecurity analyst at the MITRE Corporation, detailed an experiment that was conducted on behalf of the National Cybersecurity Center of Excellence. The experiment involved an Insteon Hub, an Insteon On/Off Module, and a wireless door lock. The wireless door lock was secure, as its key used a rolling code that protected it against replay attacks. The vulnerability of the entire system was associated with the radio frequency (RF) signal that the Insteon Hub used to communicate with the wireless lock. When the smart home app is used to open the door lock, the smart home hub sends an RF signal to the door. The experiment discovered that the RF signal could be captured and replayed using a HackRF to open the door, thus compromising the security of the entire system. This experiment highlights how the interconnectivity of IoT systems may be exploited.
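Why a rolling code resists replay while a fixed command does not, shown from the receiver's side as an added example that is not from the original article or from the experiment it describes. It assumes the hub command can be modelled as a fixed frame and the rolling code as a counter authenticated with HMAC; the key, frame layout and all names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not from any real device
WINDOW = 16                    # how far ahead of the last counter a frame may be
TAG_LEN = 8                    # truncated HMAC tag; short only to keep the demo compact

def make_frame(key, counter, command):
    """Sender side: command + 4-byte counter, authenticated with HMAC-SHA256."""
    body = command + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class StaticReceiver:
    """Accepts any frame equal to one fixed command, so a recording works again."""
    def __init__(self, unlock_frame):
        self.unlock_frame = unlock_frame

    def accept(self, frame):
        return hmac.compare_digest(frame, self.unlock_frame)

class RollingReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key, command):
        self.key, self.command, self.last = key, command, 0

    def accept(self, frame):
        if len(frame) != len(self.command) + 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected) or body[:-4] != self.command:
            return False
        counter = int.from_bytes(body[-4:], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return False  # already used (replay) or implausibly far ahead
        self.last = counter
        return True

def demo():
    static_rx = StaticReceiver(b"UNLOCK")
    rolling_rx = RollingReceiver(KEY, b"UNLOCK")
    recorded = make_frame(KEY, 1, b"UNLOCK")  # constructed "captured" frame
    return {
        "static_first": static_rx.accept(b"UNLOCK"),
        "static_replay": static_rx.accept(b"UNLOCK"),
        "rolling_first": rolling_rx.accept(recorded),
        "rolling_replay": rolling_rx.accept(recorded),
        "rolling_next": rolling_rx.accept(make_frame(KEY, 2, b"UNLOCK")),
    }
```

The integration point matters as much as the lock: if any hop between the app and the door accepts a repeatable frame, the freshness check on the other hops no longer protects the system.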
The projected exponential growth of IoT devices implies a massive increase in software complexity and ubiquity. With the introduction of multiple IoT devices having diverse interfaces and functions over the coming years, IoT software complexity is sure to increase and expand the attack surface. This proliferation will also pose unique challenges in designating responsibilities for various parts of the burgeoning IoT system. According to McKinsey & Company, some 30 billion objects could be connected to the IoT by 2020. Considering this in light of the rapidly expanding global economic space, IoT will grow beyond the point where it can be suitably managed. Issues of responsibility and accountability for security and maintenance are bound to arise. A major feature of current IoT implementation that exacerbates this problem is the lack of standardization in the IoT industry.
The present-day IoT has been described as the "network of networks." Devices have disparate, multiple control systems and networks like Z-Wave and ZigBee to control various features like HVAC (heating, ventilation, and air conditioning), telephone services, home security, and more. IoT standards are particularly lacking in the areas of security, privacy, communication, and architecture. Several IoT consortiums and developers have sprung up to institute interorganizational IoT standardization. The inability to communicate across devices and platforms creates a need for various connections to gain access into the IoT network to facilitate the operation of the IoT system. This creates a vulnerability, as the agents behind various connections cannot always be verified. These vulnerabilities can be exploited to perform attacks that can degrade the safety and comfort of our homes.
An area where this lack of standardization affects homeowners greatly relates to insurance. Let's say an electrical fire occurs in an insured home, leading to loss of lives and property. Suppose investigations by the insurance company conclude that the fire was perpetrated using the IoT enablement in the HVAC system, through which an attacker hacked into the system and overrode critical security controls. Depending on the nature of the insurance agreement, this could jeopardize a successful insurance payout due to issues of liability.
Who is responsible in this scenario? The insurance company? The vendor? The homeowner? Can it be written off as an unexpected disaster? These are some of the issues that homeowners must carefully consider in conjunction with insurance companies so as not to compromise vital disaster recovery arrangements.
Given the concerns discussed above, consumers will have to weigh considerations with IoT. However, given the trend of technology adoption in the digital age and the significant productivity gains it offers, consumers are more likely to adopt than reject IoT. The onus therefore lies in developing secure procedures and practices for the adoption of smart technologies. These include:
- Adopting IoT technologies based on a risk-based approach: Current IoT devices are relatively insecure, including those from recognized brands like Amazon (Echo) and Google (Nest). The consumer needs to identify and assess the risks associated with various home devices based on their functions and the data collected. Smart home devices should only be used for applications where the risk of compromise is tolerable.
- Using IoT devices responsibly: By following general safety practices like using secure passwords and storage, regularly patching devices, and keeping physical protection updated, consumers can greatly improve the security postures of their IoT systems. These seemingly insignificant steps go a long way in ensuring security: attackers go for the method of easiest penetration, and instituting these safe practices can help protect against such attacks.
- Pushing for industry regulation and standardization: Consumer groups need to put pressure on government and relevant authorities to institute common secure standards for IoT devices to ensure safer use. The openness and common understanding that result from such a standard will go a long way toward supporting successful IoT security research. Public regulation can ensure that manufacturers have greater economic incentives to adopt more transparent standards and produce more secure devices.
The importance of IoT to the home and other sectors like health care, agriculture, and finance cannot be overemphasized. However, caution must be applied in its adoption to secure IoT gains from adverse cyberattacks. A secure approach to the development and implementation of IoT will encourage more global adoption, thus designating it as a tool for effecting far-reaching positive change.
Udochi Nwobodo is a graduate student at Carnegie Mellon University. She is particularly interested in researching ways through which systems can be improved to provide better security. Follow @SecureDoe on Twitter.
© 2017 Udochi Nwobodo. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.