After a slow start, Internet of Things (IoT) solutions for the home are experiencing a surge in popularity. Recent research by Telsyte found that more than 40% of Australian households currently have at least one IoT device, with more than 150 million devices expected to be in operation by 2021. As smart home devices become more widespread, however, security becomes an increasing concern; 2016 research by Deloitte found that 80% of consumers did not feel well-informed about security risks and 13% cited it as the main reason for not adopting IoT solutions at home.
Data and device security is vitally important in any IoT solution, and the responsibility for this must lie with the companies developing these solutions. Facing an ever-increasing range of threats, what can a company do to ensure its users’ data and devices are secure? While cybersecurity is a complex topic, the most important aspects are quite straightforward:
1. Design for security in every layer
In a typical smart home solution, data is constantly flowing between connected devices, smart hubs, cloud platforms, mobile devices and web apps. Finding the best way to move data around is one of the core challenges of IoT; while cost, interoperability and energy efficiency constraints often dictate which technologies are used, it is critical to consider security here too.
Controlling wireless network access in the home, exclusively using encrypted communication protocols, and restricting access to cloud platforms will go a long way towards ensuring the safety and integrity of the solution. Secure data storage is also essential – don’t make the same mistakes as CloudPets, a line of internet-connected teddy bears which in 2017 was found to be storing customers’ personal information and voice recordings in publicly accessible Amazon cloud storage.
2. Plan for the future
Sooner or later, vulnerabilities will be found in any system, often in areas beyond your control. In October 2017, for example, Belgian researchers revealed the KRACK attack against WPA2, a ubiquitous security protocol used in all modern WiFi networks. This attack meant that every secure WiFi network became vulnerable due to a previously unknown flaw in WPA2. It is rarely possible to predict these incidents, but once a vulnerability is exposed a solution will generally be published very quickly. It is therefore vital that every aspect of an IoT solution can be rapidly upgraded in response to new threats.
3. And finally – get the basics right
In October 2016 the Mirai botnet launched multiple massive denial-of-service attacks, preventing users from accessing a range of major websites including Amazon, Airbnb, Twitter and Spotify. This incident was particularly significant as it was the first high-profile attack carried out by millions of infected IoT devices such as cameras, printers and thermostats. Mirai was able to infect all of these devices by simply attempting to log into them with common default usernames and passwords. In this case, the most basic level of security – setting the username and password of the devices to something other than ‘admin’ – would have been enough to keep these devices safe.
In addition to changing default credentials, every organisation working with IoT solutions should also be:
- Ensuring the entire software stack is up to date at all times
- Protecting your cloud credentials
- Implementing a strong password policy, and never storing or transmitting users’ passwords in plaintext
- Closely monitoring who has access to your data at all times. For example, is your sensor data being sent to someone else’s cloud too?
- Raising employee awareness about the importance of security
These best practices are not new or revolutionary, but without them the strongest security architecture and most advanced cryptography in the world won’t keep a system secure.
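The credential points above (no factory defaults, a password policy, nothing stored in plaintext) can be enforced at the moment a device or user account is set up. The sketch below is an added example, not code from the original article; the default-credential list, the 12-character minimum and the use of PBKDF2 with 600,000 iterations are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of factory-default pairs; "admin" is the one the article names.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_LENGTH = 12        # assumed policy value, not from the article
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def check_policy(username, password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if (username.lower(), password.lower()) in FACTORY_DEFAULTS:
        problems.append("factory default credentials")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username, password):
    """Build what gets stored: a random salt and the derived hash, never the password."""
    problems = check_policy(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return {"user": username, "salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(record, candidate):
    """Recompute the hash for a login attempt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(check_policy("admin", "admin"))
    rec = make_record("hub-01", "correct horse battery staple")
    print(verify(rec, "correct horse battery staple"), verify(rec, "admin"))
```

Calling `make_record` during first-time setup means a device cannot leave provisioning with its shipped login, and the stored record is useless to anyone who reads the database without also guessing the password.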
IoT solutions for the home inherently deal with huge amounts of personal data; protecting this data and ensuring device integrity must be a priority. As the number of connected devices increases and threats multiply, it is critical that the developers and providers of IoT solutions be both transparent and proactive in their approach to cybersecurity.