SUBSCRIBE NOW
IN THIS ISSUE
PIPELINE RESOURCES

Smart Home Devices Open New Vulnerabilities


The task of securing the connected home is challenged by a customer base largely uninformed about how home networking functions.
These challenges are compounded by increasing interactions with other devices and third-party services. The Babel of protocols and procedures without any generally accepted standards leaves product developers with no clear definition of what a secure product actually is. At worst, this confusion reduces security to a marketing challenge preoccupied simply with, “How much security does a product need to satisfy the consumer?”

Parks Associates data indicate that almost half of U.S. broadband households are “very concerned” (rating 6-7 on a 7-point scale) about hackers gaining control of connected devices. Consumers are equally concerned about hackers getting access to historical data from those devices.

Product Management Challenges

Beyond product development, product management for connected products faces security challenges that require a level of product support that pre-connected products have not. Product managers must take a long-term view of supporting connected devices that may have replacement cycles as long as 10-15 years. Over the lifecycle of a product, product managers need to continually evaluate the need for firmware and software updates to incorporate issues like Wi-Fi standards, data ownership and usage policies, response to new regulatory compliance requirements, and more. 

Development of updates requires continual monitoring of the device, expanding knowledge in all security-related fields, solutions development, quality assurance testing of all firmware and software updates before rolling out, and feedback monitoring and analysis after each update. For some products, this process needs to be conducted every 3–6 months.

In mid-September, Fitbit sent out security updates after learning about vulnerabilities in two popular models where hackers could access data from consumers’ devices.  These updates are prime examples of responsible product management.

Given the complexity and costs related to supporting connected products throughout the product lifecycle, one major challenge to securing the connected home results from manufacturers’ inability or unwillingness to provide the support needed to secure the product. Instances have already occurred, for example with routers, where security patches for well-documented threats have been available for years without being adequately installed in firmware updates on products in the field. Whether this happens as a result of consumer inattention or a manufacturer’s dereliction of duty to ensure updates are created and installed, the continuing vulnerability is evidence of poor product management. 

Consumer Education Challenges

Consumers trust vendors to provide a secure experience. Where service providers control product selection, installation, and take responsibility for the platform delivering their services, consumer education is less of a challenge. However, a growing share of connected products are self-installed and self-monitored, including almost half of all networked cameras installed by owners, family, or friends. 

The task of securing the connected home is challenged by a customer base largely uninformed about how home networking functions. In the absence of security standards, some consumers are easily attracted to lower-cost, minimally viable products from vendors with cheap, often open source solutions designed merely for a quick one-off sale. Consumers often choose the path of least resistance, preferring ease of setup with default passwords over changing login credentials regularly or mastering security settings offered for device configuration. They may assume that vendors are providing a secure experience with no practical means of evaluating whether that is true or not.

Consumers continue using routers or other devices past their recommended life cycle or after product support stops, security patches are needed, or encryption standards change. Generally, if a router is four to five years old it needs replacement. Part of the consumer challenge also derives from the lack of visibility into what is actually happening in the home network. Traditional router applications have been relatively simple, leading to the primary consumer interaction with a router being restarting it when a problem is observed.

While the best remedy for a lack of education is education, some vendors express reluctance to bring up security concerns with consumers. They believe addressing the issue undermines overall consumer confidence in connected products. A more positive approach takes a proactive position to add value by providing security education, emphasizing all the steps the vendor is taking to secure the connected home. In the end, relieving consumers of as much responsibility for security as possible is the most productive path.

New security gateway products like Bitdefender Box, Dojo by Bullguard, and Cujo are on the market for less than $200 and focused on providing additional security at the router level as well as educating consumers about additional security options to secure the home network and all devices on them.



FEATURED SPONSOR:

Latest Updates





Subscribe to our YouTube Channel