Despite recent high-profile security risk accusations against Huawei, there’s been an incongruous disconnect between the promotion of IoT in the home and the security it demands. It’s almost as if both consumers and the high-tech industry have preferred to avoid looking at the big picture. The concern about Huawei, and security implications as telecoms begin to roll out 5G service is legitimate, but fails to address current security vulnerabilities - and they’re not just coming from Huawei.
Are consumers simply not taking the problem seriously, like drivers who refuse to use a seatbelt? Is the high-tech industry avoiding the issue because it's focused on selling gadgets and data acquisition? Either way, when it comes to smart-home security, telecommunication service providers must take the lead. Why? Because they have the most to lose. And much to gain.
IoT in the Home
Connected devices in the home are expected to be the fastest growing sector of IoT in the next few years. According to a recent Statista report, more than 45 million smart home devices were installed in 2018 and that number will increase exponentially every year. The average european home already has fourteen devices. In the US the number is sixteen devices. We’re talking about devices ranging from personal assistants (Google Home, Amazon Echo) to smart locks (August, Ring).
The problem is that most of these devices are not manufactured with security in mind, as demonstrated by recent security reports. In a paper published in 2018, for example, researchers at Ben-Gurion University in Israel analysed 16 different IoT devices and found that even security-critical devices like smart cameras or doorbells were not difficult to hack.
Even devices as innocuous as a lightbulb may be a risk. For those who work from home, a laptop can also be an entry point into a work network.
While all of these devices may add convenience or provide entertainment, many are also entry points into the home network through which hackers could gain access to personal data and more. And yet consumers are doing little to protect themselves, partly out of confusion regarding where to begin and how to implement protection.
Who will take the lead?
All of these raise an important issue for the telecom industry: who is going to provide security for home-based smart devices? By security, I mean also privacy protection, confidentiality, and ensuring the availability of the services offered within the IoT ecosystem.
There is no reason to believe manufacturers will take the lead on this. For starters, many of the devices are made cheaply and without security capabilities. But even more advanced devices simply lack sufficient security capabilities.
In many cases, the problem is hardcoded credentials used within IoT devices that are easy to compromise due to the use of the same password by multiple devices.
There’s an Engineering Task Force (IETF) draft document called the Manufacturer Usage Description Specification (MUD), which hopes to heighten home security by enabling IoT devices to identify themselves to the home router to gain internet network access.But agreement by manufacturers on MUD remains elusive. Until then, there’s nothing to prevent IoT devices from providing entry to the network.
As for the companies championing IoT in the home, they are driven by a desire for data and unimpeded data transfer.
Amazon, for example, is introducing a new way to make it even easier to set up smart devices. Dubbed Wi-Fi Simple Setup, the system will use Amazon’s Wi-Fi Locker to store a customer's Wi-Fi credentials and share them with compatible smart home devices. In all likelihood, those connected devices will also be sharing data with Amazon.
Consumers may be depending on governments to regulate smart home security. The announcement last month that the US Department of Homeland Security is reviewing risks posed by 5G technology is a step in the right direction.
However, it’s worth remembering that Homeland Security’s priorities aren’t necessarily the same as those of consumers. The US government is primarily concerned with security gaps in electronics from Chinese telecommunications giant Huawei Technologies and other Chinese manufactures that could expose the US to espionage by Beijing and others.
As well, on 11 March, the US introduced The Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which allows permit government agencies to use only those devices that adhere to a minimum set of security standards. But the bill does not extend to consumer and business use.
The Japanese government is also moving to make providers more responsible for their services. It has approved a law amendment that will allow government workers to hack into people's IoT as part of a plan to compile a list of insecure devices in advance of the Tokyo 2020 Summer Olympics.
Despite some protests, the National Institute of Information and Communications Technology (NICT) under the supervision of the Japanese Ministry of Internal Affairs and Communications, will pass survey results to relevant authorities and internet service providers, which must inform consumers and secure the devices.
An opportunity and a responsibility
Telecoms must very soon resolve that they will be the gatekeepers, and there are some significant reasons why this should be. Awareness is steadily growing about the privacy and security risks of connected devices – and it’s going to affect the choices consumers make.
A Blackberry study released recently found that 80 percent of respondents don’t trust their current internet-connected devices to secure their data. This situation presents telecoms with a responsibility and an opportunity.
On one hand, despite the uncertainty about the devices, telecoms may be blamed for not providing adequate protection from hackers. The reality is that telecoms are perceived as the first line of defense for the home users as the owners of the networks.
As incidences of hacks and vandalism increase increase, it is the reputations of telecoms that will be damaged. And although it hasn’t happened yet, a DDOS attack on the network itself seems inevitable. The good news is that telecoms will be rewarded for providing the safeguards.
Comcast, for instance, recently launched xFi Advanced Security, a US$ 5.99-per-month service available to existing Comcast Wi-Fi customers that is meant to monitor all of a network’s devices for suspicious activity, block anything if necessary and alert the customer.
There will certainly be other opportunities to promote value-added security solutions. Combining forces with an IoT security solution provider is the best means of allaying customer concerns about smart home security, and safeguarding the reputation of your company in an increasingly competitive market.
Contributed by Sivan Rauscher, CEO of SAM Seamless Network
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.