Welcome to our Predictions Series 2022. Today, we are discussing the top IoT Security Trends that could revolutionize the global economy around the Internet of Things and other emerging technologies in the upcoming year.
Today, we are hosting insights from Rebecca Herold, IEEE Member, and Founder/CEO, The Privacy Professor.
Hi Rebecca, could you please tell us how do smart home devices work?
Yes, of course!
We could write a book to answer this question sufficiently. However, put simply, a “smart home device” is an internet-of-things (IoT) device. In other words, it is an internet-connected device manufactured to be used within a consumer’s home to connect multiple smart devices together, often through a hub or gateway of some sort, and to allow them to be accessible through a mobile app and/or cloud system. Just a few examples of smart home devices include connected doorbells, smart vacuums, smart refrigerators, smart TVs, and digital, smart personal assistants.
Smart home devices need to communicate with each other to ensure coordinated use of home resources. Something that all smart device users generally want is to use smart home devices to efficiently manage resources, such as electricity, gas, water, etc.
What kinds of technologies enable their functions and how do these influence the adoption of other related technologies in an enterprise setup?
General technologies found within smart homes include sensors, gateways, hubs, cloud servers, mobile apps, control devices/panels, and the IoT devices themselves. Typically, the smart home IoT devices are supported by a platform (e.g., cloud-based) that provides connectivity, processing and data storage for the smart devices, and which make the devices typically accessible throughout the world. So, if you travel to Melbourne and then realize you forgot to turn down the thermostat in your home in Des Moines, Iowa, you could utilize your mobile app to access the smart thermostat platform, to change the temperature settings for your thermostat.
The seemingly limitless possibilities for interconnectivity capabilities allow smart home devices to obtain real-time data from different sources, often through sensors and connections to other types of smart devices, and even cloud sources like meteorology forecasting labs (as just one of unlimited possible examples), to support the improvement of customer safety, security and comfort.
Smart homes can utilize Zigbee (IEEE’s 802.15.4 PAN standard), wi-fi connections, Bluetooth and/or hardwired connections to the systems within the home. All of these types of connections provide, or support, a way to allow remote access to the full smart home network, and usually to the specific smart devices themselves. Sometimes through specialized devices, such as remote controls, but it has become much more common to use mobile apps to communicate with and access smart home networks.
Please tell us about the data management in IoT companies. Is the data they create typically stored on the smart home device or somewhere else?
It depends upon the smart device and the full composite of the IoT product that is used. In this nascent stage of IoT devices and the industry generally, there is no “typically.” That said, to date, data from smart home devices have been typically stored in a cloud server. Sometimes the data, often recent data collected, is stored in the phone of the app that is used to interact with the smart home components.
For other types of more complex smart home devices like smart TVs and smart refrigerators and other types of devices, there is often data stored and processed within the device. It then also gets transmitted elsewhere:
within the home area network
to the servers running the associated app
to the associated cloud services
to various third-parties, fourth-parties and beyond
Smart home device data is very valuable for the wide range of uses that result in the collected and derived data. However, as time goes on, more complex types of smart home devices store data within the device itself (while also transmitting copies of it elsewhere).
How does the transmission and storage of data create opportunities for bad actors?
There are multiple vulnerable points within the full ecosystems of smart homes that provide for access to data. If any device, location, or transmission throughout the smart home ecosystem has a security vulnerability, then it can create a wide variety of opportunities for bad actors. Some examples of components within a smart home ecosystem that could have such vulnerabilities include, but are not limited to:
The smart home sensors themselves
The home wi-fi network to which the device is attached
The smart home hub, controller, and gateway
The individual apps for connecting to specific IoT devices within the smart home
The mobile phones, tablets, laptops and other devices connecting to the smart home
The associated cloud server(s)
Third parties with whom the data is shared, who provide support for specific components of the IoT product, etc
Supply chain entities, many of which have been found to still have access to the devices to which they’ve contributed hardware, software and firmware
At each of these points, if security is not thoughtfully applied with consideration for the associated risks within the context of use, it is possible for a bad actor to gain entry into the smart home ecosystem, plant malware, store other types of files surreptitiously use as pathways to other systems (e.g., to get in the business networks that the home residents connect to through the wi-fi-network), support plans for crimes (e.g., robberies, assaults), and more.
Are there other openings for bad actors to take advantage of these smart home devices?
Old-fashioned vulnerabilities still exist and still are exploited. Social engineering is still very effective for gaining access into smart home networks, devices, and other components (cloud servers, mobile app servers, etc.). Social engineering, and human vulnerabilities, will always need to be addressed and mitigated with any type of technology, no matter how advanced the technology may be.
What is the most important thing a consumer should do to secure their smart home devices?
Make sure they have full control over the security basics:
Authentication: Users should be able to implement multi-factor authentication, etc.
Access controls: Users should be able to limit who has access to their data and IoT product components that could reveal insights into their lives and activities, etc.
Patched Systems: Users should make sure the latest updates are installed to plug security holes
Secured Networks: Users should ensure their home wi-fi router is strongly secured and their network encrypted
Identity Verification: Users should confirm device verification through the smart home devices’ call centers
What are some other ways that users can do to secure their devices?
In addition to what I described in the above question, users should:
Read the security notice/policy. There should be high-level information about the company’s internal security and privacy policies and procedures that are followed by all their workers and third parties, they should indicate the high-level categories of security technologies used, and they should indicate who to contact—and how—with any security questions.
Never use the same login credentials for their smart home devices as they use for their work/employer, banking/financial sites, social media, retail sites, etc. Smart home login credentials should be unique from all other login credentials.
Completely unplug smart devices in the home that are listening and/or watching devices. Including those with “wake words.”