Have you ever opened your fridge and wondered what is lurking behind the pots of out-of-date yoghurt? Given the pace at which the Internet of Things is evolving, this could be the least of your worries. As our homes become more connected, mostly without our consent, what does a connected home mean to you, and what sort of images does it conjure up? Does it mean that you can access and control devices remotely, via an app, or perhaps a scenario where all your home devices can talk with each other and interoperate? This could mean that your thermostat tells the house alarm system that you have left the house, or perhaps your microwave asks your freezer if there is any pizza left, and if not, orders it.
Whatever the case may be, we should all be concerned about how cybercriminals will exploit this next level of massive invisible processing power and Internet connectivity in our most personal space. Who will be the first person to find not expired yoghurt at the back of their fridge but rather the latest flavour of ransomware?
What's at the back of your fridge?
Manufacturers are now routinely adding WiFi connectivity to their home appliances, mostly because the cost of doing so is low and having a WiFi chip embedded in a fridge can open all sorts of commercial opportunities. Samsung in particular have created a concept called SmartThings, which includes a well-thought-through ecosystem for users, third-party developers and device makers. There is even a catchy set of short videos painting a humorous picture of a connected world, including a fraught parent turning off the iron remotely whilst driving away for a long weekend.
Would you put such trust in this system? I am not so sure, and I certainly wouldn’t know how my insurance company would respond to a claim for a burnt down house as a result of an iron or cooker being turned on remotely by a hacker. There are already reports of the Nest smart thermostat turning the heating on at odd times of the day and night, but at least the worst this could lead to is an impromptu home sauna and outrageous energy bill.
Or imagine the following scenario, where a series of actions is triggered as a result of a potential intrusion. What happens if the intruder is actually your son arriving home late after a party?
Home automation is now mainstream
Whichever way you think about home automation, one thing that is certain is that it is rapidly becoming mainstream. A Google search for ‘Connected Home’ reveals the top of the list of participants to be well-known retailers such as Best Buy and John Lewis, who are now advertising and selling a wide range of home automation devices. In fact, they have a fast-growing set of connected products, which I imagine are confusing to many people.
Less than a year ago the market was a very different place, when home automation was more for early adopters and only available in hobbyist and electronic stores. Now it is targeting all types of users, especially those who might struggle to change a plug, never mind configure and manage a collection of automated home devices.
This raises some serious concerns about the security of connected homes, and whether or not the manufacturers are considering cybersecurity with the same degree of concern that they would with physical security. For example, we all trust that our clothes dryer will not burst into flames, despite the high temperature that the clothes are subjected to. This allows us to leave the dryer on whilst we are away from home, and even program it to come on late at night when electricity is cheaper.
Are our smart products cybersecurity tested?
One of the reasons why our everyday appliances can be trusted is because they are subjected to rigorous testing, both by the manufacturer as well as independent testing labs. We trust that the labs follow well established standards such as those developed and implemented by the International Organisation for Standardisation (ISO), European Committee for Standardisation (CEN), ASTM International and Underwriters Laboratories (UL), and their logos are a welcome sight on the products we buy. But is there a similar approach being taken with respect to cybersecurity and are products destined for the connected home being subjected to thorough cybersecurity testing?
Samsung has recently organised a developers’ conference to discuss all things related to a connected world, and more. This is a big event with hundreds of interesting talks and well-known sponsors. However, it is noticeable that none of them are from the cybersecurity industry and there do not appear to be any workshops or talks about cybersecurity. We have to assume that this is a reflection of the general perception in the industry of how important cybersecurity is, and it’s clear that something will need to change, since otherwise we will see a classic example of an industry trying to play catch-up on security threats.
We have already experienced many examples of IT systems not being designed with security in mind, and the costs and consequences that follow. Connected devices and homes in particular need to have cybersecurity at the heart of their designs; otherwise users, who on the whole are not IT experts, will eventually experience the consequences of hackers looking to exploit weaknesses within connected homes. This could be something as simple as home appliances being turned on and off at apparently random times, or much worse, widespread ransomware attacks threatening to take over control of an entire connected home. Although this may sound implausible, as we have discovered to our cost with other aspects of connected life, hackers these days are most of all interested in financial gain, and where there is a will, there is a way.
As with most Internet-related technologies, openness is paramount and it will not take long for inherent weaknesses within the interconnected home to be discovered. This will be exacerbated by the widespread proliferation of connected devices within homes, which is beginning to happen. If you visit your local department store and are looking for the latest, high-tech washing machine, there will soon not be an option for a non-WiFi model.
Taking cybersecurity in the connected world seriously
There are many advantages to the connected world that we are rapidly moving towards, and this is to be welcomed. However, the industry needs to take cybersecurity seriously and ensure that not only do the products themselves follow well established cybersecurity principles, but importantly that the connected ecosystems, which will enable the more efficient life that we all crave, do not become some form of Pandora’s box. The level of complexity is likely to increase by several orders of magnitude over what we currently experience with our mobile devices. Today there are about 6.8 billion phones and Cisco is predicting that by 2020 there will be more than 50 billion connected devices, which equates to about 7 connected devices for every person in the world. The vast majority of the growth will be consumer devices, many of which will be in our most private space - the home.
Many of us already have partially connected homes, for example with the sales of smart thermostats predicted to reach almost 40 million by 2019, and more domestic connected technology following closely behind. On the whole we rely on the good judgement of the designers and manufacturers of our technology, and short of government intervention, which might yet be required, we have to hope that such companies have at least hired a chief security officer with the power to review and influence product development. Otherwise hackers will once again have access to easy targets, and this would be a very unfortunate state of affairs.
Richard Kirk, Senior VP at AlienVault