Many of us love our smart home technologies, from internet-enabled doorbells to intelligent boiler controls but very few of us really think about the technology that we put in our homes. The cost of a device or platform often plays a key factor in the decision-making process, with popular shopping sites offering numerous cut-price, no-name, smart home devices with features that seemingly offer parity with known brands and market leaders. It’s heart-warming to see that smart IoT devices are now accessible to so many with the ability to transform people’s lives.
However, if every IoT device in your home is viewed as a potential attack vector or as the source of a privacy breach, the picture of your home may be bleak. Imagine if the camera you’ve bought could be accessed illegally by another person, if the boiler controls in your house could be manipulated without your consent or if all smart smoke and carbon-monoxide alarms were maliciously activated remotely.
These may seem like unlikely scenarios more suited to a Hollywood movie but the media is full of examples of companies whose devices have been compromised in such a way, including smart thermostats, wifi-enabled baby monitors, children’s toys and smart doorbells.
Security by design
However, let me also offer you some reassurance. Not all IoT devices or platforms are equal and therefore the risk of a device being compromised is also variable. Some companies design their entire platforms with security in mind to reduce the risk that any single component could be compromised and therefore prevent the device ecosystem from being abused. ‘Security by design’ from the ground up should be a proactive ethos for all technology companies rather than retrospectively adding security to your platform and devices to address security holes.
Common standards have long existed for internet-facing components such as websites and web services but IoT is a relatively new area, so the quality of standards has varied greatly. Industry peers have recognised this deficit and have worked together to define standards for the IoT industry as part of recognised bodies such as the IoT Security Foundation. This helps to ensure that there’s a known good starting point for all members, learning from collective experience in this area.
Independent verification and accreditation
The BSI Kitemark for IoT devices was introduced in 2018 and offers consumers further assurance that the security of their devices has been independently assessed by a leading, independent industry body. Very few organisations have achieved this benchmark so including this as part of your procurement specification will give you added confidence that your IoT devices are secure.
Ensuring an IoT device has a genuine CE mark may seem obvious but it establishes a clear line of responsibility for the manufacturing of devices as well as conformity to established health, safety and standards within the EEA. This standard is often abused and fraudulently represented by cheaper offerings so performing due diligence before procurement to ensure IoT devices adhere to it could be a simple but effective way to reduce risk. The inability to satisfy CE requirements should be a warning sign that other areas, such as security, are likely to have been neglected.
Another risk mitigation measure is to ensure that any IoT vendor you engage with is in full control of their data transmission and processing to prevent ‘man in the middle’ attacks and to ensure that end-to-end commercial liabilities are in place. Some long-range, low-powered IoT devices use non-commercial data processing platforms which present a long-term operational risk as well as a commercial liability risk in the event that the devices or platforms are compromised.
The future of the connected world looks bright and strong cybersecurity is the backbone needed for the IoT landscape to flourish. Simple due diligence will help to ensure that you make smart choices when it comes to device and platform selections.
Simon Flint is the chief information and digital officer at Aico.