Security is set to become the hot-button issue in the smart home this year, as more connected devices come online and more hackers attempt to infiltrate corporate and consumer networks through connected gadgets. The FBI even issued a warning about connected home products.
The concerns about security and the smart home are well-founded. Several devices, from connected cameras to smart home hubs, have been hacked. Even light bulbs aren't immune.
A survey issued by Intel on Thursday found that 77 percent of those asked believe smart homes will be as common in 2025 as smartphones are today, but 66 percent are also very concerned about smart home data being hacked by cybercriminals.
The looming threat of the hacked home is why the Atlantic Council worked with three security researchers to issue nine recommendations to make the smart home more secure. The report is a collaboration between the Atlantic Council think tank and I Am The Cavalry, an independent security research group. I Am The Cavalry has issued a framework for securing connected cars and connected medical devices.
Beau Woods, an author of the report and the deputy director of the Cyber Statecraft Initiative at the Atlantic Council, explained that fear of hacking has hindered consumer acceptance of the smart home. The smaller market has its own effects on the industry's security practices, making it harder for start-ups to invest in security, and leading them to business models that may drive even more consumers away.
The goal of the Atlantic Council's report is to lay the groundwork for the creation of a new smart home security framework in a few months. Most of the recommendations are uncontroversial, but I can't think of a single product that follows all of them today. They are:
For the last one I'd like the industry to also understand what third parties plan to do with their user data, and communicate that to consumers. I might trust Amazon with my Echo utterances, but if Amazon wants to share that with a third party, it's not enough to say it is doing so. I'd want to know that Amazon has limited what that third party can do with my data.
In general, these recommendations codify the current best practices for device security without directly mandating how the devices should be secured. You won't find dictates about how databases of user passwords should be secured or what level of encryption the devices should use.
Already, companies are stepping up in those areas, but the Atlantic Council report brings up bigger challenges, such as the lack of incentives for companies to build in better security. From the report:
In the United States, there is no software liability, so the costs of security failure fall to the buyer. Though many device makers are conscious of security concerns and want to do the right thing, investing in better security may not make sense from a monetary, cost-benefit standpoint. For device makers, the cost of reducing security risks may not outweigh the benefits from securing their products—especially if they are delayed to market. Furthermore, any incentive to invest in better security may be even smaller, considering that many of the potential security risks might never affect consumers. How much should a device maker spend when the costs of failure do not directly affect them?
Steve Grobman, chief technology officer for Intel Security, points out another problem with incentives: because many of these devices have a long life cycle but are relatively low-margin, manufacturers may not want to support them over the entire life of the product.
"How do we change the incentive model when device life cycles and security maintenance on devices are not aligned?" he asks.
Instead of a regulatory solution, such as the FTC stepping in to assess fines, Grobman thinks that educating consumers about what they are buying will help. Help is more likely to come from new business models in which device makers can generate long-term revenue from a connected device. At that point they will have an incentive to keep the product patched and working.
Until then, manufacturers have the Atlantic Council and I Am The Cavalry recommendations.