Internet of Things Security

There needs to be a shift from prizing visible new features in products to valuing how secure the product is designed to be. Gradually through the years of IoT there has been a shift from the isolated news of novel hacks, such as Phillip’s Hue hack using a drone, to constant security exploits that have severe repercussions.

My advice - before purchasing and using any IoT devices take these few additional steps to help ease your mind if you are concerned about security.

Company Research

The first step would be to research the company that creates your desired product. Remember, you will be implicitly trusting them by connecting the device to your entire ecosystem. This step will require some active searching, since the information will not likely be easily discoverable. Usually, the top search results will be any security products the company sells rather than their security development practices or any news articles dealing with security breaches that occurred with one of their products.

You will want to verify that there is active communication with the public and security researchers around security features. There should be an easy way to submit issues or bugs and the company site should supply users with a status page that is updated with latest events. For example, Phillip’s has a security page that provides a link to submit bugs that are found by the security community and has links for consumers about security updates and FAQ pages that will educate and provide steps to make sure the product has the latest code updates.

Be Aware of the Product’s Update Lifetime

The next step would be to make yourself aware of when security support would end for your desired device. All connected devices have a support timeframe that is defined by the company. Unlike other devices, the lifetime of how long a connected device functions should not be the top priority, and it is not uncommon that the security support only covers a fraction of the device’s lifespan. Just like the company’s security development practices, the end of security support policy is not typically easy to uncover on the company’s website. Luckily, searching for “end of support policy” with the device’s name should lead you in the right direction.

Isolate Devices

One last simple, but vital, step is the setup of the home or corporate ecosystem. As consumers, we need to be aware that not everything should be on the same Wi-Fi. Connected devices are easily discoverable by other devices sharing the same Wi-Fi connection. While that may sound insignificant or even desirable, this is how hackers are able to exploit one device to attack another. This is known as chained exploits. Isolating devices can be as simple as having the smart devices connected to the default ‘Guest’ network on your router, to as complex as creating and configuring a new network(s) for the devices.

This is not meant to deter you from enjoying IoT devices! These devices are created to make your life easier, but it is important to realize that like your computer and mobile devices, malicious actors may still try to infiltrate them. There is also a high likelihood that there are some security flaws that were not discovered at the time that you purchased the product so remember to keep your device updated so that these flaws can be fixed when they are discovered.