There are few of us left who have yet to embrace the transformation of our houses into “smart homes” to improve our comfort and safety, and to lower costs. Devices in our homes now regulate the temperature more efficiently, monitor food to prevent spoilage, track water flow and detect leaks — just to name a few use cases. Given their profound impact, smart devices are here to stay, and not just because consumers love them.
Manufacturers of home appliances will increasingly require them to be networked as a condition of warranty, much as they already do for industrial appliances. Insurers may begin offering policy discounts for homes featuring certain smart technologies, if they do not already.
However, as we continue our rapid adoption of smart devices, we must also consider the significant cybersecurity risks posed by them. In its “2021 IoT Security Landscape Report,” Internet of Things (IoT) security company SAM Seamless Networks tracked more than 1 billion IoT attacks globally on clients’ networks. Both the number and the nature of these attacks are quite alarming. In one example of a smart home device attack, a hacked Ring Camera was used to taunt little children in their bedroom. In a very different type of attack, attackers aggregate compromised IoT devices into groups, or “botnets,” and use their combined compute power to conduct attacks against governments and corporations that can cost into the hundreds of millions or billions of dollars, especially when they are used to perpetrate widespread fraud.
Why are smart devices so vulnerable to attack? IoT devices aren’t built like normal computers and, until recently, there have existed few methods to secure them. Computers can run programs such as antivirus that are designed to detect and block malware. IoT devices typically do not have enough processing power to support such applications. Programming and updating them works differently and requires a level of technical knowledge that the average user of home IoT does not possess. In addition, smart devices are often low cost and low margin. They are often produced with cheap hardware in countries that are not trusted from a cybersecurity standpoint. They may also feature open-source software that may not be vetted or maintained by responsible parties. For some of the reasons listed above, it can be difficult to “build security into” these devices (something in the industry we call “secure by design”).
The risk of insecure IoT is a well-known problem within most medium- and large-sized companies. Their network monitoring tools show how prevalent IoT devices are in business environments and how a single hacked device can result in costly data loss and fines, not to mention business disruption. Their IT security teams leverage highly effective enterprise-grade IoT security products and implement best practices like those recommended by the National Institute of Standards and Technology (NIST), for example, in its “Considerations for Managing IoT Cybersecurity and Privacy Risks.” But IT security teams and enterprise IoT security tools are totally out of reach for almost all home IoT users. As a result, in most cases, smart devices sit on our home networks completely unprotected.
If left unaddressed, the problem of insecure IoT in homes will only get worse. We can easily anticipate a future in which compromised IoT devices could result in physical, destructive impacts. What if hackers could hold your home hostage by locking up your smart devices in exchange for ransom payment? Or, worse, what if they could threaten destruction of your home by compromising your networked fire sprinklers? Would you pay these criminals to avoid this catastrophe? Would your insurance company cover your payment?
As consumers become more aware of stories and scenarios like these, they are beginning to look for ways to address the risk. It makes sense that consumers are turning to their Internet Service Providers (ISPs) for assistance. And the ISPs are responding by making new IoT security offerings available to their customers. These capabilities need to be implemented at the network level (router-based) and allow ISPs, leveraging artificial intelligence and machine learning (AI/ML) capabilities, to accurately identify home IoT devices and monitor their activity for anomalous behavior.
Having this type of “deep network visibility” allows the ISP and their customers to take action to address the problem or, in some cases, automatically remediate the problem. This enhanced security helps consumers, who will be better protected from personal data leaks and privacy violations originating from compromised IoT devices, and it benefits the ISP as well, who will enjoy greater service continuity, healthier networks overall and an enhanced “brand reputation,” which can be marketed as a differentiator from competitor ISPs.
We will never go backwards to “dumb homes,” in which we can’t program our thermostats or receive an alert when someone accesses the garage. For their part, consumers must be aware of the risk smart home devices present and inform themselves — minimally — about steps they can take to reduce risk. But ISPs should make it easier for them to take these steps. ISPs have the requisite expertise and visibility across home networks. Several are demonstrating that this can be done in an affordable and user-friendly way. By combining the expertise and reach of ISPs with better-informed and -enabled consumers, we can ensure we are realizing the full potential of IoT devices, while also limiting their risk.