Reports find security still plagues IoT, smart homes still not taking off

Two reports concerning connected homes were released this week; a forward looking report from Ovum detailing it’s predictions on the growth of smart technologies over the next ten years, and an overview report by Veracode looking at potential security risks with smart devices currently in the market.

We’ll dive into both below, and we’ve covered similar security concerns many times before. The IoT still struggles to collectively follow simple security guidelines and best practices, at both the device layer and in the cloud processes. As adoption of IoT products and services increases, the industry needs to ensure that it provides adequate (if not excellent) protection for the increasingly connected customers and consumers – as today, many are failing at the task.

Ovum’s report was sponsored by network communications specialist WindStream, and estimates “close to 100 million” households with a foundation for connected home devices and services, basing this estimate off of penetration figures for broadband homes and smartphone users. Doing the calculation ourselves, based on the penetration rate and the total number of US homes, we think it’s just shy of 90 million, so we think there is some wiggle-room in the numbers.

Potential rounding errors aside, this estimate also ignores the technological requirements of the broadband lines and smartphones themselves for smart functionality. Home security systems require significant upload speeds if multiple security cameras are installed, and entry level broadband services usually don’t provide enough to cut it – just in terms of raw upload speed to support off-site recordings of all the home’s cameras in case of a security alarm, for instance.

Another consideration when estimating the potential market is what fraction of households from that estimate have an income that would support luxury purchases such as connected home products and systems. There’s no escaping the fact that the smart home is still a luxury.

With a starter sets of connected lighting systems running upwards of $200 for a hub and three bulbs it’s pretty obvious that the low income, or even the majority of the average income, households won’t be making the upgrade any time soon – with that said, we can’t deny the inevitability of the connected home market growing towards this number.

As soon as the price difference between a dumb and a smart product is small enough that a consumer doesn’t have to budget for it (i.e. a $2 bulb instead of a $1 bulb, or a $120 garage door opener instead of a $100 dollar version), the smart home in the consumer space will explode. Unfortunately, we are still some years from this, but the momentum is definitely shifting.

The Ovum report moves on to present an interesting case study; home security systems, which are predecessors for connected home technologies, are still not seeing large scale adoption despite being available for decades – Ovum cites an 18% penetration rate calculated by extrapolating data from figures quoted by ADT – a market leader for home security in the US.

ADT is itself expanding into the connected home sector with its Pulse service, which allows control of its home security system from smartphones and tablets. Although only 12% of ADT customers were reported to use Pulse at the end of 2014, Pulse is reportedly seeing a 64% adoption rate with new ADT customers.

This ties in with our aforementioned thoughts regarding connected home adoption; that it will only happen on large scales when it’s bundled as an optional extra and not a standalone product itself. Evidence supporting this can be found in the automotive industry; customers are more likely to spend more for luxury extras, such as heated seats and leather trim, when they already committed to making a large purchase.

This approach should be the one taken by companies looking to shift their connected home products – while you’re writing that $10,000 check for a fitted kitchen, wouldn’t it be nice to control the lights from your phone for an extra $200, and while we’re at it wouldn’t you like a notification when your dishwasher cycle is complete? Those additional functions are currently available as DIY additions, or as part of a premium installation service, but the tipping point will be when businesses begin offering them as incremental upgrades instead of a nascent product lines.

We agree with Ovum when it says that a main driver of the connected home market is supplier innovation and supply-side market push. Companies realizing the potential market are proactively creating supply before demand in an effort to secure future dominance.

Unfortunately these efforts aren’t entirely productive, and are emphasizing two of the key inhibitors in the market; fragmentation and inoperability, with the other major inhibitors being security and cost – a smart home isn’t so smart if your toaster is incompatible with your television, and equally the attraction to smart products is still, for the majority of consumers, negated by large price-tags.

The fragmentation issue is complicated by the separate communication protocol requirements of different smart home devices. If your device is wired into the mains and requires a large data throughput, then WiFi makes the most sense. If instead your device is battery operated, for instance a security sensor, then you will want to use a low power protocol like ZigBee or Z-Wave. Additionally, wearable devices are usually required to be tethered to a smartphone, which practically insists that they speak over Bluetooth protocols.

With all of these separate signals, the central hub of a truly connected home will currently require multiple radios and be able to speak the range of languages used by the leading smart technology manufacturers – that or have all products made under one roof, a route which Apple seems to be pursuing with its Bluetooth and WiFi only HomeKit strategy.

The Ovum report goes on to discuss the consumer drives for connected home adoption. The report ties connected home products into Maslow’s Hierarchy of Needs, with Ovum’s opinion on the matter being that “wants and needs will drive connected home adoption.” Although we appreciate the presentation of the separate categories of connected devices being aligned with the needs hierarchy, we have to disagree with Ovum’s assertion. As we’ve seen above, smart home products are still luxuries, and purchases of them will not be driven by needs in the short term.

Veracode’s thoughts on IoT security in the smart home:

The last (but potentially most concerning) issue deterring consumers from adopting connected home technologies is security and trust, the topic of the report by Veracode. As a cloud security specialist, it is certainly in Veracode’s interest to promote the importance of security in the connected home, but not without good reason – as more and more radios begin broadcasting home owner habits the potential for exploitation is growing.

Information that at first glance might be considered as innocent, for instance the chronology of the last six months of light and garage door usage, could tip potential thieves off to periods when the house is likely to be empty. Even information which the consumer knows to be sensitive, such as a query and response list between themselves and their intelligent personal assistant, is often not encrypted – and even if it is do you trust the company who sold it to you in the first place to store that data safely?

Veracode set out in its report to detail the current state of affairs concerning security with a selection of always-on connected devices. Veracode break down the type of internet communications into categories; user-facing cloud services where the user sends information to the cloud via a UI (web-app or mobile), back-end cloud services (where IoT devices communicate with the cloud directly), and device debugging interfaces where diagnostic information about the connected system is being exchanged with the cloud.

The devices Veracode chose are; the Chamberlain MyQ Grarage and MyQ internet gateway, SmartThings Hub, voice-controlled home hub and AI Ubi, and Wink’s Relay and Hub. In a series of tests, Veracode monitored the communications back and forth between these devices and cloud and looked for any potential security risks – of which they found many.

According to Veracode, the most secure device was the SmartThings Hub, which encrypts its communications as a standard, requires strong passwords and TLS certificate validation. This protects the SmartThings Hub from Man-In-The-Middle and Replay attacks. The only weakness with the SmartThings Hub that Veracode found was that its debugging interfaces communicated via a password protected, but still vulnerable, telenet server.

The least secure device, by some margin, was Ubi – a voice controlled device which offers intelligent personal assistant services along with controlling home automation devices. It’s actually shorter to list the ways Veracode found Ubi to be secure than insecure. Ubi can encrypt its communications but it’s not a requirement, and it protects itself from device impersonation by requiring strong authentication between itself and other services. In every other test Veracode threw at Ubi, it failed.

The other devices passed Veracode’s scrutiny on most tests. However, in the world of security it’s not good enough to protect against most attacks – installing a 40ft razor-wire fence around your home won’t matter if you leave the gate unlocked.

A notable offence found present in the Wink Hub, Ubi, and MyQ Garage was that during the initial setup, WiFi network passwords were exchanged with the device over unencrypted WiFi or short-range Bluetooth, probably in an effort to make device setup less painful – it’s never a good sign when the first thing your new connected device does is shout your WiFi password out loud.

Most, if not all, of the security flaws found could be patched in a firmware update, but of course it begs the question why should that be necessary in the first place? If companies expect customers to trust them with the sensitive data being created in their connected homes then they should at least be giving the impression that security is top of the priority-list, and not some afterthought when devices are returned following bad press.