We Need to Talk about Cybersecurity for Older, Unsupported IoT Devices
How do we continue to secure a smart home after manufacturers discontinue support for older home-automation hubs, smart TVs, connected lights and other IoT devices? Krika’s Bruno Napoli weighs in.
With such swift changes in smart-home technology these days, vendors area cranking out new-and-improved IoT devices faster than ever. How are we to secure our connected homes when manufacturers move to the next big thing and discontinue support – including firmware updates for the latest security threats – for existing products and services?
Many providers keep security provisions in the cloud, along with apps, connectivity services and other things that make a smart product tick. When they decide to end support for certain products, sometimes they do the painfully right thing by killing the cloud service, effectively bricking (making as useless as a brick) those products.
Clients kick and scream (and so do indignant tech bloggers), as when Google bricked Revolv.
It’s painful because customers have spent money on the now-obsolete product, but also time and money on integrating with other connected devices. Why can’t the manufacturer just let the products continue to work, without adding new features or even providing tech support?
Unfortunately, when a vendor ends support, they don’t just stop adding bells and whistles to a product or platform. They also stop pushing updates for the latest cybersecurity threats. The last thing they want – or the customer wants – is to have a bunch of vulnerable Web-enabled products out there potentially threatening the entire household, including connected products and people.
But customers only understand that they paid for a product and now it doesn’t work.
Consider the alternative: The vendor quietly goes away, leaving users to enjoy their products for many years to come, with no complaints until their homes get hacked.
This is a far worse scenario, and probably far more common than the “painfully right” alternative, especially given the rash of IoT start-ups, of which 99% will fail.
Selling Networking Security without Scaring Consumers
“We live in a fairy tale where manufacturers sell products with a minimum of information about upgrades in order to not scare consumers away,” says Bruno Napoli, principal of Krika, developer of network monitoring solutions for connected devices. “People don’t care about upgrades as long as everything is working.”
What does that mean for home-technology resellers and installers?
“The new challenge for professionals now is to find a way to talk about this,” Napoli suggests. “If we frighten our clients, there is a chance they won’t buy anything.”
Most people accept that buying a car entails regular maintenance – little things along the way, as well as major investments as the vehicle ages and new technologies and regulations arrive.
It seems consumers don't have such expections for consumer electronics, despite those products' rapid obsolescence in both performance and security.
“Let’s be crystal clear,” Napoli warns. “Any time a professional installs a connected device like a Wi-Fi access point, a home automation controller or a Blu-ray player on a local network, even if it is via Ethernet, it creates a security breach. It’s a little time bomb, and one day or another, a virus or a worm might attack it.”
Clients should be encouraged to invest in a remote network monitoring service to continuously check for breaches or threats. If they don't, clients should sign off on risks pertaining to future data breaches.
“But that is in a perfect world,” Napoli says, “and in reality, doing this could be an awkward moment for a professional.”
Cybersecurity, Tech Obsolescence and Difficult Conversations
Napoli recommends the home-technology industry discuss this important predicament (and opportunity), defining best practices for addressing technology obsolescence.
Here are a few topics he suggests:
- As no system is 100% secure, can professionals only indicate they will “try to keep the system as safe as possible?” How could we write such a fuzzy concept in a maintenance or service plan? How would a judge interpret this?
- How quickly should a professional with a maintenance contract be expected to upgrade clients’ systems after new firmware is released? One hour? 24 hours? 1 week?
- What do we do for “durable” goods like TVs, when clients typically keep them until the last pixel goes dark? Manufacturers won’t support them after two years (if we’re lucky) and a TV can last eight or 10 years. Do we have to force manufacturers to support devices for that long? To keep pushing through security updates at the very least?
- Can we somehow develop a standard method of monitoring new patches and firmware … and pushing them out to affected households? Or must we check vendor Websites daily for any urgent fixes?
- How can we encourage the masses to adopt remote-supervision services that enable pros to alert clients of major updates, or implement those (vetted) updates automatically? There would be an ongoing cost for such a service, but so far consumers don’t seem to be too excited about it … or the industry just hasn’t been effective at selling it.
- Even if Wi-Fi seems to be the obvious channel for hacking a house, some 90% of potential attacks will come from the Internet itself – via an email attachment, a rotten application, or direct modem attack. A real firewall updated regularly could be a good solution, but here again such a service carries ongoing fees, and home-technology providers don’t seem willing or able to sell it.
- What’s the alternative? Throwaway technology that can be discarded every two years because it’s cheaper to buy new gear than to maintain the old? Our landfills probably aren’t ready for that.
Napoli hopes to get a serious dialog going within our industry to prepare for these inevitabilities, and believes the important narrative should be defined by the home-technology channel.
“If the story does not come from you, the professional,” he says, “you will lose your clients’ trust.”
Julie Jacobson, recipient of the 2014 CEA TechHome Leadership Award, is co-founder of EH Publishing, producer of CE Pro, Electronic House, Commercial Integrator, Security Sales and other leading technology publications. She currently spends most of her time writing for CE Pro in the areas of home automation, security, networked A/V and the business of home systems integration. Julie majored in Economics at the University of Michigan, spent a year abroad at Cambridge University, earned an MBA from the University of Texas at Austin, and has never taken a journalism class in her life. She's a washed-up Ultimate Frisbee player currently residing in Carlsbad, Calif. Email Julie at [email protected]
Control & AutomationAmazon’s Decision on ZigBee vs. Z-Wave Makes No Sense
Google, Nest Share Vision for Home-Technology Pros
Mental Health Benefits of Owning a Smart Home
Amazon’s New Custom Smart-Home Service: Who Cares if They’re ‘Sincere’?
CEDIA Dealers Shouldn’t Trust Amazon as Smart-Home Partner, Says Industry Veteran
View more on Control & Automation