As the IoT and smart home landscape expands to include new connected devices, so does the cybersecurity threat of hackers exploiting the weak security protocols of those devices, potentially leading to more impactful malicious activity on a network.
This year has been full of news about the security of those devices, including new government actions, support from the custom integration channel for more regulation, and lots of research into the weaknesses of IoT and smart home products.
Given these well-publicized issues, it’s past time that our channel got serious about building smart home systems on a foundation of cybersecurity and privacy. We compiled a list of stories we covered this year to help give you a sense of just how imperative these issues are.
The U.S. Cyber Trust Mark is Proposed
In a move designed to improve the cybersecurity of consumer IoT devices, the U.S. Federal Communications Commission has proposed the U.S. Cyber Trust Mark. Like the Energy Star label that certifies that a product meets certain sustainability benchmarks, the Cyber Trust Mark will certify that an IoT device meets certain baseline requirements outlined by the National Institute of Standards and Technology.
The Commission has compiled dozens of comments from industry stakeholders and is now expected to put the program in place sometime in early 2024.
Industry Support for Cyber Trust Mark
Several CI channel companies such as Crestron, Amazon, Google, LG, Logitech, Samsung, Yale and August, as well as industry groups like the Connectivity Standards Alliance and the Consumer Technology Association, have signaled their support for the proposal.
Crestron went so far as to publish a blog supporting the measure, saying that the cybersecurity program for IoT devices is a “rising tide that will lift all boats.”
“A well-planned effort to focus manufacturers on security issues will inspire greater confidence in smart home solutions as a whole and be a benefit to consumers and the entire industry,” the company says.
CEDIA: Integrators Front and Center in IoT Cybersecurity
Also weighing in on the Cyber Trust Mark was professional smart home industry association CEDIA, which highlighted integrators as the “key” to safeguarding IoT ecosystems.
“In-home integrators that professionally install IoT devices are key in the mitigation of security risks in any consumer’s technology systems and this mitigation is not limited to just IoT devices,” the organization says in its remarks. “When designing, installing, and maintaining technology systems through the home, the homeowner is best protected from security threats by working with qualified integrators throughout the project and the life of the system.”
CEDIA says the rise in smart home technology can be overwhelming to homeowners, especially considering that nearly one quarter of users with 20 or more devices in their home have experienced two or more data security breaches in the past year, per the Rural Broadband Association.
Integrators, according to CEDIA, have extensive knowledge on connected devices, and are the best trained on the intricacies of this technology as it relates to the scope of the Cyber Trust Mark.
“Any voluntary U.S. Cyber Trust Mark program will not replace the need to work with well-trained integrators with a knowledge of how to install, maintain, connect, and deploy technology systems in the home,” the organization writes. “The need for integrators will increase as consumers’ demand for connected devices on a secure network at home and work will significantly increase with emerging technologies.”
It’s Not Just Us Raising the Alarm—Your Customers Are Too
According to research from Parks Associates, 54% of U.S. internet households report experiencing a data privacy or security issue over the last 12 months, an increase of 50% since 2018.
The consumer technology research firm’s “Privacy and Data Protection for Connected Devices” report finds that an increasing number of consumers are becoming wary of connected devices, as 62% of smart home device owners express apprehension about unauthorized access and control of their devices.
At the same time, smart home devices are increasingly popular, as U.S. internet households have doubled the number of connected devices in their homes over the past seven years.
Malware-Infected Set-Top Boxes
The nonprofit Electronic Frontier Foundation is urging resellers to stop selling Android TV set-top boxes that the group says come pre-infected with malware.
The organization calls out two China-based manufacturers, AllWinner and RockChip, which provide malware-infected Android TV box models that add the box to a botnet for initiating coordinated attacks.
When first powered on and connected to the internet, the boxes will immediately begin communicating with botnet command and control servers. Then, the devices connect to a “vast click-fraud network.”
Voice Assistants Susceptible to Unheard Attacks
Two researchers sent their work to the Federal Communications Commission for consideration during the Cyber Trust Mark proceeding, saying inaudible voice commands can silently issue malicious commands to voice-activated IoT devices.
The vulnerability was considered severe enough to be registered in the National Vulnerability Database at the National Institute of Standards and Technology. Tracked as CVE-2023-33248 and first associated with Amazon Alexa software, the flaw allows attackers to deliver security-relevant commands via audio signals between 16 and 22 kHz, researchers say.
Commands at those frequencies are “essentially never spoken” by authorized users, but a substantial fraction of commands issued at those frequencies are successfully executed.
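Because legitimate speech carries almost no energy in that band, a capture pipeline can measure how much of each audio frame sits between 16 and 22 kHz and flag frames dominated by it. The following is an added example, not code from the researchers or any vendor; the 48 kHz sample rate, 10 ms frame, 0.5 threshold and the test tones are assumptions constructed for illustration.

```python
import math

SAMPLE_RATE = 48_000        # assumed capture rate (must exceed 44 kHz to observe 22 kHz)
FRAME = 480                 # assumed 10 ms frame, so DFT bins are 100 Hz apart
BAND_HZ = (16_000, 22_000)  # band cited in the article
THRESHOLD = 0.5             # assumed: flag frames with most energy in the band

def goertzel_power(samples, k):
    """|X[k]|^2 of the DFT of samples, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_energy_ratio(frame, rate=SAMPLE_RATE, band=BAND_HZ):
    """Fraction of a frame's energy that lies inside band (0.0 to 1.0)."""
    n, mean = len(frame), sum(frame) / len(frame)
    # Hann window limits leakage of ordinary speech energy into the high band.
    win = [(x - mean) * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
           for i, x in enumerate(frame)]
    total = n * sum(w * w for w in win)   # Parseval: equals the sum of all |X[k]|^2
    if total == 0.0:
        return 0.0
    lo, hi = math.ceil(band[0] * n / rate), math.floor(band[1] * n / rate)
    # Factor 2 counts the mirrored negative-frequency bins of a real signal.
    in_band = 2.0 * sum(goertzel_power(win, k) for k in range(lo, hi + 1))
    return min(max(in_band / total, 0.0), 1.0)

def flag_frames(samples, threshold=THRESHOLD):
    """Indices of whole frames whose energy is mostly in the 16-22 kHz band."""
    starts = range(0, len(samples) - FRAME + 1, FRAME)
    return [i // FRAME for i in starts
            if band_energy_ratio(samples[i:i + FRAME]) > threshold]

def tone(freq, amp, n=FRAME):
    """Constructed test signal: a pure sine, not captured audio."""
    return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]

def demo():
    """Three constructed frames: speech-like, speech plus 19 kHz tone, speech-like."""
    speech = [a + b + c for a, b, c in
              zip(tone(200, 0.3), tone(800, 0.3), tone(2500, 0.3))]
    mixed = [s + u for s, u in zip(speech, tone(19_000, 1.0))]
    return flag_frames(speech + mixed + speech)
```

A flagged frame is a signal to drop or log the audio before it reaches command recognition; the threshold would need tuning against real microphone noise.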
A Range of IoT Devices Are Vulnerable
An international team of researchers has unveiled findings on the widespread security and privacy challenges posed by IoT devices in smart homes, delving into the intricacies of local network interactions between 93 different IoT devices and mobile apps.
The paper, titled In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes, reveals a litany of previously undisclosed security and privacy threats.
The research team included researchers from the New York Tandon School of Engineering, Northeastern University, University of Madrid, University of Calgary, the International Computer Science Institute and IMDEA Networks. The research was presented last month at the ACM Internet Measurement Conference in Montreal.
Researchers narrow in on the local network and how IoT devices can inadvertently compromise consumer privacy through the exposure of sensitive data within those local networks using standard protocols such as UPnP or mDNS. Researchers say this essentially allows nearly any company to learn what devices are in a home, when the user is home, and where the home is.