When manufacturers don’t update smart home devices throughout the products’ lifespans, they can turn into security landmines. That’s why regular updates and patching, and unique authentication processes are key, say iRobot executives Mike Gillen and Mike Tirozzi. In the latest Intelligence of Things Tracker, they discuss defensive strategy for smart connected devices against an increasingly intricate offense.
Home appliances have come a long way since the 1800s, when the electric oven and dishwasher debuted, or the early 1900s, when vacuum cleaners roared into middle-class American homes. Manufacturers promised these devices would ease the aggravations of housekeeping. They continue to work toward that goal a century later, in an age when “home device” conjures up a very different picture.
Smart appliance manufacturers leverage Internet of Things (IoT) technology to reduce the burden of home maintenance. These technologies may introduce conveniences, but they can also add new risks. Connected floor-cleaning robots may save residents lost time — and backaches — but they may be more trouble than they’re worth if they’re not secure. This is especially true given that traditional vacuums are not susceptible to cyberattacks.
PYMNTS recently spoke with home cleaning robot provider iRobot’s Vice President and Chief Information Officer Mike Tirozzi and Director of Product and Data Security Mike Gillen on the ways smart home providers are tackling such issues and how providers can offer the conveniences of home IoT while minimizing risk.
Continual Vigilance
IoT devices are exposed to potential cyberattacks for as long as they are connected. This means they need to be secured against the malware and other threats present at the time of manufacturing as well as those that may be developed long after the products are released. Device security is therefore not a one-and-done deal, but rather something that lasts the product’s entire lifespan. Manufacturers must continually monitor and update their devices’ software to stay ahead of evolving cyberthreats.
“We know that the landscape is going to change, the players are going to change [and] the attacks are going to change as well,” Tirozzi said.
Both Tirozzi and Gillen noted that keeping software secure works best if the provider takes responsibility, as opposed to expecting consumers to remember and know how to do so. All data transmission should be encrypted from the get-go and manufacturers should handle regular software patches and updates.
Intertwined Security
Fraudsters can swoop in when security vulnerabilities are found and left unaddressed, compromising a device and others to which it is connected. iRobot seeks to prevent potential issues in which one hacked Roomba is leveraged to compromise others, and does so in part by giving each device a unique authentication for connecting to the company’s cloud. It can then isolate a compromised robot and shut it down before hackers gain access to other devices or systems. “[This] prevents more of a suite-wide compromise in the process,” Gillen said.
IoT providers also cannot simply focus on their own products and IoT ecosystems. Tirozzi and Gillen explained that a vigilant provider’s securely designed device can still be threatened if it connects with a less-secure IoT offering, a problem that will grow as consumers place more connected items in their homes. Some may even be using smart solutions that do not receive security updates from manufacturers.
“You’ll likely have connected devices where the company that makes them goes out of business,” Gillen said. “[Those] devices aren’t receiving updates anymore because the company doesn’t exist … but they’re still connected in customers’ homes. … Those devices may live on beyond companies’ abilities to support them.”
Companies can minimize opportunities for cybercriminals to interfere with their smart devices by taking several precautions. One common IoT security mistake is providing devices with default login credentials, which becomes a problem because bad actors can compromise all of them by stealing just one device’s login. Consumers must also be capable of controlling how connected their devices are. iRobot’s products can work with Alexa or Google Home, but only if the consumer actively chooses to link those accounts. The products are also capable of functioning offline, but making connections available as an “opt in” offering is key to giving consumers a sense of control and trust, Tirozzi and Gillen explained.
Consumers are increasingly turning to smart devices to enhance their home conveniences, meaning it is all the more important for providers to step up their security efforts. Those that want customers to regard their offerings favorably will need to ensure they can withstand attacks now and long into the future.