A recent study by Frontier Communications surveyed more than 1000 people on smart home technology. One aspect of the study was people’s beliefs on the security risks related to smart home technology. Key findings in the study were:
- “59% of respondents were extremely or very concerned about cybersecurity risks related to the use of smart home devices”
- “79% of respondents said they would switch brands due to a security breach, while 37% had experienced such a breach related to their smart home device(s)”
- “Millennials (60%) and Gen Xers (60%) were the most concerned about cybersecurity risks, while baby boomers (49%) were the least concerned”
The most concerning smart home device risks found in the study were:
- Having sensitive information stolen (63%)
- Being watched (61%)
- Having financial information accessed (55%)
- Being recorded (43%)
- Being robbed – based on a homeowner’s address being leaked (38%)
- Having health information accessed (33%)
- Wi-Fi Sharing (23%)
Reinforcing these fears, consumers are inundated with articles on vulnerabilities in networking and smart home devices. The list of articles on this topic is almost endless. Here are just a few:
- ars TECHNICA – Vulnerabilities in billions of Wi-Fi devices let hackers bypass firewalls
- BBC News – Six million Sky routers had serious security flaw
- PBS News Hour – Security flaws found in popular smart home devices
- Bob Vila – The 10 Biggest Security Risks in Today’s Smart Home
While some articles are written for the technically savvy individual, large numbers are written for the average person who may still have little ability to understand the technical details and read beyond the headlines.
Given the high percentage of people with cybersecurity concerns and the endless reinforcement of these fears in the news, neither smart home integrators trying to sell smart home solutions nor smart home device manufacturers can ignore that these findings are a barrier to adoption. The question then becomes what to do about it.
Smart Home Device Manufacturers
I believe that the first step that should be taken by a manufacturer is to make consumers aware that cybersecurity is taken very seriously by them. Unfortunately from a manufacturer standpoint, this is an uphill battle. Manufacturers seem to have shied away from any news about security flaws in the belief that this would scare consumers. When flaws are found or exploited, manufacturers receive a wealth of negative press.
To build consumer confidence, I believe manufacturers need to take a different approach that works to offset this negative press.
First, manufacturers should be educating consumers on the facts of life about vulnerabilities. The complexity of today’s products makes it impossible to find/fix every single vulnerability before a product is shipped to consumers. Given that basic rule, manufacturers need to be open and publicize the amount of effort, resources, and money that they spend on finding/fixing vulnerabilities before a product is sent to consumers. They also should promote the steps that they have taken to continue to find/fix vulnerabilities while a product is actively being used by consumers
For example, a new product announcement could include the amount of time and effort taken during the product’s development to find/fix vulnerabilities to assure that the highest quality product was delivered to consumers. In addition, a company could issue a press release every time new quality assurance personnel, which will be dedicated to vulnerability testing, are hired.
I also think that manufacturers need to include cybersecurity insurance with each product sold that protects a consumer from damages should the product be hacked and the consumer harmed. This demonstrates a manufacturer’s commitment to stand behind their product. Obviously there would be a cost to including this kind of insurance with a product. However, I think that consumers would be willing to pay a little more for a product that included cybersecurity insurance versus a competing product that did not.
For years, many manufactures have included a “100% satisfaction guaranteed” commitment with their products in the form of a logo on the packaging. A similar logo for “cybersecurity protection included” that would highlight this benefit to consumers could also be included on the product packaging.
Cybersecurity and the Smart Home Integrator
From a smart home integrator perspective there first needs to be a focus on understanding what cybersecurity risks the customer is most worried about. Different customers will be worried about different things and there needs to be an effort made to understand the customer’s “hot buttons.”
Similar to a manufacturer not wanting to talk about product vulnerabilities, there may be a hesitancy to bring up cybersecurity risks with a potential customer. However, I think it is much better to understand what concerns the customer has instead of going through all the effort to create a smart home design only to find out the customer won’t accept it because it doesn’t address their fears.
Once the customer’s cybersecurity concerns are understood the integrator can make sure that the proposed smart home system design addresses these concerns and that the smart home products included in the design eliminate, or minimize, the risks voices by the customer.
For example, if a customer is worried about the potential of smart home devices accessing private financial and health information, then the design should include a router that supports VLANs. All smart home IoT devices would be placed on a separate VLAN where they are isolated from the homeowner’s computers and can’t access any of this data.
Again, for example, if the customer is worried about being watched by IoT devices with cameras, then there are several things that can be included in the smart home design to address this concern.
- Do not place any IoT security cameras inside the home; only use them outside
- If there is a need to place IoT security cameras in the home, then only place them in public areas of the home, such as the living room and foyer. Do not place any in private areas of the home, such as bedrooms
- Any IoT security cameras placed inside the home also can be physically powered off until a security system detects an intruder. The power supply for the camera can be plugged into a smart outlet, or the camera’s Ethernet cable can be plugged into a power-over-Ethernet (PoE) port on an Ethernet switch that allows the port to be powered on/off. Only when the alarm system detects an intruder should the camera be powered on and begin operation
- If smart speakers that include cameras are part of the design (such as an Amazon Echo Show), only use models that have a physical camera shutter.
It will take some effort to educate the customer on the details of the proposed smart home design and how the design addresses their cybersecurity concerns, but I believe the effort is well worth it as it demonstrates that the integrator understands the customer and is focused on their needs.
Cybersecurity is a significant concern among consumers and stands as a barrier of adoption of smart home technology. The press is dominated by articles on vulnerabilities of smart home IoT devices, hacking incidents, etc. Manufacturers need to be more open about the efforts they take to keep their smart home IoT devices safe to offset this negative publicity. They also should include consumer protections for hackers exploiting vulnerabilities in their products that cause damage to the consumer.
Smart home integrators need to understand the cybersecurity concerns of their customers, develop smart home designs that address these concerns, and make the effort to educate customers on how the design meets their needs.