At CES next week, expect booth after booth of smart devices — and a host of approaches to their security.
You know, locks, cameras, appliances, doorbells, electrical outlets — anything you can put a sensor on. Many of these will be made by brand-new companies, hoping to capitalize on the mania for devices that can talk with each other.
The chatter between all those gadgets — known collectively as the internet of things — is going to be cacophonous. Machina Research estimates the IoT market will jump to 27 billion devices by 2025, up from 6 billion now, and will generate roughly $3 trillion in revenue.
You may find a lot to like in the internet of things. Wouldn’t it be nice if your lights turned on when you pulled into the driveway? That could happen if your car is talking to your house. Need to double-check that you locked the house before you board a flight? The internet of things can do that too, assuming your doors are connected to your home’s Wi-Fi.
You may, though, not like the vulnerabilities that come with that convenience. Those conversations create the opportunity for digital eavesdropping. And once the bad guys access your home — even virtually — private and personal information doesn’t stay that way.
That’s why you’ll be hearing a lot about IoT security at CES 2017 in Las Vegas, where more than 500 exhibitors making internet-of-things sensors will pitch their wares. Hundreds more will hawk accessories, appliances and security for your smart home. It’s all part of the annual tech extravaganza that is CES, which last year brought you LG’s rollable OLED screen, Parrot’s Disco drone and Samsung’s internet-connected super fridge.
The emphasis on the internet of things won’t be limited to the slew of companies on the expo floor — including Ring (video doorbells), Blink (home security cameras) and Petcube (cameras for Fido and Tabby) — but will also encompass the variety of conference sessions on topics ranging from IoT business models to overviews of what the “domestic digital future” might look like.
Squeezing in security
Jenny Fielding, managing director of the IoT program at startup accelerator Techstars, is flying into Las Vegas especially to hear pitches on wearables and on the internet of things. She’s already worked with companies like robotic toy company Sphero and industrial IoT company Pillar Technologies, and at CES she’ll be looking to invest in a wide range of IoT areas, from industrial applications to the home front.
She knows that IoT startups, consumed with getting a company and a product off the ground, may not always give security its due. The fundamentals — and sometimes the frills — of hardware and software often take priority. The philosophy has been, if consumers aren’t thinking about the security of their smart baby monitor, why should a startup?
That’s starting to change.
“You’re running a startup, and you’re doing a million things and you also have to think about securing your end users’ data and hardware,” Fielding said. “It’s something startups are realizing, that it is important to have certain levels of security around their applications.”
It’s can be a struggle, though.
“The first thing to realize is security is not a feature that sells anything,” said Earlence Fernandes, a researcher in IoT security at the University of Michigan. Security isn’t the core function of these devices and that’s one reason there are so many insecure devices on the market, he said.
AT&T’s 2016 Cybersecurity Insights report expressed a similar concern: “Items like network-connected wearables or smart coffee pots will become of increasing interest to hackers due to the often limited attention paid to security in their development cycles.”
At the Defcon hacker conference, a software engineer demonstrated how he could hack August’s first- and second-generation smart locks. The company quickly fixed the vulnerabilities.
Such problems are widespread, researchers say. An estimated 70 percent of IoT devices had vulnerabilities ranging from password security to encryption, according to a study conducted by HP in 2014. In the same study, HP found an average of 25 vulnerabilities per device in the 10 most common IoT products on the market.
‘No hack-proof system’
Butterfleye, which makes smart home security cameras, is looking for ways to design IoT devices that don’t rely on the owner’s home network. The San Mateo, California-based company uses two forms of encryption and stores information in the cloud, rather than the device itself.
Butterfleye will be at CES. Brandon Nader, senior marketing manager, says a hacker would have to be inside your home with access to the camera, as well as have your phone in hand, and be logged into the app, in order to access the video.
“There is no hack-proof system,” said Brandon Nader, senior marketing manager for Butterfleye. “The objective is to go as far as you can to make it really hard for that to happen.”
Security hasn’t been a selling point in the past, but consumers are starting to take notice. They’ve been barraged by reports of hacks that could hit them personally — those big breaches at Yahoo, for instance — and of incidents for which some of the blame could fall on devices in their own homes.
In October, Twitter, Netflix, Reddit, Spotify and other big services were knocked offline when a distributed denial-of-service attack, commonly known as DDoS, hijacked security cameras, baby monitors and other IoT devices that had been infected with malware. The malware had commandeered the devices, directing them to bombard key sites with enough traffic to paralyze them.
The ability to take over devices also means hackers can gain insight into what you’re doing and when. For example, someone could figure out when you’re home based on your smart thermostat’s presets. You don’t leave the heat cranking when you’re not home, do you?
“Security has moved from the tech pages to the main pages,” said John Curran, managing director of communications, media and tech at Accenture.
A 2015 Accenture report showed that 54 percent of consumers were cautious about what they shared because they didn’t feel confident their online data was secure. They did, however, prefer trusted brands.
That may benefit startups — including those in CES’s startup central, dubbed Eureka Park, introducing themselves to the world for the first time — that make security a priority now. Eventually, it could help ensure that these companies survive long after they tear their booths down for the year.