Following news this week that vulnerabilities have been found in the Xfinity Home Security system provided by Comcast, the world’s largest broadcasting and cable company*, it is fair to ask how secure ‘IoT security’ systems really are. As Jeremy Cowan asks, who guards the guardians?
Wired.com reports, “Philip Bosco, a security researcher at Rapid7, found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion.”
Rob Miller, head of Smart Energy at MWR InfoSecurity, tells IoT Now, “There is a belief in the IoT (Internet of Things) community that using a wireless protocol such as ZigBee means that the device is secure. ZigBee has a number of very effective security features such as encryption of communications, but it is not a silver bullet. (To see a home security guide comparing rival systems go to: https://www.reviews.com/home-security-systems/)
“Developers of IoT need to consider the unique security risks of their products rather than assuming that they have already been solved for them. Many attacks such as denial of service, capture and replay of messages and side channel attacks could undermine an otherwise secure product.”
“IoT is a rapidly growing area, as seen at this year’s CES 2016 conference. Making a device smart is seen as a way of gaining a competitive edge in a range of products, from fitness to home security,” says Miller. “This advantage is strongest when your product is first to market whilst also being efficient and practical. Building a competitive device requires short development times, reduction of component cost and reduction in power usage. This often means that security is marginalised in an attempt to get the product out the door at a reasonable price. The consequences for a simple smart device may be minimal, but when these devices start controlling our burglar alarms or car doors, then the priorities must be adjusted.”
Failures in IoT security
IoT Now asked where the risks lie in IoT security.
“There are two races happening at the moment that are leading to security failures in IoT. The first is over which wireless protocol will become the de facto standard in IoT. Developers and manufacturers of wireless protocols and hardware need to be clear not only what security features their solutions have, but also how to use them safely and where their limits are.
“The second race is which IoT products will become the ‘must haves’ for 2016.” Miller concludes that, “IoT vendors should consider not only the impact of being first to market, but the impact to their brand when the security of their products is exposed to the world.”
* (largest by revenue)