At Drop, we work with the top brands’ appliances, operating in millions of homes.
I’ve been working with the connected home for 10 years, and in that time I’ve seen all the ways that security flaws can be manipulated.
These range from careless security design, such as the weakness in AGA’s top-of-the-range “total control” model that left the potential for the famous cast-iron stove to be controlled via text message by hackers, to botnets hijacking consumers’ bandwidth to take on a behemoth like PayPal.
For the kitchen, we’re already in a potentially dangerous room, and for appliance makers who have held safety as a top priority since we started cooking indoors, security is the new frontier. One they have to wrestle with and weigh the best options for, from cost to convenience.
What Are the Main Concerns?
The percentage of American homes with smart appliances is set to double within the next five years, and with that comes security concerns. Consumers love the convenience and cachet of internet-connected devices, but rarely understand the depth and breadth of the information exchange it takes to make them run smoothly.
The truth is, brands bear the burden of ensuring that their users are safe and when they fail at that mission — whether it’s the fault of a targeted attack, or simply a lax password set by the user — it can result in a short-term PR nightmare or a complete loss of consumer trust.
For example, a massive distributed denial-of-service attack, or DDoS, in 2016 on Dyn, a company that manages internet infrastructure, took down websites including Spotify, PayPal, Reddit and Twitter, and was traced back to connected devices within the home that were not secure.
In the 2016 attack, hackers were able to flood Dyn’s servers with traffic, until they collapsed under the load, by harnessing consumers’ bandwidth via their devices. They were able to access web cameras, smart fridges, and even baby monitors, to infect them with malware called Mirai, putting the manufacturers of those products in the spotlight with consumers who had trusted them in their homes.
Brands investing in simple security measures, like secure passwords and third-party security certification, could have prevented this from ever happening.
Security Through Obscurity For Connected Devices
Some manufacturers have developed products with speed to market and low cost as higher priorities than security — with outdated software stacks and poor engineering choices that leave back doors and vulnerabilities. Some take a ‘Security Through Obscurity’ approach, which hides security flaws rather than resolving them and relies on attackers never finding out that the flaws are there.
It’s like hiding your treasure under a tree in the forest. It’s perfectly safe, until it isn’t.
Safe by Design
Kitchen appliances are inherently risky — they have motors, blades and heaters — and so even before taking security for connected appliances into account, they have to be certified for safety in the relevant legislative region before they have any chance of reaching consumers.
These processes provide a trust mark, like the CE marking in the EU, that consumers come to expect. Ensuring kitchen appliances are safe has always been an element of their design.
The design of how appliances can be controlled remotely, or accessed by the internet, needs to be equally carefully considered from the start. The EU, U.S., Japan and Canada have their own standards for inspecting and verifying the safety of appliances, and awareness of these standards is necessary for bringing a secure appliance to a global market.
Although existing safety standards address remote control capabilities in general, internet security is such a new and changing field that regional legislation struggles to stay up to date. In this case, a commercial testing laboratory has taken the unorthodox step of establishing its own standard, which has become the de facto standard for internet security in the smart home. UL’s IoT Security Rating assesses critical security aspects of smart products against common attack methodologies and known IoT vulnerabilities, to create a ‘security baseline’ among the consumer IoT industry.
These certifications range from bronze to diamond, with bronze-certified devices required to meet standards like not allowing default passwords, secure communication connections and the ability to securely remove all sensitive data with a factory reset. Leveraging this rating can help appliance brands achieve product differentiation. For instance, GE Appliances, a company we’ve shipped integrations with since 2017, became the first household appliance brand to achieve gold level certification from UL in May of this year.
Stacey Higginbotham, an expert on the internet of things and technology in general, notes that while UL’s IoT rating has its issues, a gold-certified device is secure enough for most home appliances.
“Companies have to make trade-offs between security and convenience, and also between cost and convenience. Implementing the highest levels of security on a common device doesn’t always make sense if the data it has isn’t sensitive, or if it’s not a device that can be controlled remotely to create physical damage.” — Stacey Higginbotham, “Let’s talk about UL’s device security rankings”
Standards and testing methods like these are a step in the right direction for the smart home industry as a whole, and empower customers to make informed choices. But knowing what can compromise your appliance or device is the key to building security into the DNA of your product, versus reacting to vulnerabilities as they’re uncovered along the way.
Looking To the Connected Kitchen for IoT Security Done Well
When it comes to the smart home, the kitchen is by necessity the epitome of a secure room. Kitchen brands have safety in their DNA and know the importance of consumer trust. At the same time, the popular use cases of matching users with the recipes, ingredients and results they expect are well understood, have modest computing requirements and are readily secured.
The optimal chipset for devices varies from ovens to microwaves to countertop appliances. Drop has been working for over 8 years to evolve the technology approach that brings consumers closer to the brands they trust the most in their home. This takes testing, monitoring and updating to always use the best option in terms of performance, ease of use, and keeping the bill of materials cost down.
Finding the balance between simplicity and capability took time, but our favored chipset is not only cheaper to use but designed to be safer from these kinds of attacks from the ground up. 500k of memory is enough to keep the appliances running smoothly, and support the latest security standards, but is still 2,000 times less memory than the smallest, simplest mobile smartphone, guaranteeing that code is lean and clean. Efficient, capable, secure.
Building these software-security frameworks into the hardware of connected appliances paves the path for easier security down the road, and an awareness of this security by design is crucial in launching an appliance that succeeds.
If you’re interested in how we help our partners think about their security for connected appliances in a way that works for their hardware, software, customers and brand, schedule a demo with Cynthia West, VP of Global Sales.