The Impossible Job: Security for Long-Tail Smart Home Devices
Posted On 18th October 2018
When looking through the underlying code for the camera, he discovered a default admin password hard-baked into the code, which meant that if the manufacturer itself was breached by a cybercriminal, the hacker could use that password to gain instant access to every camera shipped to customers.
“I contacted the company to make them aware, and they admitted that the flaw had already been disclosed to them, but that the software was provided to them by a third party, and they were waiting for that provider to do a fix,” he says.
This jaw-dropping revelation turned up in an FT piece on how security specialists deal with smart homes in their personal lives. We might be tempted to gloss over it as another scary smart home story, but it really speaks to how hard it will be to police smart devices in the long tail.
I understand the long tail in this context to mean the large volume of different smart devices whose manufacture will be outsourced at the request or specification of the brand owners. These devices don’t have the support of Apple or Google technical teams — they rely on outsourced manufacturing to create and mass-produce them.
I’ve seen a great deal of writing on security from people I respect talking about the need for IoT or smart home companies to build up in-house skills, or to have access to the skills needed to close down vulnerabilities quickly and manage security into product development. Where this broader principle runs aground is the Shenzhenification of smart devices like our smart home camera above.
The software for the cameras is delivered by third parties in a way that is familiar to anyone who has procured goods from AliExpress or foreign outsourced manufacturers for their business. It is a step above drop-shipping. The goods arrive with your logo, a little like mystery meat. The extent of your involvement depends on your in-house competence. Marketing and packaging are usually slick because companies invest in them. Coding, product engineering and QC are less strong: “why have a dog and bark yourself?”
What we end up with is a familiar shiny object but minimal grasp of the internals.
A regulatory push for security, or a program like the IoT Mark, will force companies to take on the skills to avoid this kind of humiliating admission that they just pass on goods from someone else (usually far away and not exposed) and affix their label for buyers.
This is a knotty problem: it’s now embedded business practice to outsource as much of the development process as possible. Often this is fine with factories as the quid pro quo of large orders.
Whom they commission to get their development work done is rarely a concern of our brand owner. How much follow-up is possible when they have hard-baked an admin password that takes down an entire product range is usually out of scope.
A factory is going to get the product developed as cheaply as possible so it can amortise its costs early in a production run. The rest is gravy.
Security — and many good consultants know this but perhaps buyers need to learn it — is a federated area of the business, spread over internal and external stakeholders and at incredible risk of being ignored to deliver cheaply.
How we manage this reality for the long tail of smart devices, as volume grows exponentially, directly affects how big our risk of catastrophic breaches gets.
It is something we take seriously. We’ve got a great in-house Product Team and some superb collaborators in Nimbus to help us. We are a small startup but we cannot afford to let exposure go unaddressed. Risk management assumes that bad things can happen — it is about ensuring that you are able to respond quickly and minimise the harm. That is still a work in progress.