You recently returned from the CES 2016 event and said that while you were wandering the aisles and talking to the vendors, you were shocked by the number of SmartHome and IoT devices that had little or no security. What kinds of devices are you talking about and what kinds of issues?
Smart locks, Baby Monitors, home routers, appliances, printers, etc. have all been hacked with documentation of those hacks. Recently publicized events involving automobiles being hacked have expanded the threat exposure for average consumers. Imagine someone taking over your baby monitor, or remotely unlocking your doors because they were able to hack into your system. That is the type of threat that exists.
Icon Labs focuses on doing more than just protecting our credit card accounts and medical records. Why is it so important to protect the actual devices themselves?
Security should be layered. It is not enough to simply protect the network. A fence around the yard still requires a locked front door and locked windows. Within a network, each individual device that is protected makes the intruder take more time and effort. If all the devices within the network are individually protected, an intruder who gets access to one does not get to the others. We recommend that each device be individually secured with protection such as that from the Floodgate Security Framework. This provides much deeper defense and stronger protection.
In our computers and routers, most of us are using Firewalls and anti-malware – anti virus programs. Why can’t we use these to protect our smart home and IoT devices?
IoT devices including Smart Home devices are built on a different technology platform than PC’s. They have different hardware, different operating system, and typically much less available resource to run these types of programs. Specifically, most PCs are running large complex operating systems such as Windows, Linux or Mac OS X. They have the space to handle large firewall and anti-malware programs. In contrast, most edge devices, such as sensors, smart door locks and home routers, just have a few kilobytes of extra memory space in the processors that make it operate. That is not enough to run a “typical” firewall or anti-virus, anti-malware program. However, small specialized solutions, like the Floodgate Security Framework, can operate within those small memory constraints and can provide the needed protection. This unique approach to providing the Internet of Secure Things differentiates protection for these diverse and unique devices.
I understand that most consumers really have no means to install a cyber protection technology like yours. It has to be built into the device. Who in the development and manufacturing chain should be responsible for this?
Ideally, the manufacturer of the device, or manufacturer of the chips inside the device, should take responsibility. In order to simplify this process we have partnered with chip companies like Renasas to develop a preconfigured security suite with their Synergy platform. A company that chooses Synergy can have a ready built security solution to start. Other companies can use the Floodgate Security Framework to integrate security into their device on the platform they choose. Because it is highly scalable and cross platform compatible with both hardware and software, it is ideally suited for this environment.
I understand that large utility plants, DoD facilities and even medical equipment is at risk. As much of this legacy equipment cannot be updated, it takes a long time to replace this equipment with newer, cyber protected versions. Is there a solution that is now available?
Icon Labs offers a unique small footprint appliance for industrial applications that allows a legacy product to be protected with Floodgate solutions residing on that device. It is low cost and virtually plug and play to implement. This small box, positioned between the machine to be protected and the network connection, can tie in to management systems for visibility and policy management. This addresses one of the major concerns of enterprises, the the ability to know what is happening in the Operational Technology side of the business. Now OT can have the same level of protection as IT.
What do consumers need to know about security – is a solution coming? How long will it take before this kind of IoT security is built into home devices?
A few companies are starting to build in this type of security, but the industry has a long way to go. The building blocks, software like we provide and processor with built-in security, are now available. Over the next few years, more and more end products will be built using these solutions. I expect it to take 5 years or more before we see consistent, strong security in the majority of smart home products.
What can consumers do in the meantime? Can you give us three things that the average home consumer can do to improve security now and help fight off cyber-attacks that can compromise their home electronics?
First and easiest is change the default password on each device you install. This one step will significantly reduce vulnerabilities. When purchasing devices, consumers should ask what cyber-security features are provided. Make sure to select devices that allow you to configure the password and control the security. Make sure you change passwords regularly and don’t use the same password for all devices. This will prevent the breach of a single device from spreading to other devices in your home. Finally, be vigilant when any cyber event occurs or if a device suddenly starts behaving oddly. Often, malware will result in programs crashing, significant impacts on performance or spikes in unexpected network traffic.
About Alan Grau
Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for IoT and embedded devices. He is the architect of Icon Labs' award winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University. He speaks and writes prolifically on security of IoT devices.
About Icon Laboratories, Inc.
Icon Labs, a 2014 Gartner “Cool Vendor” and 2015 Gartner “Select Vendor”, is a leading provider of security solutions for IoT and embedded device, including the award winning Floodgate Defender and Floodgate Security Framework. Founded in 1992, Icon Labs is headquartered in West Des Moines, Iowa.