<h1>The Impossible Job: Security for Long-Tail Smart Home Devices</h1>

<p>Published 2018-10-18 (last modified 2022-08-02). Source: https://safecility.com/the-impossible-job-security-for-long-tail-smart-home-devices/</p>

<figure><figcaption>[Image] How do we keep intruders out of devices we don't understand?</figcaption></figure>

<blockquote><p>When looking through the underlying code for the camera, he discovered a default admin password hard-baked into the code, which meant that if the manufacturer itself was breached by a cybercriminal, the hacker could use that password to gain instant access to every camera shipped to customers.</p></blockquote>

<blockquote><p>"I contacted the company to make them aware, and they admitted that the flaw had already been disclosed to them, but that the software was provided to them by a third party, and they were waiting for that provider to do a fix," he says.</p></blockquote>

<p>FT.com, 'How security experts manage their own "smart" homes'</p>

<p>This jaw-dropping revelation turned up in an FT piece on how security specialists deal with smart homes in their personal lives. We might be tempted to gloss over it as just another scary smart home story, but it really speaks to how hard it will be to police smart devices in the long tail.</p>

<p>I understand the long tail in this context to mean the large volume of different smart devices whose manufacture is outsourced at the request or specification of the brand owners. These devices don't have the support of Apple or Google technical teams — they rely on outsourced manufacturing to create and mass-produce them.</p>

<p>I've seen a great deal of writing on security from people I respect talking about the need to build up the in-house skills of IoT or smart home companies, or to have access to the skills needed to close down vulnerabilities quickly and to manage security into product development. Where this broader principle runs aground is the <em>Shenzhenification</em> of smart devices like our smart home camera above.</p>

<p>The software for the cameras is delivered by third parties in a way that is familiar to anyone who has procured goods from AliExpress or foreign outsourced manufacturers for their business. It is a step above drop-shipping. The goods arrive with your logo, a little like mystery meat. The extent of your involvement depends on your in-house competence. Marketing and packaging are usually slick because companies invest in them. Coding, product engineering and QC are weaker: "why have a dog and bark yourself?"</p>

<p>What we end up with is a familiar shiny object but minimal grasp of the internals.</p>

<p>A regulatory push for security, or a programme like the IoT Mark, will force companies to take on the skills needed to avoid this kind of humiliating admission that they merely pass on goods made by someone else (usually far away and not exposed) and affix their own label for buyers.</p>

<p>This is a knotty problem: it is now embedded business practice to outsource as much of the development process as possible. Often this works fine with factories, given the quid pro quo of large orders.</p>

<p>Whom the factory commissions to do its development work is rarely a concern of our brand owner. How much follow-up is possible when a hard-baked admin password takes down an entire product range is usually out of scope.</p>

<p>A factory is going to get the product developed as cheaply as possible so it can amortise its costs early in a production run. The rest is gravy.</p>

<p>Security — and many good consultants know this, but perhaps buyers need to learn it — is a federated area of the business, spread over internal and external stakeholders and at great risk of being ignored in order to deliver cheaply.</p>

<p>How we manage this reality for the long tail of smart devices as volume grows exponentially directly affects how big our risk of catastrophic breaches gets.</p>

<p>It is something we take seriously: we have a great in-house Product Team and some superb collaborators in Nimbus to help us. We are a small startup, but we cannot afford to let exposure go unaddressed. Risk management assumes that bad things can happen — it is about ensuring that you are able to respond quickly and minimise the harm. That is still a work in progress.</p>