NEWSWEEK.COM 23
TECHNOLOGYhas the SmartThings hub, which it acquired in 2014
for $200 million, and now connects to air condition-
ers, washers and TVs. Apple has a home kit which can
control any number of devices through voice com-
mands delivered in range of its HomePod.Gaping vulnerabilities
once these systems are installed, devices
from a growing number of companies can be add-
ed to the home network, including those made by
well-known home appliance manufacturers like GE,
Bosch and Honeywell. Belkin makes a line of con-
nected appliances that includes a Crock-Pot WeMo
Smart Slow Cooker, smart Mr. Coffee maker and a
smart home humidifier. There’s a lot of money to be
made. All told by the end of 2019, more than $490
billion in profits will have been earned on the nearly2 billion consumer devices sold over the previous
12 months, according to the property management
consulting firm iProperty Management.
To try to draw attention to the dangers—and the
things consumers should be asking questions about
when buying new IoT products—Antonakakis andAlrawi, in collaboration with researchers at the
University of North Carolina at Chapel Hill, have
developed a rating system and begun evaluating the
security of a wide array of IoT devices. And surpris-
ingly they found gaping vulnerabilities in devices and
systems produced by even some of the most tech-sav-
vy companies.
The vulnerability of IoT devices goes well beyond
holes in password protection, the vulnerability ex-
posed by the Mirai attack, they argue. IoT devices
can also be accessed and taken over directly through
the home network they are connected to, and that
home network is only as strong as its weakest link.
That means that even if each device comes with a
unique password and username, it’s not necessar-
ily secure. Once hackers find a way onto the home
network through one vulnerable device, the path is
often wide open to the rest of the network.
To secure an IoT device, they argue, manufactur-
ers need to patch vulnerabilities in four different
areas : direct access to the device itself, the mobile
app used to run it, the way it communicates with its
home network and, in many cases, the cloud-based
server that manufacturers use to push out updates,
collect user data, or provide new services.
Getting all that right is not easy. For a vendor to
secure all four parts, Alrawi notes, it needs a good
mobile-app developing team “that knows secure
development,” a “system team that does very good
embedded system development and secure devel-
opment” and cloud experts who can design a secure
cloud “backend” that allows the device to be managed
without exposing it to additional risk. Finally, the de-
vice manufacturers need somebody who has network
knowledge on how to build efficient and secure inter-
net protocols and what protocols to avoid.