I've had an internet-controlled thermostat controlling my home heating for over a year, but it had never crossed my mind to have a poke around and see how secure it was. I was shocked to find out that anyone on the internet could gain access to my heating in 10 seconds!
But why does it matter? Why are people bothering to look?
I'll address why people are bothering to look first... Because it is fun! People fill their free time with all manner of things - watching TV, going for a run, seeing friends, etc. There will always be some people who like having a poke around devices and seeing what security flaws they can find. It is not always for devious purposes – some people would love to be able to say their blog was once slashdotted because of a security flaw they found. But rest assured, the juicy bugs will get into the hands of people who can use them to make money or cause trouble. I read a funny story about one man who took delight in being able to turn on the heating in his "evil" ex-wife's house via the insecure thermostat!
Despite what some people say, IoT devices are useful and will feature in houses of the future. The worry is that if product companies do not get IoT devices right, there will be a consumer backlash that will delay adoption. Consumers will lose faith in devices and not make the best use of them - whether that be making their life easier, or improving the energy efficiency of their home.
But getting IoT devices right can be tricky if you don't approach it in the right way. It's not just about using secure passwords and encrypted HTTPS connections. It's about a system-level approach that has security at its heart to ensure the development team make the right detailed decisions (the National Express Print-at-Home vulnerability is a shocking example of a developer making a bad decision).
Cambridge Consultants can help you carry out some or all stages of a system-level approach to product development to ensure the finished product meets your requirements and your customer’s requirements. This includes the product requirements capture, the subsystem requirements capture, the detailed design work, the design review (including the security aspects), the verification and validation (V&V) and the transfer to manufacture (whether that be UK, US, Eastern Europe or Asia).
IoT devices may be low-power, low-cost, simple devices, but that does not mean you can get away without a structured development process!