Demand for smart alarm systems is booming. Regrettably, so is the number of cyber-attacks on these IoT products. Now, regulators are bringing in new rules to improve the security built into these devices. So what can manufacturers do to meet the required standards and protect their customers?
Not so long ago, regulators in the consumer electronics space had a straightforward job. They put rules in place to keep people physically safe. They made sure your TV didn't explode.
But then the goalposts moved. Suddenly, consumer devices got connected. Dumb TVs became always-on smart TVs. Thanks to poor cyber security, hackers could take control of these previously benign objects.
And attackers have a huge number of devices to target. ‘Smart home’ products – from AI-powered smart speakers and video doorbells, to phone-controlled light bulbs and robot vacuums – have never been more popular, thanks in part to the shift to remote working.
For this reason, law makers are now taking the danger of smart device cyber-attacks seriously. They are mandating the adoption of strong security systems.
For example, in 2021 EU regulators introduced the updated Radio Equipment Directive. The legislation lays down new legal requirements for cybersecurity safeguards, which manufacturers have to take into account in the design and production of connected products.
One of its key targets is the home automation and security market. This is a fast-growing space. Indeed, the market for domestic monitoring and alarm systems is expected to grow in the next few years – reaching $11.7 billion by 2028.
• General consumer concern about safety and privacy
• Pandemic-related issues (social distancing limits professional installation, people spend more time at home)
• Friendlier device interfaces (voice control makes the tech more accessible to less tech-savvy consumers)
• More affordable running costs (falling cost of mobile and Wi-Fi data)
• A wider available base of professional alarm providers
You might think that smart security systems and alarms would themselves be secure. Regrettably, this is not always the case.
Two major flaws make security systems susceptible to cyber-attacks: vulnerable local networks and weak device set-up.
Let’s take a closer look.
Wi-Fi networks can be vulnerable to attacks thanks to weak SSIDs and passwords. Intruders can use social clues or even conduct a brute force attack to access the Wi-Fi router password with little effort. They might even be able to simply cut the wire to de-activate a system, if a householder decides to set it up like this.
Manufacturers also face the issue of network lifecycles. Their devices might, for example, be set up to send data across 2G and 3G networks. In many cases, they might not support a smooth migration path to 4G and 5G networks (necessary as carriers sunset 2G and 3G). This presents a problem: a security system cannot be considered secure if the connectivity is unreliable or intermittent.
Meanwhile, manufacturers often ship their smart home devices with weak ‘install and forget’ passwords. Most householders just use the default factory setting password, which can be easily accessed by attackers. Furthermore, smart home devices often run niche operating systems, whose security solutions are not as robust as those of Windows or Linux etc.
So what can manufacturers do to prepare for the coming regulatory changes, and mitigate existing cyber threats?
Well, there’s plenty.
And it comes down to something simple: build in security across the lifecycle of the device.
Consider an OEM shipping 100,000 devices. It won't necessarily know where these devices will end up. So it must build the best possible cyber protection into its devices at the factory stage, yet also give its customers the ability to provision later in the lifecycle.
The good news is that lifecycle security is perfectly achievable now.
So here are five steps manufacturers can take to build smarter device security systems – from factory to home.
1. Use cellular modules with built-in security features
Today’s pen-tested IoT modules, gateways and modem cards encode advanced security protection directly into the chip. They enable features such as trusted device identity for safe cloud interworking and deep penetration testing against security threats. They safely store keys on-board for secure digital identification. And each cellular module comes with its own digital identity, which makes it near-impossible to clone.
Manufacturers should always work with authorised and validated partners. For example, Thales’ ‘Cinterion IoT Suite’ platform includes a software update feature that sends encrypted firmware updates to distributed fleets.
Cheap models from non-validated suppliers do not offer these extras, which can cause problems later in the lifecycle.
2. Make sure your devices are ready for next-gen networks
Today’s designs need to allow for a future transition to 5G. All over the world, mobile network operators (MNOs) are sunsetting their 2G and 3G networks and moving towards 4G and 5G cellular standards that have been specifically developed for IoT.
Manufacturers of smart alarm systems must be ready for these upgrades. They must ensure their devices can send data safely over any future generation cellular network without any degradation in security. They must also be ready for new opportunities such as 5G ‘network slicing’ and the roll out of new private networks. All this requires that devices can support an update to new cellular standards.
Happily, smart alarm system makers do have options. The new generation of eSIMs (in combination with connectivity activation services) makes it easy to change their selected MNO subscription during the lifetime of the connected device.
3. Provision SIM profiles at the factory stage
Security device makers want their products to be easily provisioned by users ‘out of the box’. This is challenging in a world of physical SIM cards. It requires device makers to manually configure SIMs. It also necessitates a large number of potential SKUs per product.
They can reduce the number of variants by provisioning multiple SIM profiles in one dedicated IoT eSIM. Using an eSIM reduces complexity. There is just one SKU to cover all geographies, and any MNO subscription can be provisioned dynamically during manufacturing. In other words, an ‘empty shell’ eSIM can be configured for any cellular operator when it is turned on for the first time.
4. Provision your chosen network operator on-site
As discussed, new generation IoT eSIMs simplify the manufacturing process for home security system makers. They also make it much easier to activate these devices in the field. Thanks to remote connectivity activation services from Thales, the IoT eSIM will automatically download the MNO profile that best suits the device location, then connect to the network according to the service providers’ pre-defined business rules. From a security standpoint, this is beneficial, and it makes over-the-air updates easier to perform.
5. Once deployed, manage devices remotely
Network connections are never perfect. Outages and faults happen. When they do, they can leave users unprotected and vulnerable. Device makers can help their customers by provisioning their systems with network diagnostic features and the ability to switch to back-up connectivity. These systems let a user define a back-up MNO subscription. This way, if the operational MNO’s coverage fails, the device will switch to an alternative subscription. No need to send technicians.
The consumer electronics and IoT marketplace is full of innovation. Manufacturers are constantly dreaming up new products, and improving existing designs. But manufacturers clearly face threats from cyber hackers and increased pressure from regulators to protect end users.
Their best response is to build strong security into their products at the design stage. They must also make it easy for every user of their devices – at any stage of the lifecycle – to protect their devices too.