This article is the second in a two-part series. Read the first part here.
by David West
Unlike enterprise and PC security, where the responsibility lies mainly with the end user organization, security for the smart home is primarily the responsibility of the OEM building the devices. However, the OEM is not solely responsible. Everyone involved in the development and deployment of the device plays an important role.
The role of the OEM
The OEM plays the primary role in security. They are ultimately responsible for specifying security requirements, implementing security in the smart home devices, and testing to ensure security requirements are met under a variety of conditions. The OEM is also responsible for selecting the operating system and processor, and for using security protocols, secure authentication, and protection mechanisms, such as an endpoint firewall. The OEM must also check and recheck their application-level software for vulnerabilities that could be exploited in a determined attack.
The role of the OS vendor
While it is the role of the OEM to select the operating system, the OS vendor (or open source community creating and maintaining the OS) is responsible for ensuring the security of the OS itself. Typical communication protocols and services are bundled with the operating system and often provide the main attack vectors for hackers. The OS vendor is responsible for ensuring the security of each of the components they provide.
The role of the chip vendor
Chip vendors also play a key role in embedded device security. They are designing and manufacturing processors with built-in code verification capabilities, physical tampering detection, and encryption engines. These features allow OEMs to develop and deploy devices that verify they are running authentic code and detect when someone has physically opened a device. Once one of these events is tripped, the device can shut down or report the event to prevent additional tampering.
The role of the specialized security companies
OEMs, end users, and even RTOS companies do not always have the expertise to ensure all aspects of device security are addressed. Companies specializing in embedded device security provide expertise, tools, specialized security solutions, and security audit services. These companies play a critical role in embedded device security by verifying compliance with security standards, providing education to OEMs and end users, and testing devices to ensure they are not vulnerable to cyber-attacks.
The role of the end user
The end user depends on the OEM to build smart home devices and networks equipped with adequate security capability. However, the end user must ensure the device is deployed in a secure manner. They must properly set complex passwords, enable authentication, and perform any other steps required for security. Most security breaches are caused by simple carelessness. People are prone to using weak or default passwords, leaving their device open to attack.
The role of the home service provider (cable company, broadband supplier, cellular phone company)
When smart home services are hosted by a service provider, the provider plays a key role in security. Service providers have the resources to ensure security is included in the network design and have enough market muscle to influence OEMs to build security into their products. An OEM is much more likely to implement security features for a service provider purchasing thousands of devices than they are to listen to an end user buying a single device. Service providers also ensure devices are deployed with secure passwords and with proper security settings. The network needs to be protected as well as the specific devices and other endpoints connected to the network.
The only way to ensure smart home security is through the coordinated effort of everyone involved in the development and use of the product. Unfortunately, no one group can, by their efforts alone, ensure a device is secure. However, a failure to implement or properly use security at any stage in the process results in significant security loopholes.
David West is the director of engineering for Icon Labs.