Retail Observer

OCTOBER 2017 RETAILOBSERVER.COM 47 A s homes fill with increasingly more connected devices, the risk of a security breach keeps growing exponentially. The situation has become serious enough that experts are suggesting Congress make security laws to keep consumers safe. It's easy to see how this latent, broad-scale vulnerability could spiral into a genuine societal problem. In some ways, a smart home breach is the worst hacking of all. Your bank can figure out pretty quickly that you probably didn't empty your debit card, halfway across the globe, on purpose. But what happens when a lock gets hacked and nobody's home? Worse, what if children are home? Making sure that questions like these never come up is the most mission-critical challenge facing the companies that make, sell, and install smart home technologies. Failure on this single issue could easily derail what is estimated to be a trillion-dollar market. BI Intelligence forecasts that there will be 22.5 billion IoT devices by the year 202. But it's all at serious risk if consumers, businesses and governments come to believe that connected things are, in fact, making our society less secure. Many already do. On the consumer side, the potentially hackable IoT landscape already comprises many thousands of different products; some from long- established home technology leaders, others fresh off a Kickstarter campaign. All of these devices, whether custom- or DIY-installed, communicate with each other (and ultimately, with the Internet), through one or more wireless protocols, such as Z-Wave, ZigBee, Bluetooth, Wi-Fi, EnOcean and others. The protocols themselves are generally strong and feature built-in security—the industry standard is AES-128 encryption. However, the methods that individual brands and smart home systems use to transmit data and instructions via these protocols, both inside and outside the home, can vary greatly in sophistication— and unfortunately, in attention to security. In many cases, consumers invite their own security breaches by simply being unaware and not properly securing their home networks. For non-technical users, it's not (yet) commonly understood that IoT objects are as accessible to malicious activity over the Internet as an unprotected desktop computer. As just one unhappy example, many usernames and passwords for Internet-connected smart home devices never get changed from the factory defaults of "admin" and "password." But beyond these basic precautions homeowners often don't take, serious and alarming vulnerabilities in IoT 'things' are more widespread than is generally recognized, and attackers can invade from multiple directions. A breach can come remotely through the cloud, or from an attack on individual local devices like window sensors and door locks. Passwords and PIN codes can be intercepted and copied within the several short seconds it takes to include new devices to a smart home system. In some crude system implementations, smart devices actually send unencrypted signals to each other with regularity. Rock-solid protection against most cyber intrusions will one day be a given; consumer will demand it. However, in these early days of this technology, IoT safety has yet to become a front and center concern for manufacturers, retailers and installers. It absolutely should be a concern, because right now invulnerability is a bigger selling point than functions, ease or price; all three of which have been fueling the current smart home boom. For retailers, being able to explain and help customers understand the need to secure their smart home should be priority. Among the various smart home protocols, Z-Wave is the longest established, and as a result, has invested the most focus on cyber protection. The technology's most recent implementation for security, called S2 Framework, secures communication for both individual devices, and cloud communications. When new local devices are included into the network, a QR or PIN code is required on the device itself, so there's no window of unencrypted activity for hackers to exploit. For cloud-accessible systems, the S2 technology routes all communications through a secure transport layer security (TLS) tunnel. Security measures taken by smart home companies need to pre- empt the two biggest common hacking methods. 'Man in the middle' attacks are well-described by their name; the hacker tries to intercept communications between two points and alter them. Likewise, 'brute force' attacks are just what they say; automated, exhaustive attempts to try every possible data combination to break into the system. Consistent, pervasive encryption is the only real deterrent against these breaches and hijacks. Soon, all smart home systems, regardless of brand or protocol, will be expected to include measures against these attacks. In the meantime, new IoT devices and solutions keep hurtling to an exploding and unsuspecting market. All of them are bringing delightful new conveniences to an eager consumer base. The winners in this space won't just be the companies with the flashiest apps or the sleekest sensors. The winners will be the companies that can successfully do the dirty work of keeping the smart home clean. Mitchell Klein is the executive director at Z-Wave Alliance, and a results-driven leader in the CE and smart home industries with over 30 years of experience. Klein is a sought-after speaker, panelist, and spokesperson at Smart Home and IoT events and conferences world-wide. www.linkedin.com/in/mitchellklein2 Mitch@Z-WaveAlliance.org RO

• Cover