Posted by Andrew Rose on July 1, 2014
I recently visited a trade show dedicated to physical security.
Almost every vendor was advertising IP-enabled ‘smart’ technology, with accompanying apps, that would log and alert on access or motion, prevent tail-gating, recognise smartphones or RFID tags, or track faces or number plates automatically. The sheer number of CCTV vendors alone was stunning, although, truth be told, as a physical-security novice, I struggled to spot any discernible difference between them all!
There were firms that were crossing over into ‘smart home’ technology – selling a series of sensors to control temperature and light; detect issues such as movement, flooding or smoke; and remotely unlock the front door of homes, or secure areas. Although mainly sold on a ‘home security’ premise, these systems were also cleverly brought together into packages which could be used to monitor the activity of an elderly relative, sending alerts if regular patterns of behaviour, or safe limits, were transgressed (e.g. has the shower been on too long, suggesting a fall? Has the box containing essential pills been opened at around the right time? Has the front door been opened at 2am? etc.)
I spoke to six or seven vendors of similar technology sets and asked how they managed the logical security around their product. Almost every response began with a pause... then came, “well, you know that nothing can ever be totally secure”, and then they abruptly ended with “we have encryption!”. It became abundantly clear that few, if any, vendors had thought through the logical security issues and none were including it in their sales training. Other responses, somewhat worryingly, included “our engineers look after that”, “they wouldn’t let us sell it unless it was secure”, and the classic “I’m sure it’s fine...”
Even when I changed tack and started asking about data privacy, and EU Data Protection compliance, the puzzled looks didn’t vanish – if anything, the confusion got worse. It was like going backwards in a terrifying time machine, to the days before security awareness and regulatory compliance. One vendor I spoke to stated that, as a specialist S&R analyst, I was “three steps ahead” of their company in terms of security thinking and general paranoia. It’s disappointing to note that he was right, but that wasn’t preventing them from successfully selling their products via an ever-increasing channel.
It’s deeply troubling, but perhaps not unexpected, that the Internet of Things (IoT) is arriving with a fanfare of functionality, but seemingly lacking many basic controls. As we increasingly rely upon these technologies to secure our homes, and protect our families, vendors need to realise that the stakes are rising and that yesterday's levels of care and due diligence are no longer sufficient. Losing millions of credit cards might be perceived as harmful to a brand, but most firms survive and thrive again because customer damage is easily repairable and largely non-personal; wait until that security breach means the customer’s home or car becomes insecure due to a logical fault, missing patch, or data corruption, and they lose physical assets or their safety is endangered – then we’ll see what brand damage really means.