Export Compliance Daily is a Warren News publication.
Regulations Challenging

Concerns Over IoT Security Stifling Smart Home Adoption

Brad Ree, chief technology officer of the ioXt Alliance, warned last week of a legislative patchwork of security regulations in the U.S. as each state adds its own take. Speaking on a panel at Parks Associates’ Connections summit, he cited California SB-327, which took effect Jan. 1 and requires devices to have “a reasonable security feature or features that are appropriate to the nature and function of the device.” The bill was the impetus for the founding of the ioXt Alliance. SB-327 began as an effort by lawmakers to “do the right thing,” said Ree, but it left manufacturers questioning what they need to do. One of the bill’s stipulations is that there can't be a universal password, which is clear, he said, “but what’s reasonable, what’s not reasonable? What are the penalties if I do this thing wrong?”

The internet's international nature complicates the bill’s requirements further, Ree said. Regional regulations don’t solve the overall problem, create difficulties for manufacturers trying to build at scale, and “often contradict each other,” Ree said. The California bill “spread like wildfire through the states,” he said. Other states picked it up but wanted to “debate and add or change,” he said. “So what you see is SB-327 gets adopted by Oregon with a couple small twists,” he said. Then Virginia added its own twists.

As states try creating legislation based on the California law, each tweak to the password rules and other stipulations becomes a burden on device makers: “I challenge the light bulb manufacturer who is going to have to build the light bulb that follows the Mississippi password rules,” he said. “Regulations are good,” because they set boundaries, but “done without a proper back and forth with industry, [it] becomes challenging.” IoXt Alliance’s position is that regulations have to be “testable, scalable and customer-impactful,” he said.

Technology is usually a few steps ahead of regulation, said Paula Al-Soufi, F-Secure director-solution offering, which makes it difficult for device makers to keep pace. “By the time the regulation is out, it’s usually very gray, and then the manufacturers don’t know how to deal with it,” she said.

Consumer worries about privacy and security have ramped up in the past two years, said Al-Soufi, citing increased awareness of high-profile breaches. Company research shows four in five consumers don’t think device makers are doing enough to secure their products. She noted different approaches to securing consumer trust: through IoT security alliances, “bringing security into the product itself” or a holistic cybersecurity solution that covers all devices.

Consumers’ concerns about privacy and security are “adding friction” to sales of smart home products, said Ree. Over a third of consumers who don’t intend to buy a smart home product list privacy and security concerns as the top reason, said Parks analyst Patrice Samuels.

Another challenge, Ree said, is recommendations following high-profile security breaches telling consumers to buy products from known brands. That advice “is not necessarily true” and “stifles innovation,” he said. Many small brands are driving innovative solutions, he said: “If you just go buy the name brand because you think that’s secure,” that leaves consumers with “a false sense of security and totally reduces adoption rates.”

IoXt Alliance has about 300 members including silicon and device makers, wireless carriers and ISPs, retailers and industry organizations. The group is trying to “raise the bar” of security in connected products, “remove that fear and doubt among consumers,” provide “transparency” through certification and work with regulators worldwide to offer an “industry-led approach to regulations,” Ree said.