This week’s scary IoT hack involved connected stuffed toys for children. The details of the hack show that Spiral Toys, the maker of the hacked CloudPets toy, treated security as even less than an afterthought. Not only did a contractor for the company’s app leave the buyers’ account credentials in an unsecured database, but Spiral Toys also didn’t even implement basic Bluetooth security.
This toy exemplifies the put-a-chip-in-it or put-an-app-on-it mindset that led us to where we are today. We have millions of devices that represent a fundamental security threat for users and for the internet as a whole. This is not hyperbole. This is a basic fact of life.
To get out of this mess, manufacturers have to think about how to secure a connected product from the get-go. They have to think about building a secure app, storing data securely in the cloud (and on the device), as well as basic network security and encryption of data in transit. This is not a simple task, and it should begin at the product’s inception.
Historically, consumers haven’t wanted to pay for this level of security, which meant that manufacturers didn’t add it. But forgoing security isn’t an option when you connect something to the internet. A $40 CloudPet that doesn’t have security has a cost that others will have to pay for.
Good security costs a lot. It’s not enough to secure the hardware. Supporting a cloud service and an app means that security is a daily battle, especially if the device gets popular or presents an enticing target (like a door lock).
To get a sense of what good security costs, I asked a few companies what they spent. Most didn’t want to put a number on it or detail their efforts because secrecy helps maintain their security. But a few did share some insights to show how much security for a connected device can cost.
For example, Honeywell’s new camera products that will be out later this month cost $6.33 to secure, according to the product rep I met on the show floor at CES. He explained that the cost was divided into four parts: on-chip security that authenticates each device to Honeywell’s servers, a secure boot that’s part of the chip, end-to-end AES-256 encryption, and a secure SD card on the device. The cameras cost $120 or $170.
Chris Rill, the CTO of Canary, an all-in-one security product, wasn’t as prepared. When I asked him about the cost of security as part of the Canary, he estimated it was around $30 over the life of the device. Part of Rill’s challenge was that Canary budgets for ongoing penetration testing and other security costs over the life of its products, which means the cost is a moving number.
August, the maker of the smart lock of the same name, didn’t want to share a specific number, but a spokeswoman emailed me the following response, “August has invested hundreds of thousands of dollars using a well known security auditing firm under retainer that does regular security audits of the August Access system and devices.”
Specific numbers aside, it’s clear that these companies are taking security into account from the beginning and throughout the life of the product. In some cases, they have had to patch vulnerabilities discovered in their products, but the key is that these companies have fixed them and allocate resources for that.
In contrast, the maker of the CloudPets product apparently knew about the database hack for well over a month and had not taken steps to fix the issue or communicate with its customers. In this case, the cost of security may have been more than Spiral Toys was willing to pay, which means the entire industry is going to pay for it instead.