In our company we’ve reviewed the security of a large number of consumer electronic devices and helped a wide range of manufacturers and operators to understand all aspects of securing their products and systems.
We help protect the connected electronic devices that increasingly form a critical part of our lives from being used to attack us. From automotive In-Vehicle Infotainment systems to smart TVs, security is often an afterthought at best.
More often than not, though, we hear the same question from consumer electronics companies: “Why would we want to add security?”
The consumer product manufacturer point of view
For those of us who work in this industry, this question is not surprising.
From a consumer manufacturer’s point of view:
1. Time-to-market is critical and being late can mean the difference between a whole product line succeeding or failing
2. Cost is critical and per-product profit margins are very slim. When you’re making a large number of devices then every cent of cost really matters
3. Skilled people are limited and therefore expensive (see 2.)
4. Most consumers don’t understand the implications of an insecure product so won’t pay for security (even though there is evidence that they are deeply concerned about their personal privacy)
The immediate judgement could therefore be that improving the security of our devices can take time and money and could make those devices less competitive in the marketplace!
This can result in the view amongst many consumer manufacturers that consumer security is not a high priority when developing a product (especially if you take a short-term view as is common in the industry).
Very often, even things like brand reputation protection and the security of their own revenue streams are not considered!
How much security?
On the other hand, there is a lot of hype in consumer security. For example, the risk of your internet-enabled fridge within your home network being used to attack you is probably quite low. Even the risk of your smart electricity meter being used by robbers to find out when your house is empty is probably very low (it would be easier just for them to stand outside!).
That is not to say that consumer products don’t have risks – it’s just that as an industry, consumer electronics companies are traditionally not good at recognising them. They make brilliant devices that usually improve our lives but they’re not security companies.
For example, if those same smart meters contained the ability to switch off your power supply (and that of everyone else who had one installed) then the security risk to us is much, much greater.
Risks are also hard to determine and can depend on the product use case. For example, a smart TV that records and transmits audio insecurely to a remote server will not pose a real general security risk to the majority of the population, but what if that TV is in a politician’s office and being used to spy on them?
What is important to remember is that the amount of security should be proportionate to the risk and consumer product companies need to better understand their risks.
Most security issues in consumer devices are concerned with protecting consumer privacy or revenue streams. The cost of fixing problems during product design is usually a lot less than many companies expect and much less than the resulting damage that may occur to the brand.
Most products we see could easily have been fixed early on by understanding the risks and adding simple, pragmatic, commodity, often free, security improvements. Retrofitting security or rebuilding reputation, on the other hand, takes a lot more time and money.
Even products with higher risk such as smart meters, home network routers, smart energy systems and connected home security systems can save costs in the long run. Incorporating secure product development processes results in security just becoming part of the product and not an add-on.
There are signs that things are changing. High value brands and industries that may have particularly high liabilities (e.g. automotive) are starting to recognise and take security much more seriously. Industries such as smart home, building and energy are also waking up to the potential threats and seeking advice.
However, many high-risk consumer electronics companies are still slow off the mark. We still hear regularly about insecure home network routers and smart security systems. Hopefully the combination of media hype, consumer pressure and potential regulation will improve this situation in future.
MathEmbedded has been heavily involved with consumer security for many years and has recently created a consumer product security health check service to help companies to understand their risk.