Smart security products and your home security
As part of National Home Security Month, Michelle Kradolfer, the Secured by Design National Manager, looks at the use of smart products in the home and the risks that they can pose.
When you think of traditional home security, the first products that probably come to mind are burglar alarms, security lighting, CCTV and deadbolts. But security products have evolved to now include smart security cameras, video doorbells, locks, plugs and bulbs to name but a few.
There is no doubt that the rise of the Internet of Things (‘IoT’) and smart devices has revolutionised the way we live our lives, at home and at work, with many smart devices allowing you to control them remotely. However, with the increase in IoT products available and a growing ecosystem of interconnected devices, cyber criminals are targeting and exploiting vulnerabilities in the products and within their apps, as most are mass-produced without security being at the forefront.
All smart security products are meant to give you more control over, and information about, the safety of your home. Smart security simply means that you can control the security product from any internet connected device. All are operated via associated apps, meaning you can protect your home from anywhere in the world, as long as you have an internet connection.
But from a security viewpoint, these items are far from smart and introduce as many security issues as they appear to resolve. Many smart devices may be insecure when they are first switched on, so you'll need to take some quick steps to protect yourself.
- If the device comes with a password that looks easily guessable (for example admin or 00000), change it
- Easily guessable passwords can be cracked by cyber criminals, so make sure you choose a secure one. Advice on what makes a secure password can be found on the National Cyber Security Centre’s website https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
Some smart locks even let you create ‘virtual keys’ so friends and family can enter the home when you’re not there, and many cameras can be trained to recognise familiar faces and alert you to strangers. However, accessing your devices like this can make it easier for other people online to access them without your permission, so make sure you have changed default passwords and enabled Multi-Factor Authentication if available. Multi-Factor Authentication provides a way of 'double checking' that you really are the person you are claiming to be, and makes it much harder for criminals to access your online accounts, even if they know your password.
You must also make sure your Wi-Fi router has a unique password, as this is an easy access point for a cyber criminal to get on to your “home network”.
When shopping for smart home security products, you should pay attention to product compatibility (can devices talk to each other?), ease of use, mobile app functionality and battery back-up features. If you are not sure how many devices you need, look out for ‘starter kits’ that are sometimes better value than buying individual devices.
As with your computers and smartphones, installing software updates promptly helps keep your devices secure. For each of your smart devices, you should:
- switch on the option to install automatic updates (if available)
- install any manual updates when prompted
- make sure your device's operating system is up to date
Many apps and smart devices use what is known as “shadow IT”. This is where a device piggy-backs or shadows the capabilities of another enabled app. It is therefore important that you check the functionality that you permit. For example, do not accept “location tracking” where it is not necessary for your specific purpose; do not share your “contacts” with apps that aren’t specifically for your communications.
It is also important to remember that if you link your smart devices to Alexa or other ‘virtual assistants’, any voice can activate them, even from outside if they shout loud enough!
Secure Connected Device accreditation for IoT products
The Product Security and Telecommunications Infrastructure Act 2022 has been enacted into law, requiring manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products available in the UK. Compliance with this law is required by 29th April 2024.
This law applies to all consumer IoT products, including but not limited to:
- connected appliances, such as washing machines, fridges and coffee machines
- connected children’s toys and baby monitors
- wearable connected fitness trackers
- outdoor leisure products, such as handheld connected GPS devices that are not wearables
- connected cameras
- TVs and speakers
- smart home assistants
- connected safety-relevant products such as smoke detectors and door locks
- connected home automation and alarm systems
- Internet of Things base stations and hubs to which multiple devices connect
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in response to the pending legislation for IoT products. The SBD Secure Connected Device accreditation scheme has been developed in consultation with the Department for Science, Innovation and Technology (DSIT), who support industry schemes which help consumers make better informed choices when buying connectable devices.
The SBD Secure Connected Device IoT Device Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become an SBD member, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
Why is it important to buy Secure Connected Device accredited IoT products?
In 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home. This detected more than 12,000 scanning or hacking attempts in a single week! Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ to accessing and stealing personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.
The risk of a cyber attack or breach against an IoT device can be reduced as Secure Connected Device accredited devices have been tested to ensure they have been built to the required security standards.
The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
Secured by Design continually monitor national crime trends to keep pace with changing patterns of criminal behaviour and new technology, ensuring that standards are updated to reflect these changes.
How can I identify a product or service that has achieved the Secure Connected Device accreditation?
All products and services which have achieved the Secure Connected Device accreditation will have the Secure Connected Device logo displayed, giving you the reassurance that it meets the rigorous requirements of the initiative. All Secure Connected Device products and services are also listed on the Secured by Design website https://www.securedbydesign.com/secure-connected-devices.
Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with a key to enable them to access and steal personal data. It is therefore vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber crime.
Companies accredited to this new Secured by Design standard are leading by example and are at the forefront of the IoT revolution. In doing so they will help to keep their customers and the public safer from the risk of a cyber breach.
Secured by Design
For nearly 25 years, SBD has operated an accreditation scheme on behalf of the UK Police Service for products or services that have met recognised security standards. These products or services are known as being of a ‘Police Preferred Specification’.
There are many hundreds of companies who produce thousands of individual attack-resistant crime prevention products which have met the exacting standards of the Police Preferred Specification. This includes doors, windows, external storage, bicycle and motorcycle security, locks and hardware, asset marking, alarms, CCTV, safes, perimeter security products and many others.
Find details of products that have achieved the Secure Connected Device accreditation here.