How Can Companies Make IoT Products More Secure?

A panel of cybersecurity experts addressed a range of issues during a forum at the Consumer Technology Association's annual trade show, CES.
By Mary Catherine O'Connor
Jan 11, 2016

It's not difficult to find stories about consumer-goods companies that have introduced Internet-connected products only to suffer either a direct financial loss due to a criminal cyber-attack, or a reputational hit through a white-hat attack publicly exposing serious data vulnerabilities.

Last fall, security researcher Matt Jakubowski showed that he could eavesdrop on a family via Mattel's Hello Barbie doll, which connects to a home's Wi-Fi network to enable a cloud-based service that listens to what a child says to the doll and then generates responses. Toymaker VTech suffered an even worse attack, when a hacker showed that he had accessed the names, e-mail addresses, passwords and home addresses of 4.8 million parents who had bought connected toys for their children.

So what should companies that are currently selling or are planning to sell connected products do to ensure the privacy of their customers' data, and to reduce their own corporate risks? On Wednesday, Jan. 6, a panel of cybersecurity experts explored those questions during a cybersecurity forum held at the Consumer Technology Association's annual trade show, CES, in Las Vegas.

Brian Krebs, who writes about cybersecurity at, says manufacturers of consumer goods are under pressure not only to ship new electronic products quickly, but also to add increasingly more features to each iteration. "They then ship the products with those features enabled, while it would be far better to have the consumer enable them," he says, citing what he considers a common-sense first line of defense to product security, since some consumers would not turn on sensors or radios in those devices unless they needed to do so in order to initiate the services that such devices provide.

Loading a product with features that collect and share data increases what cybersecurity experts call the attack surface—that is, the breadth of digital pathways into the product or the data streams it generates, and through which a nefarious party could compromise the device's security. So Krebs believes manufacturers ought to be more thoughtful about what features they add to products in the first place, and should not assume that they could add adequate security protections to those devices after they are already in consumers' hands.
