i3 | January 04, 2021

Whiskey, Hackers and the Devil’s Share

by Mike Bergman

How can you tell if a connected gadget has been hacked? You might not see it when the device gets compromised. But it can be costly.

It’s a little like when whiskey is aged in barrels. The “angel’s share” is the part that evaporates through the wood. It’s invisible, but a few percent — by volume — per year of aging is lost this way. Distillers willingly give up the unseen angel’s share because the whiskey becomes smoother as a result, but that invisible tradeoff costs them a significant amount of their product in a 12-year aging process.

Separately, a retailer recently commented that cybersecurity issues “just don’t seem real.” That is, when connected home products are hacked, the compromise is invisible; it is difficult to know that they’ve been hacked.

Why Worry about It?

One reason is that hackers like to rewrite the software when they get “in” to a device. Unfortunately, that new, hacker-provided software may have bugs that cause problems, but the hacker only cares about stealing data or building a botnet. A hacked device only needs to work well enough to escape being replaced.

As a result, the hacked home gadget keeps working — but can have symptoms like odd behavior, failed features, slowdowns and freezes. When this happens, the consumer may return their new gadget to the store, or call the installer to come out and take a look at it. Those consequences are a sort of shrinkage, an increased cost of doing business. These costs hit the retailer, installer and manufacturer. There is also reputational risk for everyone, especially the manufacturer.

And consumer perception has been shifting away from buying connected home products without some assurance. One survey, “Consumer Attitude Towards IoT Security” from Karamba Security in November 2019, found that most consumers reported that they will only purchase a connected device after researching the product’s security (23% of respondents), or will not purchase a connected device at all (51%). That’s nearly three in four saying that security matters, and it is an indication of potential lost sales.

These hacker-induced costs of doing business are like the angel’s share, in that they are an invisible loss. But nothing gets better when hackers compromise a customer’s device. Maybe these losses should be called the “devil’s share.”

At this point, we turn to the development teams to take action. See our feature on page 20 for how cybersecurity is impacting the retail channel.

The experts who develop CTA cybersecurity standards are working on these issues. Development teams can now refer to the new cybersecurity “Baseline” for connected devices, CTA-2088 (“Baseline Cybersecurity Standard for Devices and Device Systems”).

The CTA baseline is a clear, unambiguous list of cybersecurity capabilities that any connected consumer device should have, whether thermostat, fitness tracker, oven, security camera or smart TV. And it has the potential to be very effective. A recent study of nearly 200 hacked devices showed that over 95% of those hacks would have been stopped had the device met the baseline requirements in CTA-2088.

The word “baseline” implies “minimum.” Everyone should at least meet the baseline, to protect their products, brand and customers. Excellent companies will exceed the baseline, of course, and some are even making their technology and expertise available to their vendors and customers to improve the ecosystem.

The baseline, CTA-2088, was developed by the R14 WG1 security working group. It is applicable to most connected devices including smart home products. Some markets or sectors need more in their baseline. Two CTA working groups are dealing with the specifics of drones (R14 WG3) and consumer robotics (R14 WG4). Contact standards@CTA.tech for more information.

Discussions at CES 2021 will examine cybersecurity strategies.
