How to protect home devices and appliances from cyberattacks

Jan. 6, 2017
David West, Engineering Director, Icon Labs

In July of 2014, HP Labs did a study of 10 popular Internet of Things (IoT) devices and found security was shockingly bad. The researchers studied the connected devices, looking at end-to-end security capabilities including privacy protection, authorization, encryption, user interface protection, and code security. They found 70% of the devices had at least one major vulnerability. At the end of their study, researchers identified more than 250 vulnerabilities—an average of 25 per device.

Security was clearly an afterthought or not considered at all. That’s bad enough for a product engineer to deal with, but much worse for the unprepared consumer.

An average consumer, or even a security-savvy consumer, has little ability to know which brand of IoT device has better security or any at all, leaving the primary responsibility for securing their devices squarely with the original equipment manufacturer (OEM).

A compromised consumer device may have little impact on the device’s performance, and the consumer may not even realize their device was hacked. Should the OEM care?


On the surface, the hacked device may seem benign. But a device, like a smart refrigerator, may reveal Wi-Fi credentials to a hacker, giving them a beachhead from which they can then attack other, more critical devices on the network. So, it’s about more than just protecting the device itself.

It seems moments after a solution against digital invasion is in place, someone finds a way to circumvent it. Security is, in many ways, an ongoing, never-ending arms race, and hackers are adept at finding ways to exploit security vulnerabilities. The key is to add appropriate levels of security, making it more expensive for the hacker (in terms of time and computing resources) to exploit a device or system. Hackers usually go after the easy exploits. They avoid the challenges that offer little financial or ego benefit.

The first step for the OEM is to evaluate their device’s vulnerabilities, decide what to protect against, and determine how the economics of the device are affected.

Vulnerabilities in IoT devices

Design vulnerabilities are weaknesses resulting from a failure to include proper security measures when developing the IoT device. Examples of design vulnerabilities in HP Labs’ study include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols that send passwords and other sensitive information in the clear. Other, less glaring examples include devices without secure boot and devices that allow unauthenticated remote firmware updates.

Security capabilities

Adding a few basic security capabilities can make IoT devices dramatically more secure and greatly reduce the risk of falling victim to a cyberattack. These capabilities include:

  • Secure boot;
  • Secure remote firmware update;
  • Secure communication;
  • Data protection; and
  • User authentication.

[Note: This is a great checklist to have on hand if you are a healthcare organization involved in purchasing medical devices that will have internet-connection capabilities. Ask your supplier if the device has these protections.]

Secure boot

Secure boot utilizes cryptographic code signing techniques, ensuring the device only executes code produced by the device OEM or other trusted party. Use of secure boot technology prevents hackers from replacing the firmware with malicious versions, thereby blocking a wide range of attacks.

Secure firmware update

Secure firmware updates ensure device firmware can be updated, but only with firmware from the device OEM or other trusted party. Like secure boot, secure firmware updates ensure the device is always running trusted code and block any attacks attempting to exploit the device’s firmware update process.

Secure communication

Utilization of security protocols like TLS, DTLS, and IPsec adds authentication and data-in-motion protection to IoT devices. Because data is no longer sent in the clear, it is much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.

Data protection

Security protocols provide protection for data while it is transmitted across networks, but they do not protect the data while it is stored on the device. Large data breaches often result from data recovered from stolen or discarded equipment. Encryption of all sensitive data stored on the device provides protection should the device be discarded, stolen, or accessed by an unauthorized party. For instance, most office, business, and personal printers have an integrated drive inside storing tens of thousands of documents.

User authentication

Weak or non-existent user authentication recently resulted in thousands of IP cameras with well-publicized default passwords being enlisted in a high-profile Denial of Service attack (known as the Mirai botnet infestation). A strong user authentication method is a clear requirement for device security.
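The default-password weakness described above can be closed on the device itself. The following is an added example, not code from the article or from any product: a device account whose factory password only unlocks first-time setup, with salted password hashing and a lockout counter. The class name, the list of defaults, and the thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values; a real product would ship its own policy.
KNOWN_DEFAULTS = {"admin", "password", "12345", "root"}
ITERATIONS = 100_000   # PBKDF2 work factor (assumed)
MAX_FAILURES = 5       # failed attempts before lockout (assumed)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class DeviceAuth:
    """Hypothetical credential store for one device account."""

    def __init__(self, factory_password: str):
        self.salt = os.urandom(16)
        self.digest = _hash(factory_password, self.salt)
        self.must_change = True  # factory credential is valid for setup only
        self.failures = 0

    def _check(self, password: str) -> bool:
        # Constant-time comparison of salted hashes; plaintext is never stored.
        ok = hmac.compare_digest(_hash(password, self.salt), self.digest)
        self.failures = 0 if ok else self.failures + 1
        return ok

    def set_password(self, old: str, new: str) -> bool:
        if self.failures >= MAX_FAILURES or not self._check(old):
            return False
        if len(new) < 12 or new.lower() in KNOWN_DEFAULTS or new == old:
            return False
        self.salt = os.urandom(16)
        self.digest = _hash(new, self.salt)
        self.must_change = False
        return True

    def remote_login(self, password: str) -> str:
        if self.must_change:
            return "setup-required"  # default password is useless remotely
        if self.failures >= MAX_FAILURES:
            return "locked"  # a real device would clear this after a delay
        return "ok" if self._check(password) else "denied"
```

Until the owner replaces the factory password, `remote_login` refuses every attempt, so a published default credential gives a network scanner nothing to log in with.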

The consumer

On an individual level, there is less we can do. If a company produces an insecure product, the consumer can either live with it or not buy it. For those products with built-in security, users must enable appropriate levels of security, change default passwords, and use strong passwords.

The cameras used as bots in the Mirai botnet infestation could have been protected from attack. Secure boot, a firewall, or intrusion detection could each have individually prevented the takeover of the cameras that enabled the attack. These have the benefit of not requiring the user to remember passwords or unique logins. For as little as 1% of the price of the device, this public disaster could have been avoided.


Security is a requirement for all consumer IoT devices, no matter how small or seemingly insignificant. By adding a few basic capabilities, the security of any device can be significantly increased. These solutions, including Icon Labs’ Floodgate Security Framework, are effective in blocking cyberattacks and can be utilized in very resource-limited IoT devices.
