They're pretty much all of the same risk type. There are a couple companies out there that are doing connected smoke alarms and thermostats and the alerting-type systems, which are fairly unique in that they will ride on your existing Wi-Fi network; however, if you don't have a Wi-Fi network, or if you choose not to use it, they will create their own Wi-Fi segment [using Wi-Fi Direct] so they can communicate with each other and provide access through a single keypad. Those are really nice because they mitigate risk by segmenting them from your Wi-Fi network.
Do you personally use any of these gadgets and services we discussed?
I do not personally use them, because I don't trust them.
What's the most important advice you can give consumers who are diving into the IoT?
There'd be two things: Put [the IoT devices] on a separate network, on a VLAN; and only communicate to them with a VPN. Don't allow any non-encrypted traffic to communicate with them. So segment them and communicate with them over a VPN. Use different user IDs and passwords. And use complex passwords. Alphanumeric, upper case, lower case, special characters. Not just "12345" for a password. Complex passwords.
Secure your environment. And don't have your alarm system, your heating and air conditioning system, on the same internal network as your PCs. If they are easily hacked — and they are — and attacked, you don't want them to be on the exact same network.
You can put them on a virtual network using all of the consumer-based switches and systems that are readily available out in retail stores. Configure a virtual local area network (VLAN) to secure your environment.
The average consumer is not particularly security-savvy. They're probably not going to use a VPN or a VLAN, or turn off the broadcast function on their Wi-Fi router. With that in mind, do you suggest that consumers avoid IoT devices, or connected home devices, altogether at this point? Is the risk too high to justify the potential gains?
That or engage a professional to install security measures for you. Let's say you do that. I have my home security system, I've tightened down my Wi-Fi and everything. Like you said, the average consumer is not security conscious. They pay somebody else to do that for them.
Then they drop their phone somewhere and it doesn't have a PIN on it. They have applications on their phone that allow them to control all of their IoT devices. We have to start securing our mobile devices even more critically because all of the applications are there to control our entire lives. And yet, statistics show that more than 80 percent of people don't even put a PIN on their phone. I was in a meeting of about 25 CFOs of multi-million-dollar accounts, just this week. I asked how many of them had PINs on their phones, and less than half a dozen had PINs.