That has been the mantra of security guru Bruce Schneier, chief security technology officer at BT, for some time. In a blog post this past August, he said everything from consumer devices to massive industrial control systems has "long been hackable."
Why? Schneier blames both consumers and manufacturers, but mostly manufacturers. "Security is very hard to get right," he wrote. "It takes expertise, and it takes time. Most companies don't care because most customers buying security systems and smart appliances don't know enough to care."
Perhaps, at least so far, they have not been given reason enough to care either. While there have been impressive, and disturbing, demonstrations of how easily a skilled hacker can take control of home automation systems, including heat, air conditioning and door locks, there has so far not been any major consumer panic over those risks.
Consumers should not be expected to know enough to care, according to Schneier. "A lot of hacks happen because the users don't configure or install their devices properly, but that's really the fault of the manufacturer," he wrote. "These are supposed to be consumer devices, not specialized equipment for security experts only."
The standard response of manufacturers of smart devices has long been that making their products truly secure would make them too difficult for consumers to use — that security would undermine convenience.
Aaron Cohen, founder of The Hacker Academy, sees some merit in both arguments. While he has long been an advocate for building security into products, he said there has to be a balance between security and convenience.
"Most people put functionality ahead of security," he said. "If you make your TV so secure that you can't turn it on and off, you're not going to sell many of them. If you unplug everyone's computer, you'll make them secure, but you're not going to get any work done."
Cohen advocates a Secure Software Development Life Cycle (S-SDLC) using the methods of the Open Web Application Security Project (OWASP), which he said addresses the "low-hanging fruit" risks. He also said he thinks the industry should set priorities, with more focus on securing devices that lock or unlock a home than on those that turn the heat up and down, or on a television.
He said much of the risk analysis can focus on financial incentives. "Until they (hackers) can monetize breaking into your TV, is that really the best way for them to make money?" he said.
Jeff Hagins, CTO and founder of SmartThings, who was also on the panel at the FTC workshop, is one of many who say security vs. convenience is a false dichotomy. Hagins told CSO he thinks it is cost, more than convenience, that trumps security, but that both can and should be a priority.