"Great user experience design is just hard, and yes, integrating security into a great design is also hard," he said. "Consumers will adopt the products with the best experience and the features they need at the price they can afford. Maintaining this balance isn't easy, but the companies that are successful with this balancing act, while making security features a priority, can win."
There is some good news among the bleak predictions, according to Gary McGraw, CTO of Cigital and a long-time advocate of "building security in." McGraw said that the FTC, under its previous CTO Edward Felten and current CTO Steven Bellovin, "has been extremely active in security and software security. Those guys are guru-level experts."
McGraw said that while security improvements in smart devices are "not going to happen overnight," there is progress in "important areas, like mobile security." Like Cohen, he said progress in appliances like refrigerators can come later. "You take care of the stuff that matters first," he said.
There are mixed views about whether that is happening. The FTC's Ramirez asserted at the recent conference that "companies that don't pay attention to their security practices may find that the FTC will." She cited a recent settlement the agency reached with TRENDnet after a hacker was able to break into live feeds from 700 of the company's security cameras and make them available on the Internet.
But there were no reported financial penalties in that settlement. TRENDnet is barred from misrepresenting that its software is secure, and it must address security risks, help customers fix their software and obtain an independent assessment of its security programs every two years for 20 years.
And Schneier and Heffner said they have not seen any progress in improving security. "The market just isn't there," Schneier said in an interview.
Heffner said he is "very encouraged by the FTC's recent actions and involvement, and I think it's a step in the right direction. However, I can't say that I've seen any sweeping changes in the security of embedded systems myself."
There is also a range of views on what can and should be done. SmartThings' Hagins said that before the FTC increases regulation, "we as an industry need to take a crack at self-regulation with a certification program that is similar to PCI-DSS" (the Payment Card Industry Data Security Standard, against which organizations that handle credit card and e-commerce transactions are assessed).
Heffner is dubious about the effectiveness of such an initiative. "The Internet of Things has been around for a long time — just without the silly name — and manufacturers have had years to regulate themselves," he said. "I think it's pretty clear that has failed. What is going to suddenly motivate them to start regulating themselves now?"