Blog: Consumer Advice

Which IoT product should I buy?

Ken Munro 01 Aug 2017

I’m asked daily by friends, consumers and journalists to recommend secure IoT products. It’s one of the most difficult questions to answer in consumer IoT, as the range and variety of security found is enormous.

However, here are a few answers to the question that may help, together with some basic security advice around IoT.

1. Do you need it?

Does it solve a genuine problem, or is it just marketing fluff? So many IoT devices solve problems that we simply don’t have. Don’t get me wrong; I think there is huge potential for IoT in assisted living, energy efficiency and healthcare, but do you really need to be able to boil your kettle remotely?

Are IoT manufacturers simply exploiting our desire to buy geeks technical gifts because we can’t think of anything better? I would love to know what percentage of the functionality of an IoT device is actually used after the initial excitement of setting it up. How many people play with Alexa for a few days, then simply get bored of using it?

2. What if it goes wrong? Will your cat die?

In the past, we had clockwork cat feeders, used a cattery or simply arranged for a neighbour to feed our pets when we were away. Now we have the option to use a smart pet feeder, giving us additional control over the feeding process.

That’s great, but what happens if the servers hosting the API fail? That never happens, right? It does happen, even to AWS. The service goes down and your pet starves.

What if your home Wi-Fi goes down? What if the manufacturer of the device goes bust or decides the service isn’t viable any more? Dead cat or useless feeder? These things have happened:

  • The Revolv app and hub don’t work anymore since Google’s Nest acquired them [Revolv]
  • Now You Too Can Starve Your Pet With the Internet of Things [Gizmodo]

We need to exercise significant caution when we outsource our responsibilities to ‘smart’ devices. In healthcare, there’s a bit more control, fortunately.

3. If you do need that gadget, which devices are likely to be secure?

This is a really tough question: in my experience to date there has been little correlation between price, brand and security.

I’ve seen critical security flaws in big name brands, including those advertised heavily on TV. We’ve also seen cheap clone products that are more secure than the brand they plagiarised from!

One area where we have seen a difference is in the response of the manufacturer to security flaws. Larger brands have a vested interest and greater resources to put things right.

Small brands (e.g. one-product IoT startups) have less at stake and fewer resources to fix issues, though some have been very responsive to security bugs.

So, one is perhaps better off in terms of security buying from a larger brand name.

4. Check for updates, for the app AND the device

Keeping IoT products up to date is essential – any security flaws found will be fixed with an update. This can happen in a couple of different ways:

Update your mobile app and check to see if there are security fixes for the product too. Sometimes these will be ‘pushed’ from the phone to the IoT device.

However, some updates are pushed ‘over the air’ direct to the IoT device. Check the instructions to see how yours is updated.

One of the best ways is for the IoT product to proactively check for updates on a regular schedule. For example, the ‘Ring’ wireless doorbell checks for an update each time it is pressed.

Ensure your phone allows the IoT app to check for updates and apply them as soon as you’re alerted.

5. Passwords

I know, it’s boring. However, a weak password is often the easiest way to hack an IoT product. Did you set a strong, complicated and UNIQUE password that you haven’t used elsewhere?

If you haven’t, DO IT NOW.

Then go and get a free password manager to make your life easier.

Finally, it’s worth checking if your IoT app allows two-step verification (a one-time SMS code to your phone) or allows you to use an authenticator app.