Security and smart appliances.

At Fresco, we work with the world’s top appliance brands, operating in millions of homes. But even these established companies have to constantly contend with what it means to have complete security for their connected appliances. I've been working with the connected home for 10 years, and in that time I’ve seen all the ways that security flaws can be manipulated.

From careless security design to botnets hijacking consumers’ bandwidth to take on a behemoth like PayPal, connectivity in the home has been harmed by past mistakes. For the kitchen, we’re already in a potentially dangerous room, and for appliance makers who have held safety as a top priority since we started cooking indoors, security is the new frontier. One they have to wrestle with and weigh the best options for, from cost to convenience.

What are the main security concerns for smart appliances?

The number of households with a smart appliance is expected to reach 339.6m users by 2026, and with that growth inevitably come security concerns.

Consumers love the convenience and power of internet-connected devices, but rarely understand the depth and breadth of the information exchange it takes to make them run smoothly.

The truth is, brands bear the burden of ensuring that their users are safe and when they fail at that mission—whether it’s the fault of a targeted attack, or simply a lax password set by the user—it can result in a short-term media nightmare or more importantly, a complete loss of consumer trust.

For example, a massive distributed denial-of-service attack, or DDoS, in 2016 on Dyn, a company that manages internet infrastructure, took down websites including Spotify, PayPal, Reddit, and Twitter, and was traced back to the connected devices within the home that were not secure.

In the 2016 attack, hackers were able to flood Dyn’s servers with traffic, until they collapsed under the load, by harnessing consumers’ bandwidth via their devices. They were able to access web cameras, smart fridges, and even baby monitors, to infect them with malware called Mirai, putting the manufacturers of those products in the spotlight with consumers who had trusted them in their homes.

Brands investing in simple security measures, like secure passwords and third-party security certification, could have prevented this from ever happening.

Security through obscurity for connected devices.

Some manufacturers have unfortunately prioritized speed to market and low cost over security. These outdated software stacks and poor engineering choices leave back doors and vulnerabilities. Some take a security-through-obscurity approach, which hides security flaws rather than resolving them and relies on no one knowing they’re there to prevent attacks. It’s like hiding your treasure under a tree in the forest. It’s perfectly safe until it isn’t.

Safe by design is always best.

Kitchen appliances are inherently risky (they have motors, blades, and heaters), so even before taking security for connectivity into account, they have to be certified for safety in the relevant legislative region before they have any chance of reaching consumers. These processes provide a trust mark, like the CE marking in the EU, that consumers come to expect. Ensuring kitchen appliances are safe has always been an element of their design.

The design of how appliances can be controlled remotely, or accessed by the internet, needs to be equally carefully considered from the start. The EU, U.S., Japan, and Canada have their own standards for inspecting and verifying the safety of appliances, and awareness is necessary for bringing secure appliances to a global market.

Although existing safety standards address remote control capabilities in general, internet security is such a new and changing field that regional legislation struggles to stay up to date. In this case, a commercial testing laboratory has taken the unorthodox step of establishing its own, which has become the de facto standard for internet security in the smart home. UL’s IoT Security Rating assesses critical security aspects of smart products against common attack methodologies and known IoT vulnerabilities, to create a ‘security baseline’ among the consumer IoT industry.

These certifications range from bronze to diamond, with bronze-certified devices required to meet standards such as disallowing default passwords, using secure communication connections, and being able to securely remove all sensitive data with a factory reset. Leveraging this rating can help appliance brands achieve product differentiation and protect their customers. For instance, GE Appliances, a company we’ve shipped integrations with since 2017, became the first household appliance brand to achieve gold-level certification from UL in May 2020.

Standards and testing methods like these are a step in the right direction for the smart home industry as a whole and empower customers to make informed choices. But knowing what can compromise your appliance or device is the key to building security into the DNA of your product, versus reacting to vulnerabilities as they’re uncovered along the way.

Looking to the smart kitchen for IoT security done well.

When it comes to the smart home, the kitchen is by necessity the epitome of a secure room. Kitchen brands have safety in their DNA and know the importance of consumer trust. At the same time, the popular use cases of matching users with the recipes, ingredients, and results they expect are well understood, have modest computing requirements, and are readily secured.

The optimal chipset for devices varies from ovens to microwaves to countertop appliances. Fresco has been working for over 10 years to evolve the technology approach that brings consumers closer to the brands they trust the most in their homes. This takes testing, monitoring, and updating to always use the best option in terms of performance, ease of use, and keeping the bill of materials cost down.

Finding the balance between simplicity and capability took time, but our favored chipset is not only cheaper to use but designed to be safer from these kinds of attacks from the ground up. 500k of memory is enough to keep the appliances running smoothly, and support the latest security standards, but is still 2,000 times less memory than the smallest, simplest mobile smartphone, guaranteeing that code is lean and clean. Efficient, capable, secure.

Building these software-security frameworks into the hardware of connected appliances paves the path for easier security down the road, and an awareness of this security by design is crucial in launching an appliance that consumers will love.

If you’re interested in how we help our partners to think about security for connected appliances in a way that works for their hardware, software, customers, and brand, get in touch and we’d be happy to help.

About the author.

A software developer, security expert, and enthusiastic cook, Tim Redfern co-founded Fresco (formerly Drop) in 2012 and developed the firmware and electronics of the original Drop Scale. As Fresco’s Head of Innovation, Tim helps Fresco’s partners connect their appliances to the Fresco KitchenOS platform.

Tim Redfern, Head of Innovation and Co-founder at Fresco