As the interest in smart home solutions grows, an increasing number of householders are looking at various options for systems and service delivery. Much of their attention is focused on the consumer market, often with a focus on the Internet of Things (IoT) and connected devices. However, given concerns over the security of such equipment, it makes sense for installers and integrators to offer these customers reliable systems based upon intruder alarms.
Currently the mainstream media includes almost daily reports addressing the challenges, risks and potential weaknesses of systems designed for smart home functionality. The overnight emergence of smart home systems and IoT-connected devices has brought with it a raft of problems, often due to the immaturity of that specific market sector, combined with a certain level of naivety on the part of the customer.
One of the issues with manufacturers in the consumer sector is that their emphasis is firmly upon delivering a simple-to-configure and easy-to-use product that places convenience above resilience. The smart home products are typically designed to be installed and configured by the customer, and therefore the required technical and IT-based skills are aimed at the lowest common denominator.
The downside of this approach has been widely reported, with general doubts being raised about the suitability of many products. Because of the emphasis on convenience, security of the devices or the infrastructure they are connected to is often underplayed. This is in order to deliver a plug-and-play system that requires minimal user intervention. This often goes as far as allowing the device to operate either on default login details or without any authentication implemented at all.
This means it is a relatively straightforward task to ‘sniff’ out the devices via the Internet and either attempt a login using the manufacturer’s defaults, or carry out a relatively basic brute force attack. This latter approach is a trial-and-error method using common passwords. Basic tools for this purpose can be downloaded from the web, and carrying out an attack does not require a sophisticated understanding of coding.
Interestingly, the true cause of many of the problems associated with smart home and IoT systems is user error. Of course, the error in question is not taking the security of the device seriously and ignoring the fundamental need to implement robust authentication. Whilst many will retain default logins for ease of use, even more will fail to implement even the simplest steps to reduce the attack surface of the device.
Despite this, if a smart home or IoT system includes a security element such as basic intruder detection or video surveillance, the attacks are typically reported as ‘CCTV systems’ or ‘burglar alarms’ being compromised. Such media coverage never points out that the compromised devices are not part of a professional system, nor do they explain that the vulnerabilities have occurred as a result of end-users ignoring advice and common sense with regard to basic security steps.
The current situation will impact on the professional security systems industry. This is because many leading manufacturers now offer intruder alarm systems that incorporate added value and customer benefits such as home automation, power management, remote connectivity and control of third-party consumer devices and appliances. Because these systems are designed first and foremost for security, they are not susceptible to the typical weaknesses of consumer-based products. For many domestic consumers, this is a point of significant interest.
A recent report by Beecham Research highlighted a growing customer demand for smart home systems that are secure, and cites the need for robust and hardened products and services across the entire supply chain if the sector is to meet its growth predictions.
The report goes on to point out that whilst connected appliances, including home security, entertainment, lighting and heating, are already growing in popularity with householders, there is a deep concern about security and privacy. It also indicates that user fears could even hold up the wider adoption of these technologies.
The popular systems are designed to establish connections between a variety of devices, creating a network that can include power management, media streaming, appliance control and security. If an exploitable vulnerability exists in any of these devices, it puts the entire system at risk. For example, if a central hub is still operating on default authentication, or if weak authentication is implemented, then a cyber attack could take control of any system element. That obviously includes the security element of the system.
Manufacturers of IoT-based systems generally try to meet a very wide range of customer demands, and this includes a variety of communications options. These multiple connectivity routes might give the system a wider appeal, but they also serve to increase the attack surface. To enhance ease of use, consumer-based manufacturers will rarely implement a high level of security on the various connectivity options, requiring the customer to ‘enable’ the options they prefer.
Instead consumer manufacturers typically leave all options open to make initial setup a quicker and simpler task. However, this approach can only be secure if the customer then disables all connectivity options they are not using and ensures that those that are in use are hardened.
Unfortunately the vast majority of householders implementing smart home technology lack the expertise to properly secure their systems. This is not helped by the trend towards minimal instructions and the fact that many consumer manufacturers do not want to highlight negative points. As a result, customers are rarely given clear and accurate instructions about system hardening.
Additionally, a number of manufacturers in the consumer space are eager (some might say over-eager) to cash in on the smart home technology boom. As such, the development of products is often rushed and the emphasis is placed on matching the functionality of their competitors rather than delivering a more secure product. Whilst this ignores the concerns of the customer base, manufacturers often have a philosophy of grabbing market share with the ‘wow factor’ of their products, with a thought of increasing security later. Because of the pace of change of the technological landscape, this later moment often doesn’t arrive swiftly enough.
While many of the organisations in the smart and connected industries acknowledge that more needs to be done with regard to security and privacy, the security industry – and specifically the intruder alarm sector – can not only offer flexible levels of functionality and a host of connectivity options, but also has inherent security and privacy measures built in as an integral and essential part of its systems.
Ahead of the game
Of all the security disciplines that exist in the systems-based markets, intruder detection and alarms is the one most often associated with the term ‘grudge purchase’. Whilst the benefits of alarm systems are obvious to those in the know, the sales message for those in the residential sector is not a great one.
Domestic customers are offered two choices: the first is to invest in a system which, when an intruder is inside their home, will sound an external siren that many people will probably ignore. The second is to supplement the initial investment with a recurring payment for remote monitoring, signalling to an ARC once an intruder has effected an entry. Unfortunately a high percentage of householders are aware that the likelihood of a timely police first response is minimal. Mainstream media coverage highlighting the lack of police resources has seen to that!
In either scenario the customer can feel as if a timely response is unlikely, and as such they can struggle to see the ‘value proposition’ in such an investment. This is increasingly true with young and middle-aged professionals who are prolific users of online and connected technologies. Independent research has shown that often home security is a concern for them, but the lack of perceived value in alarm systems is a barrier to investment.
Because of today’s technological landscape, customers want to be empowered. They want direct and full control of systems and services they use, and they expect added value and flexible benefits. Whilst the ‘traditional’ alarm system did not offer this, today’s more flexible solutions have it in spades.
There are now a number of flexible intruder alarm options available from the established professional manufacturers. These are typically built upon an established robust and reliable alarm system platform. Advances in processing power mean that many control panels can deliver the full complement of security features and functions, but can also support additional functionality such as home automation, video streaming, energy management and remote connectivity without affecting security performance.
The interface with the system is also more flexible, allowing a wider range of control and user interaction. Alongside keypads and prox tags, many manufacturers also offer smart controllers and apps for mobile devices. Whilst some apps only offer keypad emulation, the more progressive manufacturers now supply apps that allow more flexible control and access to additional benefits.
This enables domestic end-users to decide upon the level of security they require, and to add relevant features and functions that further enhance the protection on offer. The power of the system can be further exploited to add ‘lifestyle’ benefits. These allow alarm systems to compete on a like-for-like basis with many IoT-based products. Functionality such as the automation of appliances and other devices, power management, control of heating and lighting, the setting of household modes and the use of AND/OR logic are all available, making such systems a true household management tool.
The fact that end-users want smart and connected solutions for their homes is not in doubt; their biggest reservation with such technologies is security and privacy. Because the smart system offerings from security manufacturers are based upon graded alarm systems, these concerns are immediately addressed. Additionally, because the systems require professional installation, the onus is not on the customer to ensure the system is robust and resilient to attack.
For installers and integrators these new alarm systems not only offer benefits for the domestic sector, but often include integration tools that allow automation and power control to be offered to commercial premises where appropriate. Because they are based upon established security technology, for the engineer the familiarity of a product and its programming processes is retained.
There is also an option for engineers to ‘upsell’ the various smart features and functions to customers with legacy systems where the relevant platform is in use. It makes sense to ascertain whether a manufacturer is delivering their connected options on a new hardware platform or on their existing control panel hardware. If it is the latter, then there is a great potential for upgrade contracts.
Whether correct or incorrect, customers will have perceptions about alarm systems. Simply telling them these are wrong will not win contracts. Instead it is better to address their concerns with positive options. This is entirely possible if the installer or integrator is offering a well-designed professional system.
When presenting these options to potential customers, installers and integrators must remember the importance of underlining the ‘value proposition’. A customer who understands the benefits of the system, and can see how they will fit into their lifestyle, will always be more willing to invest.
Whilst systems will still offer bells-only or remotely monitored operation, the addition of apps and additional communications paths allows the user (or other nominated and authorised persons) to receive real-time status updates about their alarm system and their home. Push notifications allow the system to inform them of any incidents or events, rather than them having to interrogate the system to find out what’s going on.
This goes some significant way to addressing concerns about responding to alarms. Incidents can be visually verified, and the customer is empowered to make important decisions. In the vast majority of cases when there are no alarms, the automated communication can deliver peace of mind. It also serves as a regular reminder that their alarm system is working for them!
With a more traditional system, the only interaction a user has is setting/unsetting or dealing with a negative issue: a burglary or a system fault. In such circumstances it is easy to see why the system is not ‘valued’. However, with a smart or connected system the customer interacts with it numerous times a day, often for positive reasons. This regular interaction for a variety of reasons increases perceived value. If you consider smartphones, users often value them for the variety of benefits and services they offer rather than the fact they can make and receive calls!
Some customers will want benefits such as home automation, lighting control and appliance management. Others will prefer communications options, such as receiving notifications that the children have returned from school or that an elderly relative is up and about. Typically installers and integrators will be able to use the same products to address both needs, such is the inherent flexibility of the new breed of systems.
For many years the domestic marketplace has been a frustrating one for installers and integrators involved in intruder detection systems. The small percentage of householders who opted for alarm systems often demanded the lowest costs yet had the highest expectations. In some cases, after an installation company had invested time and resources in designing systems and presenting quotations, they would finally opt for a DIY kit.
Whilst the industrial and commercial sectors often understand the risks and are therefore more willing to invest in credible professional systems, the domestic market has typically shown minimal returns. However, with demand for smart and connected systems – and secure smart and connected systems at that – the new breed of intruder alarms offers great potential.
Installers and integrators must ensure they stick with professional manufacturers whose smart systems are based on proven control panels, and they must also address any negative perceptions that the customer has. By combining the right solution with the right sales message, smart home automation could be the feature that dramatically expands residential contracts.