The internet of things (IoT) is poised to transform the residential market with connected digital technologies that offer comfort and convenience and improve energy efficiency. Its role in the Build to Rent sector is proving especially important for giving property owners the opportunity to deliver on those promises. However, IoT security remains a serious concern that needs to be addressed in order to innovate without adding risk.
What security risks does IoT hardware present?
Every connected device is a potential entry point for attackers. In the old days, these devices were largely confined to servers and workstations, and more recently, mobile devices such as smartphones. However, IoT devices, regardless of their application, are embedded computers in their own right – and like any other computer they collect data and transmit it over networks. Moreover, the number of IoT devices is soaring constantly, surpassing 12 billion globally.
You have probably already heard about cases where hackers have managed to gain control of internet-connected cameras on devices like laptops or baby monitors. In another case in January 2022, a 19-year-old security researcher reportedly hacked into 25 Tesla cars using a widely available open-sourced hacking tool. In the context of residential IoT, hackers might target smart heating and lighting systems to determine whether or not a resident is at home, or target connected door locks to gain physical access to a building.
Hackers might also try to exploit an IoT device as an entry point to the wider network, which is exactly what happened to a Las Vegas casino in 2017 – when a hacker targeted a connected fish tank to gain access to the venue’s high roller database. In the case of residential IoT, they may attempt to access a device to spread ransomware, cryptojacking malware, or even hold a home to ransom by locking the doors until the resident pays up.
These are just some of the innumerable threats facing residential and other IoT systems. That said, while they might sound deeply disturbing, these threats should not be taken as a reason for property owners to eschew IoT innovation. After all, the advantages of IoT in the Build to Rent sector are undeniable, and with the right strategy, their use can actually enhance overall building security while also making residents’ experiences more comfortable. For example, a keyless entry system does away with the risk of lost or stolen keys, and digital access rights granted via a smartphone can be revoked immediately if a device is reported lost or stolen.
How to secure residential IoT networks and devices
Given how new residential IoT is, there is relatively little regulatory oversight applied to smart devices. Most vendors are primarily focussed on areas like energy efficiency and convenience, but while obviously important, these should never come at the cost of IoT security and privacy.
The first step towards safely implementing residential IoT is to choose your vendors carefully. Some vendors rush devices out onto the market without paying adequate attention to security. When new devices are released and old ones rendered obsolete, vendors may stop providing critical security fixes and other updates. This also applies to IoT management software, which is why property owners should only work with vendors that fully comply with industry standards and offer attractive service level agreements (SLAs) and support lifecycles.
The next step is to lock the front door, so to speak. All IoT devices are connected to a router, which serves as the primary entry point to the wider network. If an attacker can gain access to the router, then they could gain full control over every device connected to it. To protect the router, you should never use default admin usernames and passwords and only use complex alphanumeric passwords that are immune to guessing or brute-force attacks. If you also want to provide internet access to communal areas of your building, you should set up a guest network that is logically separated from everything else.
As for IoT devices themselves, the same rules apply. Never use default names or passwords, and only ever choose devices that are fully compliant with data security and privacy laws like GDPR. All devices should also encrypt any data they store or transmit, especially if they are intended to handle potentially sensitive data. Another thing to be wary of is cheap IoT devices, especially unbranded ones, which are often highly vulnerable legacy devices that have been retrofitted. Finally, ensure that all IoT device vendors you buy from have an impeccable track record when it comes to security and customer service, and they never use unsigned firmware or outdated authentication and communication protocols.
The next step is to ensure that any software you or your residents use to access your building’s IoT systems is compliant and secure. It should be easy for property managers to set the rules, such as who can access which residential units and when any such credentials expire. End-to-end encryption and multifactor authentication (MFA) are both a must, since the last thing you want is unauthorised users accessing your IoT systems. It should also be quick and easy to revoke access rights if, for example, a device that residents use to access and manage their smart homes is reported lost or stolen.
One easy and effective way to gauge an organisation’s security posture is to ask for a SOC2 (Service Organizations Controls 2) report before doing business with them. SOC2 reports are a measure of a vendor’s capabilities across five areas known as Trust Services Criteria. They are privacy, security, availability, processing integrity and confidentiality. Vendors that have received a SOC2 compliance certificate only do so after exhaustive independent evaluation, making a certification proof of how seriously they take security.
Seeking the balance between risk and innovation
Property managers can leverage residential IoT systems to uphold environmental, social and governance (ESG) commitments as well as enable better resident experiences. However, this does not have to come at the cost of security, provided they carefully evaluate their vendors and take steps to apply multiple layers of protection to their networks.
STRATIS RealPage powers smart buildings, such as Build to Rent properties, to create a more sustainable living environment that enhances resident experience and helps operators meet their ESG goals. Contact us today to learn more about our resident experience platform.