28 February 2018
As much a matter of course as electricity, light and running water: Smart Home applications are a megatrend. Researchers assume that houses which organise themselves will be the norm in a few years. But are Smart Home products really reliable and secure? And what happens to all the data that get collected? It’s questions like this that concern consumers, manufacturers and technology providers such as TÜV NORD. Expert on functional security Matthias Springer sets the record straight concerning current vulnerabilities and future developments.
In early November, a man from the town of Pinneberg in Schleswig-Holstein had some trouble with the Alexa digital assistant from US company Amazon. The manufacturer’s promise is that Alexa will turn your home into a Smart Home. A simple verbal command causes the garage door to open, the shutters to go down or the TV to switch on. But, for this user, something altogether different happened: One Saturday night when the Alexa user was not at home, the voice service became autonomous. Alexa started playing music at ear-splitting volume - until the neighbours called the police, who had to break down the door to deal with this breach of the peace. It was later reported in the media that a third-party app was to blame.
For functional security and IT expert Matthias Springer from TÜV NORD, the case highlights some fundamental problems: Smart Home products such as Alexa don’t always work as promised, and there are still issues “with the functionality”. “A customer buying something like this will also ask themselves who’s actually doing what with their data and whether the product is compatible with their other devices and apps,” says Matthias Springer. The challenge for the manufacturers is to allay these concerns - especially as Smart Home products are increasingly being integrated into everyday life. Users can already make use of specific applications using apps or voice commands to control their heating, doors, windows, blinds and lighting. Smart refrigerators and coffee machines which can detect a shortage and independently send off an order and washing machines which automatically adjust the water supply and the washing cycle time are also already on the market.
Certificates for Smart Home applications
Matthias Springer and his colleagues at TÜV NORD test and certify, among other things, Smart Home products. They are not looking merely for flawless performance. “We think in terms of both IT security and mechanical safety, which we combine under the umbrella term Security4Safety,” Matthias Springer explains. “Without security there can be no product safety. A lot of vulnerabilities and hacker attacks can moreover be traced back to security holes in hard- and software. Which is why IT security needs to be taken into account and verified right from the stage of product development.” This would reduce the risk for companies of subsequent recalls and compensation claims.
This comprehensive check is, broadly speaking, still voluntary, as there are hardly any statutory regulations that currently address it. TÜV NORD believes that this needs to change: through a mandatory audit of IT security in the overall context of safety.
The certification process at TÜV NORD happens like this: A manufacturer hands over its product to TÜV NORD. Matthias Springer and his colleagues then run a check of its hardware and software. “I look at the architecture of the component, its communication channels and, of course, the protection measures that have been implemented.” The procedure for software is similar: Here, for example, the source code submitted by the manufacturer is analysed. As a general principle, TÜV NORD can only test what is in front of it. What the manufacturer holds back remains untested.
Smart Home: As much a matter of course as electricity, light and running water?
The current mega-trend for Smart Homes will become the norm in German households in the future: such was, at any rate, the forecast of Bernhard Rohleder, Chief Executive of the BITKOM digital association, in early 2017. And yet, statutory regulation is lagging behind innovation. This is in part because the workings of the market are still very opaque. Justice and Consumer Protection Minister Heiko Maas (SPD), for instance, declared in February 2017 that he saw no need to intervene in legislative terms. “I think it's better to wait and see which products will prevail,” he said. For consumer protection agencies and security experts, however, this is not an adequate response. The German Federation of Consumer Organisations called for a “comprehensive review of the legislative framework for Smart Home products and applications” in September 2017. It considers that such a review should focus particularly on the identification of liability loopholes in contract law. In plain language: clarification is required as to who will be liable if, for example, Alexa starts playing music so loudly of her own volition that the police need to intervene - the user or the manufacturer? “There are loads of issues that are so new that they aren’t yet regulated by statute law. This is having a negative impact on customer confidence,” says Matthias Springer. This is a problem that is set to become a burning issue for the future. After all, even though Smart Home applications are still not very widespread, Springer also assumes that the Smart Home will become a matter of course in just a few years.
© TÜV NORD
Matthias Springer, 35, landed at TÜV NORD right after he graduated in 2008. As project manager for “Security4Safety”, he and his team are responsible for the development of services for Industry 4.0 against the backdrop of digital transformation – with the aim of merging the two values of security and safety. What makes his working day so exciting is the lure of the unknown: “What motivates me is helping to create new things and pushing ahead with their development,” says Matthias Springer.