Article posted: Mar 10, 2017
By Marcus Hartwig, GM Americas
Google's Nest thermostat and other consumer IoT devices are flooding the market. By 2020, Cisco predicts 50 billion IoT devices will be connected. Not surprisingly, security is a major concern for these connected devices. After all, no one likes the idea of hackers infiltrating smart devices, like DVRs or cameras, the very devices that were hacked to bring down DynDNS last October.
This week, Google took a stand for security, announcing its Nest company will provide two-factor ID for its Nest Learning Thermostat, Nest Protect and Nest Cam products. According to CNET, Nest will offer a unique verification code sent to the user's phone via text to use with a regular password when logging in. Nest's hope is that by adding two-factor ID, it will be more difficult for hackers to access its customer accounts.
It's a great first step for Nest, but unfortunately the company is using a less inferior ID method – one-time passwords (OTPs).
Many of us in the security industry believe OTPs are far inferior to a true cryptographic logon using other two-factor IDs, such as smart cards, virtual smart cards or RFIDs. I wrote a blog last Fall applauding the National Institute of Standards and Technology's (NIST) opinion that SMS-based identification should be put to rest and suggesting the industry take it one step further to eliminate even less secure OTPs.
When NIST speaks out against a technology, everyone should listen. NIST guidelines are generally regarded as the gold standard for our industry (specifically around cryptography ciphers, key-length and more). SMS, like OTPs are simply inferior to a true cryptographic logon using smart cards.
If Nest truly wants to product its customers from data leaks via Nest smart products, it must consider more secure two-factor authentication methods. While the initial cost may be a bit higher to outfit customers with biometric or other safer two-factor technologies, it's worth the upfront expense to truly secure these smart devices from nefarious hackers.
Want to hear more about the much safer alternative of smart cards and how easily they can be managed? Contact us!