Security Should be a Factor
Apple has taken a fair share of criticism from tech writers lately because their HomeKit ecosystem hasn’t grown as fast as Amazon’s Echo ecosystem. But doing something right takes time. With the news of a massive internet outage yesterday carried about by a botnet of internet connected devices, this may get more visibility going forward.
Apple HomeKit devices are immune to the type of Mirai DDoS attack for many reasons that you can read about here. But quickly:
Apple’s emphasis on security and requiring an authentication coprocessor has slowed the number of HomeKit devices available compared to something like Amazon’s Echo. This is the main reason HomeKit has been getting so much criticism. And it’s not even Apple’s fault that device makers are dragging their feet in joining the program. Should Apple be blamed for holding hardware makers to a high standard of security? Tech writers should be hailing Apple as an example of doing it right and setting a proper example.
By comparison the Echo is running wide open for anyone to join. There are no authentication coprocessors, no prime256v.1 elliptic curve keys, no X.509 certificates. Of course Amazon’s device list has grown faster. It’s less secure. It’s like comparing one country that doesn’t require driver’s licenses to another country that does and noting how many more people drive in the one that doesn’t. That may be true but it ignores the issue of public safety.
To be fair, I’m not saying that Echo controlled devices took down the internet. What I am saying is that Amazon doesn’t make security demands on connected devices the way Apple does. An Echo controlled device isn’t inherently unsafe. It’s just that security is up to the device manufacturer. So it is buyer beware. So if you like that Echo, you had better be prepared to undertake a full product review before you bring anything into your home and attach it to Alexa.
With Apple's HomeKit, device manufacturers are not even allowed to join the program without building Apple’s authentication coprocessor into their device. All the buyer has to see is the little HomeKit symbol and it's good to go. It’s kind of like Apple’s App Store in that the burden falls on Apple to vet products up front as opposed to each consumer having to launch hours of product investigation.
So when all the news came out yesterday about zombie internet connected devices being the root cause of the attack, I wondered if security might finally get raised as a priority. I’m not worried about getting hacked, because I’m not using an Amazon Echo and cheap devices. But, it looks like all the people who don’t care about security can have an impact on everyone who does. And if that takes the internet down, it could be a serious problem.
- HomeKit devices don’t broadcast over the web. They communicate with each other directly via iCloud Remote.
- Apple requires an authentication coprocessor in all made-for-HomeKit devices.
- Unique keys and certificates are generated with each pairing.
- Made-for-HomeKit devices never use a default ID and password.
Apple’s emphasis on security and requiring an authentication coprocessor has slowed the number of HomeKit devices available compared to something like Amazon’s Echo. This is the main reason HomeKit has been getting so much criticism. And it’s not even Apple’s fault that device makers are dragging their feet in joining the program. Should Apple be blamed for holding hardware makers to a high standard of security? Tech writers should be hailing Apple as an example of doing it right and setting a proper example.
By comparison the Echo is running wide open for anyone to join. There are no authentication coprocessors, no prime256v.1 elliptic curve keys, no X.509 certificates. Of course Amazon’s device list has grown faster. It’s less secure. It’s like comparing one country that doesn’t require driver’s licenses to another country that does and noting how many more people drive in the one that doesn’t. That may be true but it ignores the issue of public safety.
To be fair, I’m not saying that Echo controlled devices took down the internet. What I am saying is that Amazon doesn’t make security demands on connected devices the way Apple does. An Echo controlled device isn’t inherently unsafe. It’s just that security is up to the device manufacturer. So it is buyer beware. So if you like that Echo, you had better be prepared to undertake a full product review before you bring anything into your home and attach it to Alexa.
With Apple's HomeKit, device manufacturers are not even allowed to join the program without building Apple’s authentication coprocessor into their device. All the buyer has to see is the little HomeKit symbol and it's good to go. It’s kind of like Apple’s App Store in that the burden falls on Apple to vet products up front as opposed to each consumer having to launch hours of product investigation.
So when all the news came out yesterday about zombie internet connected devices being the root cause of the attack, I wondered if security might finally get raised as a priority. I’m not worried about getting hacked, because I’m not using an Amazon Echo and cheap devices. But, it looks like all the people who don’t care about security can have an impact on everyone who does. And if that takes the internet down, it could be a serious problem.
RSS Feed