How many people it takes to screw in a lightbulb depends on the joke you’re telling.
But it only takes one hacker with the ability to access a poorly secured, smart lightbulb in your house to screw with the laptop you’ve been using to work remotely.
Properly securing internet-connected devices is no joking matter for the ioXt Alliance, a Newport Beach-based collection of top-level tech firms that’s looking to create the go-to, universal security standard for protecting all types of Internet of Things-enabled devices.
Large security breaches can start with small, often overlooked objects that are connected to a wireless network, officials note.
“Sometimes when you’re breaking in, it’s not just about breaking into a lightbulb. It’s using that lightbulb to get a foothold into your home network, to then maybe snoop the traffic that’s coming off your work laptop,” ioXt Chief Technology Officer Brad Ree told the Business Journal on Aug. 17.
It’s not just lightbulbs that can be turned on and off by your Amazon Alexa or other home automation systems that are danger points. Imagine hackers snooping on your family through a baby-monitoring camera or by cyber-sneaking through other interconnected devices—ranging from smart home networks to cellphones to smart TVs to portable medical devices—in homes, businesses, vehicles and schools.
“When a hacker gets control of a device, any information that might be populated through that account is certainly potentially exposed to the hacker,” said Dana Tardelli, chief operating officer of ioXt. That means username, password and financial credentials could be compromised, according to Tardelli.
Transparency, Product Assurances
IoXt aims to prevent those types of occurrences by, as it states, “defining industry-led global security standards that can be tested at scale.”
The alliance has formulated an eight-point security pledge for its members to follow; key items include no universal passwords for devices, as well as upgradeability and transparency to keep consumers informed and to protect privacy.
“With significant revenue on the line, companies are recognizing the need to provide transparency and assurance to those using or selling their products,” said Ree, who holds over 25 patents and who has developed communication systems for AT&T and General Electric, among others.
The alliance is the brainchild of Orange County entrepreneur Gary Jabara, founder and chairman of Newport Beach’s Mobilitie LLC, the country’s largest privately held wireless infrastructure company (see list, page 22).
IoXt was formed in 2018. It is seeing its role grow as the market for IoT—the field of technology that connects everyday objects to the internet—continues to expand. Recent reports project the IoT market will reach $2.4 trillion by 2027.
IoXt currently counts more than 250 members, a mix of manufacturers and service providers that include some of the biggest technology companies in the world.
Last week saw Amrit Agrawal, principal security architect at Amazon for its Alexa voice service, named to the alliance’s board; other board members count ties to Google, Silicon Labs, Comcast, T-Mobile, Resideo and Legrand.
“We are becoming the global standard for IoT security,” said Jabara, who sees a “massive” market for the alliance’s services, which include certifying IoT devices that meet specific security requirements.
He sees the group’s potential value running well over $1 billion once its operations and certification efforts ramp up.
This month the alliance announced the first batch of devices to be certified under its security program.
They include a set of Pixel phones from Google, an automotive Wi-Fi hotspot device from T-Mobile, a development platform for adding Bluetooth connectivity made by Silicon Labs, as well as several smart home products.
IoXt said four authorized labs are being used as exclusive test providers. Devices receive the ioXt SmartCert after meeting or exceeding the requirements in a designated product category, “giving consumers and retailers greater confidence in an interconnected world,” it said.
Certification fees are expected to be the primary source of revenue for the alliance; initial funding is being provided by founding members of ioXt, according to officials.
“We don’t charge membership fees for the member companies that join and help drive and promote the standard,” Tardelli said. “Where we do collect fees is as manufacturers will apply the standard and get certified—those manufacturers are the ones that pay.”
Industry watchers believe a main challenge for the group will entail getting so many manufacturers to adhere to security specifications when new products are coming out every day, especially in a world where hackers seek to stay ahead of device protections.
Coordination with foreign regulators also may be an issue.
“It would be worth watching to see if they stay independent or if companies like Google get in early and steer the direction,” said Bil Harmer, chief information security officer and chief evangelist at identity security software maker SecureAuth Corp. of Irvine.
Harmer said he applauds the effort and will be “rooting for them” to succeed.
“IoT poses threats at scale never seen before,” Harmer said. He added that “IoT will be a massive unmanageable minefield if we don’t get the device makers under some form of standards early.”
Mike Gentile, chief executive of cybersecurity firm Cisoshare in San Clemente, said the ioXt Alliance is a good step in the right direction by establishing best practice standards for security.
“With that said, it is important to be mindful that these standards, and specifically the eight standard areas that drive the certification, are only the first step to keeping the consumers that use them secure,” Gentile said.
“They will require ongoing security resources and skill set at these certified entities in order to remain in compliance over time.
“There is a lot of work to be done in the cybersecurity discipline, still a lot of risk, but when I see efforts like this I like our chances,” the Cisoshare chief said.