Why IoT Security is Vital for Protecting Smart Apartments

IoT transforming the multifamily industry with connected digital technologies that offer comfort and convenience while improving energy efficiency. However, IoT cybersecurity remains a serious concern that needs to be addressed in order to innovate without adding risk.

What security risks does IoT hardware present?

Every connected device is a potential entry point for attackers. Years ago, these devices were largely confined to servers and workstations and, more recently, mobile devices such as smartphones. However, IoT devices, regardless of their application, are embedded computers in their own right and, like any other computer, they collect data and transmit it over networks. The number of IoT devices is soaring constantly, surpassing 12 billion globally.

You have probably already heard about cases where hackers have managed to gain control of internet-connected cameras on devices like laptops or baby monitors. In another case in January 2022, a 19-year-old security researcher reportedly hacked into 25 Tesla cars using a widely available open-sourced hacking tool. In the context of multifamily IoT, hackers might target smart heating and lighting systems to determine whether or not a resident is at home or target connected door locks to gain physical access to a building.

Hackers might also try to exploit an IoT device as an entry point to the wider network, which is exactly what happened to a Las Vegas casino in 2017 when a hacker targeted a connected fish tank to gain access to the venue's high roller database. In the case of residential IoT, they may attempt to access a device to spread ransomware or even hold a home to ransom by locking the doors until the resident pays up.

These are just some of the innumerable threats facing residential and other IoT systems. That said, while they might sound deeply disturbing, these threats should not be taken as a reason for property owners and operators to avoid IoT innovation. After all, the advantages of multifamily IoT are undeniable. With the right strategy and research, their use can actually enhance overall building security while also increasing residents' comfort. For example, smart access takes away the risk and hassle of lost or stolen keys, and mobile access (using an app on a smartphone as a key) can be revoked immediately if a device is reported lost or stolen.

How to secure residential IoT networks and devices

Given how new residential IoT is, there is relatively little regulatory oversight applied to smart devices. Most vendors are primarily focused on areas like energy efficiency and convenience, and while very important, these should never come at the cost of IoT cybersecurity and privacy.

What are the steps to safely implement multifamily IoT?

1. Choose your vendors carefully. Some vendors rush devices out onto the market without paying enough attention to security. When new devices are released and old ones become obsolete, vendors may stop providing critical security fixes and other updates. This also applies to IoT management software, which is why property owners should only work with vendors that fully comply with industry standards and offer service level agreements (SLAs) and support lifecycles.
2. "Lock the front door." All IoT devices are connected to a router, which serves as the primary entry point to the wider network. If an attacker can gain access to the router, then they could gain full control over every device connected to it. To protect the router, you should never use default admin usernames and passwords and only use complex alphanumeric passwords that are immune to guessing or brute-force attacks.

   As for IoT devices themselves, the same rules apply. Never use default names or passwords, and only ever choose devices that are fully compliant with data security and privacy laws like GDPR. All devices should also encrypt any data they store or transmit, especially as they handle potentially sensitive data. Another thing to be wary of is cheap IoT devices, especially unbranded ones, which are often highly vulnerable legacy devices that have been retrofitted. Finally, ensure that all IoT device vendors you buy from have a great track record when it comes to security and customer service. They should never use unsigned firmware or outdated authentication and communication protocols.

3. Ensure that any software you or your residents use to access your building's IoT systems is also compliant and secure.It should be easy for property managers to set the rules, such as who can access which residential units and when any such credentials expire. End-to-end encryption and multifactor authentication (MFA) are both a must, since the last thing you want is unauthorized users accessing your IoT systems. It should also be quick and easy to revoke access rights if, for example, a device that residents use to access and manage their smart apartments is reported lost or stolen.One easy and effective way to gauge an organization's security posture is to ask for a SOC 2 (Service Organizations Controls 2) report before doing business with them. SOC 2 reports are a measure of a vendor's capabilities across five areas known as Trust Services Criteria. They are privacy, security, availability, processing integrity, and confidentiality. Vendors that have received a SOC2 compliance certificate only do so after exhaustive independent evaluation, making a certification proof of how seriously they take security.

Seeking the balance between risk and innovation

Property managers can leverage residential IoT systems to uphold environmental, social, and governance (ESG) commitments as well as enable better resident experiences. However, this does not have to come at the cost of security, provided they carefully evaluate their vendors and take steps to apply multiple layers of protection to their networks.