I was giving a speech last week, talking about mobile device security, and one member of my audience asked me this question. I gave the typical IT answer, “it depends,” and then realized I needed a little bit more of an explanation. Hence this post.
Yes, in general, Android is less secure than All The iThings, but there are circumstances where Apple has its issues too. A recent article in ITworld lays out the specifics. There are six major points to evaluate:
- How old is your device’s OS? The problem with both worlds is when their owners stick with older OS versions and don’t upgrade. As vulnerabilities are discovered, Google and Apple come out with updates and patches — the trick is in actually installing them. Let’s look at the behavior of users between the two worlds: The most up-to-date Android version, Nougat, has less than 1% market share. On the other hand, more than 90% of iOS users have moved to iOS v10. Now, maybe in your household or corporation you have different profiles. But as long as you use the most recent OS and keep it updated, right now both are pretty solid.
- Who are the hackers targeting for their malware? Security researchers have seen a notable increase in malware targeting all mobile devices lately (see the timeline above), but it seems there are more Android-based exploits. It is hard to really say, because there isn’t any consistent way to count. And a new effort at targeting CEOs with “whale” phishing attacks, or specific companies for infection, isn’t really helping: if a criminal is trying to worm their way into your company, all the statistics and trends in the universe don’t really matter. I’ve seen reports of infections that “only” resulted in a few dozen devices being compromised, yet because they were all from one enterprise, the business impact was huge.
- Where do the infected apps come from? Historically, Google Play certainly has seen more infected apps than the iTunes Store. Some of these Android apps (such as Judy and FalseGuide) have infected millions of devices. Apple has had its share of troubled apps, but typically they are more quickly discovered and removed from circulation.
- Doesn’t Apple do a better job of screening their apps? That used to be the case, but isn’t any longer and the two companies are at parity now. Google has the Protect service that automatically scans your device to detect malware, for example. Still, all it takes is one bad app and your network security is toast.
- Who else uses your phone? If you share your phone with your kids and they download their own apps, well, you know where I am going here. The best strategy is not to let your kids download anything to your corporate devices. Or even your personal ones.
- What about my MDM, shouldn’t that protect me from malicious apps? Well, having a corporate mobile device management solution is better than not having one. These kinds of tools can implement app whitelisting and segregate work and personal apps and data. But an MDM won’t handle all security issues, such as preventing someone from using your phone to escalate privileges, detecting data exfiltration, or stopping a botnet running from inside your corporate network. Again, a single phished email and your phone can become compromised.
Is Android or iOS inherently more secure? As you can see, it really depends. Yes, you can construct corner cases where one or the other poses more of a threat. Just remember, security is a journey, not a destination.
There is a new category of startups — like Lookout Security, NowSecure, and Skycure — who have begun to provide defense in depth for mobiles. Another player in this space is Check Point Software, which has rebranded its Mobile Threat Protection product as SandBlast Mobile. I took a closer look at this product and found that it fits in between mobile device managers and security event log analyzers. It makes it easier to manage the overall security footprint of your entire mobile device fleet. While I had a few issues with its use, overall it is a solid protective product.
You can read my review in CSOonline here.
I began a series of reviews for Network World on securing the smart home. These three articles were published earlier this year:
- Article #1: General issues (4/17)
- Article #2: Amazon Alexa vs. Google Home (4/17)
- Article #3: Linksys Velop router (5/17)
Since then, I have written additional stories, but before I introduce those I want to take a step back and review the decision process that I would recommend in terms of what gear you should buy and at what point during your smarter home networking automation journey. And let’s also take a moment and review the decisions that you have made so far on hubs and wireless access points and how these decisions can influence what you buy next.
While there is no typical decision process for this gear, here are a series of five questions that you should have begun thinking about:
- Do you already own a smart thermostat? If not, make sure you pick the one that will work with your hub device. Nest doesn’t work with Apple’s HomeKit, for example. I will talk about my experience with Nest in a future installment. Also, you might want to make sure that you can upgrade your older thermostat with something more intelligent, in terms of wiring and network access.
- Are you in the market for a new TV? If you are, consider what your main motivation is for buying one and which ecosystem (Apple, Google or Amazon) you want to join and use as your main entertainment provider. It used to be that buying a TV was a major purchase, but today’s flat screens are relatively inexpensive. Most new TVs come with wireless radios and built-in software to connect with Netflix, Amazon, and other streaming providers too.
- Are most of your cellphones Android or iOS? While many of the smart home products work with apps on both kinds of phones, that doesn’t necessarily mean that features are at parity between the two phone families. In some cases, vendors will prefer one over the other in terms of their app release schedule and that could be an issue depending on which side you are on. If you are serious about considering Apple HomeKit products, obviously you will need at least one Apple phone for managing its basic features. While Apple’s ecosystem supports the largest collection of smart home devices, overall, many of the smart home products will work on either Google Home or Amazon Alexa as well.
- Do you have sufficient wireless and wired infrastructure to support where you want to place all your devices? As I mentioned in my last installment, one of the major reasons for using a better wireless infrastructure like the Linksys Velop is because of its wider radio coverage area. Make sure you understand what your spouse is willing to tolerate in terms of wiring and AP placement too while you are assembling your new network requirements and scouting out potential AP locations around your home. As part of this decision, you might also need to upgrade your ISP bandwidth plan if you are going to be consuming more Internet services such as video and audio streaming.
- Do you have enough wired ports on your network switch? With all the devices that you plan on using, you probably are going to run out of wired ports. And while you might think that most smart home products are connected wirelessly, many require some kind of wired gateway device (the Philips Hue is an example here) that will consume a wired Ethernet port.
Those five questions should help get you started on your smart home journey. But before you purchase anything else, you might want to consider these security issues too.
- Do you understand the authentication requirements and limitations of each smart home app? One of the biggest limitations of the smart apps is how they set up their security and authentication. In many cases, the app can only use a single login ID and password. If you want multiple family members to use the app, you may have to share this information with them, which could be an issue. You might want to consider a document that lays out your family “rights management” — do you want your kids to be able to remotely control your thermostat or monitor your home security cameras? What about your spouse? This begs the next question:
- Who in the family is authorized to make changes to your smart infrastructure? By this I mean your network configuration and access to your computers, printers, and other IT gear. Again, in the past once this was set up it wasn’t often changed by anyone. But the smart home requires more subtle forms of access and this could be an issue, depending on the makeup of your family and who is the de facto family IT manager.
- You should plan for the situation when you (or another family member) lose a phone with all of your connected apps and authentication information. This is one of the major security weaknesses of the smart home: your apps hold the keys to the kingdom. Most of the apps automatically save your login info as a convenience, but that also means if you lose your phone, it can be a massive inconvenience. Some of these apps will only work when they are on your local network, but others can reach out across the Internet and do some damage if they fall into the wrong hands. Given how often your family members lose their phones (I know of one 20-something who loses her phone twice a year), this might be worthwhile. You might want to record the procedures for resetting your passwords on your various connected apps and other login information.
- What happens when one of your smart devices is compromised? The reports earlier this year about the compromised web server that comes with a Miele dishwasher are somewhat chilling, to say the least. How can you detect when a smart device is now part of a botnet or is running some malware? We will have some thoughts later in the series, but just wanted to raise the issue.
As you can see, making your home network smarter also means understanding the implications of your decisions and the interaction of products that now could create some serious family discussions, to say the least.
The remaining reviews in the series include:
If the Philips Hue smart light bulb is the first connected home product, probably the most desired home networking product is the smart thermostat. While Nest wasn’t the first in the field, it has become the market leader and was purchased by Google back in 2014. One of the reasons why I chose my test home in suburban St. Louis was because the homeowners already had one installed. I wanted to see how it would interact with the Google Home and Alexa Echo units and what other equipment it would integrate with.
Nest is like many smart home products: there is the actual thermostat itself, an attractive low-slung cylinder that has a built-in 480×480 pixel touch screen and a rotating collar for its main menu controls. Then there is a smartphone app and a web service. The apps run on both Android and iOS devices (iOS 8 or later, or Android 4.1 or later).
Nest can’t replace all analog thermostat installations, but there is this helpful page that will walk you through what you have now and how your existing thermostat is wired to figure it out. They also have an installation video and troubleshooting tips. My homeowners are moderately handy and they had no issues getting it installed. In my informal poll of other Nest users, I didn’t hear any horror stories either.
Once you wire it up to your HVAC system, you have to download its app to your phone and get the software set up. That took about 15 minutes. You can control up to 20 different thermostats in two different locations from one app and one account. Unlike other smart home products, Nest allows this account to grant access to two users with two separate email addresses. You still may want to use a throwaway email address to share among your family, if they have authority to change your home temperature conditions. It connects to your home network via Wi-Fi and, like other products, initial setup is via Bluetooth.
We set up the Nest with both Alexa and Google Home. Nest doesn’t directly work with Apple’s HomeKit although there is this workaround. We also set up Nest with the ADT Pulse alarm system app that was installed in our test home. More on these connected apps in a moment.
Nest calls its product a learning thermostat, and this is because it automatically figures out your usage patterns on a daily basis. For example, the new generation units will light up to greet you when you come home. You can wait a couple of weeks for it to learn your schedule, or set up a typical schedule like any programmable thermostat. But unlike an analog thermostat, it has a series of sensors, as you might imagine. Besides temperature, it also measures humidity, activity and ambient light. That means it can make smarter decisions about your occupancy and usage patterns. That is one of its chief selling points.
Nest has some built-in routines that help you save money on your heating and cooling bills, called Nest Sense. It has all sorts of automated routines here. One is called Eco Temperatures. Basically, you set up a temperature range that your home will operate at, and if no one is home that is the default mode of operation. Others are called Cool to Dry, Leaf, Airwave, Home/Away Assist, and Time-to-temp.
The Nest phone app is cleanly organized and once you get done setting up these various routines, you probably won’t be spending much time with it. With my test homeowners, one said she is so ingrained in using the thermostat directly that when she walks by it in her hallway she thinks about changing the temperature then. The other said he used both the Nest app and the voice commands but still was getting used to using both of them. Part of the issue here is that unlike lighting that you change frequently during the day, you probably don’t think about your home temperature control very often.
Another selling point for Nest is that it has a large range of other products that integrate with it. That is what drove my test homeowners to buy it since it works with their ADT security system. One of my homeowners used the ADT/Nest control because she forgot her Nest app password. So it is nice to have all these different mechanisms to control it, to be sure.
Finally, Nest was easy to set up with both the Amazon Alexa and Google Home, taking less than five minutes to get each one configured. Using it was simple too, and both seemed to perform the same way in terms of controlling the thermostat. My male homeowner said he is starting to prefer the Amazon hub for home control, just because it has so many more connected apps. But he finds the Google hub provides him with more thorough answers to his questions.
Nest is now on their third generation product, which retails for $249. (I tested the second generation.) But don’t let that price scare you: your local electric or gas utility might have rebate offers. (In St. Louis, it was $125 from both companies combined.) It comes in four colors.
In today’s installment, I look at the Philips Hue lighting system. This has four main components: a network-attached bridge or controller, the smart bulbs themselves, web-based software and the smartphone software that is used to turn your lights on and off. We tested the product in the same suburban home location outside of St. Louis where we tested our earlier products, connecting Hue to both the Alexa Echo Dot and the Google Home hubs.
Hue comes with three different kinds of bulbs: white-only, white ambiance and multi-color, which includes white. The White Ambiance allows you to do more than just dim up and down at the one color temperature and gives you access to 50,000 shades of white light. I tested the multi-color. Both come with built-in radios that communicate via the ZigBee LightLink protocols back to the bridge.
To me, a lamp is a necessary evil and something that doesn’t require a great deal of thought. This is because I am someone with zero sense of interior design. I tell you this upfront, which is one of the reasons I was testing these products at a home where both residents have a lot more design-savvy and understanding of lighting placement and mood creation.
If you are a design philistine like me, then you probably won’t get much out of this product and should just stick with ordinary lamps. But if you do take the plunge, make sure you are buying what Philips calls “gen 3” bulbs (which is what I tested). These bulbs have deeper green, cyan and blue for even better mood setting. Philips claims the bulbs can deliver 16 million different colors, but since I am colorblind I couldn’t verify this claim. Nevertheless, you have a wide color palette that you can play with on your smartphone and have a lot of fun finding that exact color to match your mood, your decor, what your spouse is wearing, or whatnot. All the bulbs are LEDs, so are very energy-efficient. They all fit into a standard base and (unlike the early CF bulbs) are small enough to fit in most ordinary lamp housings.
Why bother with smart bulbs? Several reasons. First, you can remotely turn them on and off, both instantly and on a specified schedule, to make your home more comfortable and secure. Second, you can set various moods by having them dim or brighten appropriately. And finally, you have bragging rights when you have your friends over for dinner or parties. By now many of you have already bought your own smart hub: this gives you the first practical application that can readily demonstrate its utility.
When I first got the Hue kit I thought it was mostly “nice to have” but not an essential use case. The more I and my test couple used them, the more we liked them and the more we came to rely on the ability to control them at will and to set different moods. I think this bears emphasis: Hue is creating something new and really giving you a new dimension on how you live and consume lighting in your home.
You don’t need a smart hub to operate your Hue lights, because you can control them via the smartphone app (shown here) or you can also purchase a variety of hardware controllers that can fit inside a standard light switch receptacle or sit on your coffee table if you want a physical object. That is all well and good, but really that gear is just a glorified “Clapper” device that is about as exciting. But using the Alexa or Google Home hubs means you have voice commands for your lights. This means you don’t have to look for your phone and can just turn your lights on or off quickly as you enter a room.
Getting set up from scratch took about 15 minutes on either hub, using a very similar process. The biggest issue I faced was switching my lighting system from the Amazon to the Google hub, which a normal user wouldn’t necessarily do. If you are going to change hub vendors, you should do a factory reset to make things easier. The controller/bridge connects to your home network via Wi-Fi, and it also works with Apple HomeKit hubs.
The most important part of the hub-related setup is naming your various rooms where the bulbs will be located. The workflow for doing this is different in Amazon Alexa versus the Google Home. With Alexa, it picks up this information from the Hue app. In Google, you have to create your room names on its app.
For the most part, the Hue bulbs worked fine with either Alexa or Google Home. But sometimes Alexa would make a mistake, thinking a particular bulb was on when it was off, or vice-versa. And sometimes Alexa would turn on a bulb in the wrong room. We couldn’t reproduce these errors. It isn’t clear who is at fault here, because sometimes the app shows a bulb is on when it is off. For the majority of the time though, things work as intended.
If you are just going to control your lights locally — meaning while you are in your home — then you don’t have to worry about the web server piece of the product. This is needed for two purposes: first for controlling your lights when you are away from home, and second to integrate with any Nest products and other home automation web services. For either purpose you will need to create an account on meethue.com and then use that login on your smartphone app. As with other smart home products, only one account (meaning one email address) per home is allowed. If you want multiple family members to have lighting controls, you might want to create a special email address that everyone can access. Philips is looking into having multiple accounts with different access rights at some point in the future.
Once you get going with the standard bulbs, Philips makes a bunch of other bulb sizes that let you expand your horizons and play interior decorator. I didn’t test any of these. You can purchase a rechargeable portable light source called Go and lights that come with a variety of their own decorative bases. Given that Philips has been making electric lights for more than a century, it is not unexpected that there will be others joining its Hue product line in the near future.
Hue comes in various product configurations; the basic white-only starter kit with two bulbs and the controller is $70. It is available online and in a variety of electronics and lighting stores too.
I take a look at the Linksys Velop Wi-Fi access points. This is the third in my series of reviews for Network World on smart home devices. If you are going to invest in smart home tech, you want a solidly performing wireless network throughout your house. While I had some minor issues, the Velop delivered solid performance and I recommend its use, particularly if you have existing radio dead spots in your home or have to use multiple networks to cover your entire property. You can read the review here.
The first decision you need to make in your smart home journey is selecting the right ecosystem. By ecosystem, I mean the voice-activated smart hub that is used to deliver audio content from the Internet (such as news, weather, and answers to other queries) as well as the main interface with a variety of other smart home devices, such as lighting, thermostats and TVs. In this review I look at two of the three main hubs from Google (the white-topped taller unit on the right) and Amazon (the smaller black unit on the left) and how they stack up.
This is the second in a series of articles on how to successfully and securely deploy smart home technology. The first one can be found here.
Today I begin a series of reviews in Network World around smarter home products. Last year we saw the weaponized smart device as the Mirai botnet compromised webcams and other Internet-connected things. Then earlier this year we had Vizio admit to monitoring its connected TVs and more recently there was this remote TV exploit and even dishwashers aren’t safe from hackers.
Suddenly, the smart home isn’t smart enough, or maybe it is too smart for its own good. We need to take better care of securing our homes from digital intruders. The folks at Network World asked me to spend some time trying out various products and using a typical IT manager’s eye towards making sure they are set up securely.
Those of you that have read my work know that I am very interested in home networking: I wrote a book on the topic back in 2001 called The Home Networking Survival Guide and have tried out numerous home networking products over the years. My brief for the publication is broadly defined and I will look at all sorts of technologies that the modern home would benefit from, including security cameras, remote-controlled sensors, lighting and thermostats, and more.
Smart home technology has certainly evolved since I wrote my book. Back then, wireless was just getting started and most homeowners ran Ethernet through their walls. We didn’t have Arduino and Pi computers, and many whole house audio systems cost tens of thousands of dollars. TVs weren’t smart, and many people were still using dial-up and AOL to access the Internet.
Back in the early 2000’s, I visited John Patrick’s home in Connecticut. As a former IBMer, he designed his house like an IBM mainframe, with centralized control and distributed systems for water, entertainment, propane gas, Internet and other service delivery. He was definitely ahead of the time in many areas.
When I wrote about the Patrick house, I said that for many people, defining the requirements for a smart home isn’t always easy, because people don’t really know what they want. “You get better at defining your needs when you see what the high-tech toys really do. But some of it is because the high-tech doesn’t really work out of the box.” That is still true today.
My goal with writing these reviews is to make sure that your TV or thermostat doesn’t end up being compromised and being part of some Russian botnet down the road. Each article will examine one aspect of the secure connected home so you can build out your network with some confidence, or at least know what the issues are and what choices you will need to make in supporting your family’s IT portfolio of smart Things.
Since I live in a small apartment, I asked some friends who live in the suburbs if they would be interested in being the site of my test house. They have an 1800 sq. ft. three bedroom house on one level with a finished basement, and are already on their second smart TV purchase. One of them is an avid gamer and has numerous gaming consoles. Over the past several months (and continuing throughout the remainder of this year), we have tried out several products. In my first article posted today, we cover some of the basic issues involved and set the scene.
As you loyal readers know (I guess that should just be “readers” since that implies some of you are disloyal), I have been using and writing about email encryption for two decades. It hasn’t been a bowl of cherries, to be sure. Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products is best described as “a sucking chest wound.” Lately I have seen some glimmers of hope in this much-maligned product category.
Last week Network World posted my review of five products. Two of them I reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro. The other three are Inky (an end-to-end product), Zix Gateway, and Symantec Email Security.cloud. Zix was the overall winner. We’ll get to the results of these tests in a moment.
In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic. As a consequence, few people used it in their email traffic, and most did under protest. One of the more notable “conscientious objectors” was none other than the inventor of PGP himself, Phil Zimmermann. In this infamous Motherboard story, the reporter tried to get him to exchange encrypted messages. Zimmermann sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.
To make matters worse, if a recipient wasn’t using the same encryption provider as you were using, sending a message was a very painful process. If you had to use more than one system, it was even more trouble. I think I can safely say that these days are soon coming to an end, and that encryption is becoming almost completely frictionless.
By that I mean that there are situations where you don’t have to do anything, other than click on your “send” button in your emailer and off the message goes. The encryption happens under the covers. This means that encryption can be used more often, and that means that companies can be more secure in their message traffic.
This comes just in time, as the number of hacks with emails is increasing. And it is happening not only with email traffic, but with texting/instant message chats as well. Last week Check Point announced a way to intercept supposedly encrypted traffic from WhatsApp, and another popular chat service, Confide, was also shown to be subject to impersonation attacks.
So will that be enough to convince users to start using encryption for normal everyday emailing? I hope so. As the number of attacks and malware infections increases, enterprises need all the protection that they can muster and encrypting emails is a great place to start.
What I liked about Zix and some of the other products that I tested this time around was that they took steps to hide the key management from the users. Zimmermann would find this acceptable, to be sure. Some other products have come close to doing this by using identity-based encryption, which makes it easier to on-board a new user into their system with a few simple mouse clicks.
What I also found intriguing is how Zix and others have incorporated data loss prevention (DLP) and detection into their encryption products. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message in transit and how it will ultimately be consumed on the receiving end.
DLP has gone from something “nice to have” to more essential as part of business compliance and data leak hacks, both of which have increased its importance. Having this integration can be a big selling point of making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.
Finally, the products have gotten better at what I call multi-modal email contexts. Users today are frequently switching from their Outlook desktop client to their smartphone email app to a webmailer for keeping track of their email stream. Having a product that can handle these different modalities is critical if it is going to make a claim towards being frictionless.
So why did Zix win? It was easy to install and manage, well-documented and had plenty of solid encryption features (see the screenshot here). Its only downside was no mobile client for composing encrypted messages, but it got partial credit for having a very responsively designed webmailer that worked well on a phone’s small screen. Zix also includes its DLP features as part of its basic pricing structure, another plus.
We have come a long way on the encrypted email road. It is nice to finally have something nice to say about these products after all these years.
Email encryption products have made major strides since I last looked at them nearly two years ago in this review for Network World. This week I had an opportunity to revisit these products, and found that they have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements. They are at the point where encryption can almost be called effortless on the part of the end user.
I reviewed five products: the two that I reviewed in 2015 (HPE/Voltage Secure Email and Virtru Pro) and three others (Inky, Zix Gateway, and Symantec Email Security.cloud). The overall winner was Zix (shown here). It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.
You can read the complete review in Network World here, and you can watch a screencast video comparing how three of the products handle data leak protection.