Cybersecurity is top of mind for makers of internet-connected HVAC thermostats and controls
As more devices are connecting to the Internet of Things (IoT) each day, it comes as no surprise that data breaches are becoming an all-too-common occurrence. In fact, according to the Identity Theft Resource Center, a nonprofit organization that supports victims of identity theft and broadens public education and awareness in understanding identity theft, data breaches, cyber security, scams, fraud, and privacy issues, there have been 708 reported data breaches affecting 28,816,859 people in 2016 so far.
These numbers are not lost on industry manufacturers that continue to bring to market new and innovative Wi-Fi-enabled devices meant to increase comfort, save energy, prolong equipment life, and keep homeowners and contractors connected to their equipment and each other. That is why many of these manufacturers have been actively working to ensure customer data are safe and secure.
Once connected thermostats began to gain a major foothold just a few years ago, thermostat manufacturers suddenly faced new concerns regarding data storage and connectivity. These concerns required immediate attention.
Honeywell Intl. Inc. began offering its Total Connect Comfort (TCC) in 2010, which was the company’s first internet-connected thermostat, though Honeywell has offered internet-connected home security systems for a much longer period of time, said Kevin Staggs, an engineering fellow, Honeywell.
“Honeywell takes data privacy and security issues very seriously, and we understand these matters are top concerns to our customers,” Staggs said. “We have designed our connected thermostats with security in mind. The devices are designed to only communicate with certain Honeywell servers, and we use a variety of security technologies and procedures to help protect customer personal information and data from unauthorized access, use, or disclosure.”
Additionally, Honeywell doesn’t share its customers’ data without express consent and is committed to protecting the security of customer data, Staggs added. “The security of the data flowing between the thermostat and the cloud is a primary concern, and we address that by using secure and encrypted communications between the thermostat and the cloud. It’s important to note that thermostat communication with the cloud is limited to information about controlling the thermostat — current temperature, desired temperature, and mode, such as cooling or heating — and contains no information about location of the thermostat or any other personal information. Registering a thermostat with our cloud service does require users to provide contact information, but that information is not made available outside of the cloud.”
When Bosch Thermotechnology Corp. introduced the CT100 Smart Room Thermostat a year ago, engineers kept security in mind and also designed the product to store all its user data locally within the thermostat itself — not on remote servers in the cloud — which helps increase security, said Joey Sung, product manager of controls and connectivity, Bosch Thermotechnology Corp. “For the Bosch CT100, all user data is stored on the unit itself and never transferred or sent out,” he said. “In addition to user data, all data connections are fully encrypted.”
Like Honeywell and Bosch, Lennox Intl. Inc. has followed industry protocol for protecting user data, said John Whinery, vice president of product management, residential HVAC, Lennox Intl. Inc. “Lennox introduced the iComfort Wi-Fi Thermostat in 2012 and followed it with the introduction of the iComfort S30 Thermostat in 2015,” he said. “Lennox has always maintained a focus on the privacy of its customer data and the potential for it to be compromised. Lennox follows industry standards with regard to the areas of authentication, encryption, and trusted firmware updates.”
Overall, security has to be the foundation on which any IoT solution is built, and this is all-encompassing, said Kerry Sylvester, chief information officer and director of information technology, WaterFurnace Intl. Inc. “Security is more than firewalls and SSL certificates — it has to be built into the application software, IoT hardware and firmware design, and communication protocols. WaterFurnace did this when designing and implementing our Symphony offering.”
Symphony is a web-enabled home comfort platform specifically designed for WaterFurnace’s geothermal heat pumps. It provides detailed feedback on a unit and the tools to control it from any smartphone, tablet, or computer in real time.
“WaterFurnace’s top priority has been and always will be protecting the end consumer from identity theft or other financial loss,” Sylvester continued. “The simplest way to mitigate this risk is to limit the amount of personally identifiable information [PII] we require to establish an account. We do not collect high-value PII that hackers seek for resale, such as social security numbers or credit card information. This measure alone makes our Symphony IoT offering a low-value target to would-be cyber thieves.”
Johnson Controls Inc. offers two connected thermostats that grant users exceptional access to their HVAC systems. Aside from being connected remotely, these thermostats feature two-way connectivity with the equipment itself, which is unique and important to provide customers with tailored control of their systems. Because of their focus on proper and efficient system control, these thermostats ensure systems are operating optimally.
“We first launched our cloud solution in 2014 for our residential products,” said Jedidiah Bentz, director, advanced systems, controls and technology, unitary products group, Johnson Controls. “It was the next step in our strategy to not only provide acute system knowledge in the home but also share this knowledge on the go. Connectivity offers so much flexibility and educational opportunities for our customer base. Our newest thermostat, the YORK® touchscreen thermostat with proprietary hexagon interface, is engineered and designed to integrate with any conventionally wired HVAC system, which seamlessly connects homeowners to their HVAC systems via their smartphones, tablets, or computers.”
A CHANGING LANDSCAPE
Over the past few years, hacking has become more of a concern for thermostat and controls manufacturers, who have been working proactively to ward off such attacks.
“While we believe Bosch products are still safe due to their secure connections, we are keeping this concern top of mind,” Sung said, adding that with the CT100, everything is stored on the control itself; therefore, the homeowner owns their data and has full control over them.”
At Lennox, cybersecurity practices are ongoing to address potential issues as new types of attackers are discovered. “Currently, with our cloud-based solutions, we have a key focus on protecting customer data and reducing risks for unauthenticated access,” Whinery said. “Lennox engages with top security leaders in the industry to perform third-party audits of our cloud and device configuration settings, product codebase, and data to help identify opportunities to reduce risks.”
Honeywell uses a variety of security technologies and procedures to help protect customers’ personal information from unauthorized access, use, or disclosure, including limiting customer data exposure in the cloud. Additionally, they “regularly assess [their] cybersecurity practices and make improvements as a result of those assessments,” Staggs said.
“We use a variety of security technologies and procedures to help protect customers’ personal information,” he said. “For example, we store the personal information customers provide on computer systems with limited access that are located in facilities to which access is restricted. In addition, we do regular assessments of our systems, including our cloud-based systems, and are continually making improvements as a result of these assessments.”
Although the security concerns for Mitsubishi are the same as they were in 2002, when the company began offering its first connected control, their importance has become increasingly elevated as the propensity for cyber attacks has become more prevalent, said Matt Smithson, director of hardware and software engineering, Mitsubishi Electric US Inc. Cooling & Heating Division.
“This month, we are releasing the PAC-USWHS002-WF-1 wireless interface, which will replace our current Wi-Fi adapter,” Smithson said. “The interface [was] designed and developed out of our headquarters and engineering center in Suwanee, Georgia, and improves the user experience through super low-latency cloud communication while also introducing features, such as secure boot and secure device authentication. These new security features are made possible through the inclusion of embedded security chips.”
Security is always top of mind for Johnson Controls as the company designs new products. Bentz said the company has made tremendous strides in the area of security and has, in fact, devoted many resources to developing a world-class organization focused solely on the secure execution of its products. “It’s an interesting topic because of the complexity of making it simple,” said Bentz. “First and foremost, we do our best to keep customers’ personal information personal. A lot of security comes by just keeping customer data private to the customer. We recognize that, ultimately, customers and their homes need to be protected, and we will always make sure customers own control of their homes.”
WaterFurnace has also made major security changes over the past few years. “In 2014, the SSL/TLS Heartbleed vulnerability really shook the security community as OpenSSL implementation of SSL/TLS was believed to be secure,” Sylvester said. “Since Heartbleed, a number of other SSL/TLS vulnerabilities have been discovered.
“In 2013, WaterFurnace began building out a next-generation network infrastructure with the specific intent of filtering and blocking attempts to break into servers,” he continued. “At that time, it was clear that a standard firewall and SSL/TLS-secured websites and services were not going to be good enough; 2014 and 2015 certainly proved that.”
While manufacturers are doing what they can to keep customer data secure on their end, much of it comes down to the users, how much they know and understand about cybersecurity, and how careful they are with their own data. Manufacturers realize this and have made consumer education a priority in recent years.
“There are some basic things users can do to minimize their risk of attack, some of which includes recognizing spear-phishing emails and avoiding password reuse,” Smithson said. “I think secure password managers are great tools for encouraging the use of complex, unique passwords. However, even the most vigilant of users are still largely reliant upon the systems they interact with to protect their data. To that end, users should select and use products from companies they trust.”
Like Smithson, Sung also recommended users secure their wireless networks, create strong passwords, and refrain from sharing those passwords with others.
Staggs outlined the importance of adopting strong home network security protocols with appropriate security configurations and the use of strong passwords.
He added: “The majority of a user’s data is not on IoT devices but resides primarily on the user’s home computers and personal devices, such as cell phones and tablets. This underscores the importance of users adopting strong security protocols.”
Whinery said customers should protect their physical equipment and only provide access to authorized personnel using two-factor authentication. They also recommend that customers install the Lennox Apps from the official Apple App store and Google Play store.
He also cautioned against using weak passwords.
“According to the Verizon Data Breach Incident Response Report, more than 60 percent of data breaches occur due to weak passwords,” he said. “We believe having no less than annual reviews of password configuration settings is important to reduce these risks.”
Johnson Controls is working with top agencies and cutting-edge organizations to develop secure, reliable, and functional products. “We conduct ‘hack-a-thons’ and exercise our systems to ensure our products are operating in a manner that is conducive to privacy,” said Bentz. “Comfort is our business, and we know security is a big part of comfort. It’s the cornerstone of our products. We pay close attention to how the definition of comfort is changing for our customers and are adapting our processes, products, and services to align with our customers’ values.”
Sylvester said WaterFurnace is engaged in “vigilant monitoring” and plans to increase the capabilities of its IoT devices as the need arises. In the meantime, company reps “recommend that Symphony users follow the standard recommended best practices for personal information protection, including using strong passwords.”
THE NEXT STEPS
As the IoT continues to grow, new devices enter the market, and new gateways to customer information are created, manufacturers will be working to ensure their products are on the cutting edge of cybersecurity.
“When designing a new product, usability concerns often clash with security concerns,” Smithson explained. “Today’s customers demand a great user experience from their mobile applications. Companies must find ways to offer superior user experiences without shortcutting best security practices. Mitsubishi Electric will continue to develop products with both great user experiences and tight security by involving security architects and user experience designers early in the design process.”
Sung predicts data breaches and hacking will only continue to increase as the number of potential targets become larger. “To mitigate some of these risks, Bosch has taken the proactive approach of ensuring that all of our products meet and exceed the security standard from the development stage of the product,” he said.
The high level of commitment from manufacturers to protect their customers’ information is evident in their products already, and they only plan to continue to ramp-up efforts to ensure user data are kept safe now and into the future.
“We know our customers will continue to take this issue very seriously,” Staggs said. “Our commitment to protecting their data won’t change, and we will continue to design our connected thermostats with security in mind.”
Bentz encouraged contractors to carefully consider which items they choose to sell to consumers. “Anyone can launch a connected solution and many are making the thermostat the hub of the home,” he said. “Be wary of fly-by-night offerings. When shortcuts are made in design, launches can be quicker and perceived value can be mistaken. This is where a majority of risks lie.”
Continue reading Thermostat Manufacturers Work to Keep User Data Safe