Is your smart thermostat currently on the front lines of a “botnet” army trying to infiltrate a company’s computer systems in Europe? Or maybe that inexpensive webcam you bought to keep an eye on your dog while at work is actually giving a hacker halfway around the world a view into your home?
While everyone knows the importance of keeping their information and identity secure, some people get confused when faced with unfamiliar terms like malware, phishing, IP spoofing, drive-by attacks and distributed denial of service. This is reflected in our 2020 Xfinity Cyber Health Report: among the survey respondents who have heard of cyber threats like these, 42% are unable to confidently explain them to someone else and 28% believe no cyber threats hit their home network each month.
As the number of devices in our homes grows, the “attack surface” — the range of opportunities and methods by which hackers could gain access to our identity and data — increases and leaves consumers wondering what is the best approach for protecting their connected homes.
To help provide some answers, we sat down with Larry Maccherone, a Distinguished Engineer in Comcast’s Security and Privacy group. A software engineer, entrepreneur and data scientist, Larry is an industry-recognized thought leader in security and privacy issues.
Q: Why is securing the connected home so challenging?
A: In large part, the main issue is that cybersecurity is often viewed as a separate product that a consumer buys and bolts on to something else. Years ago this was pretty straightforward — you bought a laptop and then bought anti-virus software to protect that specific device. As long as you kept the anti-virus updated, you had some protection.
Today, our homes have an average of 12 connected devices in them. Some of these devices have screens, including laptops, tablets and smartphones, while others are unattended or don’t have screens and are harder to monitor and protect — these include smart thermostats, voice assistants and cameras. As a simple test, ask yourself, “Have I updated the firmware on all my connected devices recently...or ever?” One of the most common reasons for a firmware update is to plug security holes, so if the answer to the prior question is “no,” you probably have devices in your home open to compromise. But even if the answer is “yes,” devices may still have security holes that the manufacturer has not yet found, so they are still open to compromise.
Q: How is the industry responding to this challenge?
A: I think the biggest change has been the trend to build security into products and services from the beginning of their development, rather than “bolting on” security after the fact. This removes confusion and complexity for consumers and automatically adds more layers of protection, which is critical.
Think of credit card companies that now monitor accounts and call customers when there is a charge that deviates from their normal behavior. For example, maybe a person typically just charges a few hundred dollars per month in the Philadelphia area and suddenly there is a $10,000 charge at a store in Canada. Years ago, that person would have to review their bill, identify the fraudulent charge, and then call the credit card company. Today, that same person’s account is closely monitored and they receive a timely, proactive text or app notification flagging the potential for a fraudulent charge.
Q: How does security get infused into broadband services?
A: In the technology industry, cybersecurity was once exclusively handled by a totally separate team from those developing products and services. In this old model, the engineering teams just focused on building the product or service and then threw it over the fence to the cybersecurity team to let them worry about securing it. With this approach, the product engineers aren’t thinking about security as they design and build a product, and the cybersecurity team is forced into figuring out how to implement security after the fact. This friction between the team designing products and those securing them creates a problem — it’s like building a car with no safety features, having it roll off the assembly line, and then having safety engineers figure out how to retrofit the car with airbags and seatbelts.
At Comcast and throughout the technology industry, we’ve been on a multi-year path to fundamentally change how we build secure products. One of the ways we do that is through a product design model called “DevSecOps,” which is a technical way of saying that the teams of software developers, designers and engineers who build our products are also playing a much bigger part in securing those products. This approach results in simpler and stronger security for broadband services.
Q: How does Comcast approach cybersecurity from a development perspective?
A: While we are the nation’s largest broadband provider with 27 million Internet subscribers, you can also think of Comcast as a technology company. We have more than 10,000 developers spread across 500 product teams building everything from the xFi Advanced Security service and xFi pods, to Xfinity X1 and Flex. Every day these teams are releasing new features and capabilities to make our products and services more secure, reliable and valuable to our customers.
We found that the friction between the product and security teams I mentioned earlier was slowing down our development. When I joined a few years ago, we decided to change the culture completely and empower developers with the training and development framework to build security in from the beginning. It’s a philosophy we call “Security by Design.”
Q: How does “Security by Design” benefit Xfinity customers?
A: Rather than have separate engineering and security teams as I mentioned earlier, we’ve created a culture where they work together as a single team creating inherently secure products and services. This means our customers’ broadband connections — along with all connected devices in the home and the various other apps and services we provide — are continuously updated, improved and enhanced to automatically protect our customers’ identities, privacy and data.
So, now our customers can go in the Xfinity app and see all the threats we’ve proactively blocked from entering their connected homes — because when security is “baked in,” it’s that easy to see how you’re protected.