Last month, smart home provider Insteon appears to have shut down, rendering the Insteon hubs inoperable. Users were unable to control the IoT devices connected to their Insteon hubs, such as smart lighting and appliances. The cause appears to be not malware but financial circumstances that led the company to cease operations. While details have still not been confirmed, numerous online forums and news outlets have confirmed that the Insteon hubs stopped working around April 14. Insteon was owned by Smartlabs, which was a holding company consisting of Insteon and Nokia Smart Lighting.
The good news is that there are possible workarounds for Insteon customers, but they involve potentially higher costs and more integration work, and possibly even deploying an entirely new solution from another smart home supplier.
While this incident is not cybersecurity-related, here are some key takeaways for anyone managing an IoT deployment for personal or professional use:
- Smart home tech has promise, but canceled products are still a reality. The smart home market has exhibited strong growth, but it is littered with products that have been canceled, often with little warning and few alternatives for users. Sadly, the Insteon case is not the first case of a smart home product being discontinued, and it will not be the last. This doesn’t mean interested consumers should shy away from smart home products; as they evaluate products, they should understand whether and how each product can be supported (or migrated to another vendor) and make that a key selection criterion.
- Cloud-connected devices are a double-edged sword. Cloud-connected IoT devices deliver multiple benefits, including simpler configuration and real-time software updates. But cloud lock-in limits flexibility. When Insteon’s cloud servers went offline, users’ hubs could not connect and were functionally inoperable. And because the system was not designed to operate locally without a cloud, users were stuck with bricks. This means users need to assess whether devices require cloud connectivity or whether a local operating mode is supported.
- Bricking of devices can occur for multiple reasons. This Insteon news is a cautionary reminder that connected devices can be bricked for reasons other than malware. Also, if the IoT devices operate in a hub-and-spoke model, the takedown of the hub could render the entire deployment inoperable, whether the cause is malware or something else. If the attack or incident is severe enough (such as ransomware), it could mean starting from scratch. This means that protecting the control system through standard practices (limited administrators, network-level protection, endpoint security) should be part of any IoT deployment. Standardizing on devices that can operate, even in a limited mode, while the hub is down will help businesses and people stay operational.
- Standards matter. While Insteon had a solid customer base, its reliance on proprietary RF for connectivity instead of Bluetooth, Wi-Fi, or Zigbee likely contributed to its demise, and pandemic-related supply chain disruptions probably didn’t help, either. Standards are necessary to enable migration to other vendors in situations like this. The good news is that the new Matter standard is emerging as a compelling alternative. And while Matter is not expected to launch until later this year, it offers a lot of promise and reduces the chance of further Insteon-type scenarios.
In the meantime, organizations (and individual consumers) should assess their current IoT implementation and its resilience to something like a cyberattack or a vendor terminating operations. Otherwise, the risk of the “internet of bricks” will persist.