For example, am I correct in assuming that Indigo / Insteon are relatively safe, so long as my Indigo server is reasonably well protected, but Hue and Alexa plugins open new or additional IoT related security issues to my Indigo system?
First off, ANY device you put on your network could potentially be hacked... computers, phones, hubs, etc. However, not all of these devices present an easy target for hackers -- here is my take on a rough estimation of device "classes" from easiest to hardest target:
IoT Devices Connecting to Cloud
Why? Well, these devices are actively speaking with the internet, be it calling out or waiting for connection. Many are poorly made from a security standpoint and thus fairly vulnerable... my bet is that these constitute the majority of the compromised devices out there. Are all these devices bad/poorly done? Absolutely not. Stick with well known manufacturers and keep their firmware up to date. (Note that some devices that fit in this category can "move" to a lower risk by turning off cloud based features.) NOTE: ALWAYS CHANGE DEFAULT PASSWORDS... this is how the vast number of devices are vulnerable, since the default username/password is easily looked up by manufacturer.
IoT Devices Not Connected to Cloud
If there is no main cloud connection, devices are far more secure... but not impervious. Devices without authentication could be vulnerable to attack if someone were on your network, either by a security flaw in the network or a virus on your computer that searches for IoT. Again, well known manufacturers who post firmware updates to address issues are your best bet here. Turn on authentication and change default passwords as before.
Computers / Tablets / Phones
These items should remain pretty secure IF you keep them up-to-date on software/firmware and secure them properly. Opening up ports to your network necessarily opens you up for attack, but there are times that may be necessary (e.g. Xbox Live, shared Plex install, etc.). To be safe, take the time to open ports or access as needed and carefully - don't just stick a computer or device in the DMZ for ease of setup. Use SSL, Reflector, or VPN for outside access to the network. Run anti-virus where possible.
Note the risk here is somewhat user dependent. If you open random email attachments and get a virus then you have introduced a new attack vector. This isn't really the device being insecure, but in the end I guess it ends up the same idea.
Local / Proprietary Protocol Devices
Z-Wave, INSTEON, Bluetooth... these ALL have vulnerabilities, you can't avoid it. However, they also have the advantage of requiring a physical presence close enough to access your network. Your level of paranoia, your physical location, and/or value of your assets may help you make decisions here -- turning on Z-Wave encryption if Indigo enables it in the future as has been hinted at, turning OFF unused Bluetooth features (e.g. smart locks), etc. The biggest thing is that these won't be a target from the various scripts that run to find vulnerable systems over the internet. NOW, keep in mind these can also have devices talking to them which fit in an above category (computer Z-Wave interface, August lock controller, etc.)
That is my quick lunch-break take on it...
Adam
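The checks Adam lists above (default credentials, firmware currency, authentication on LAN-only IoT gear, no DMZ host, port forwards only where needed, and a cloud-class device dropping to the local class when its cloud features are off) can be applied mechanically to an inventory of a home network. The script below is an added example and is not code from the original post or from Indigo; the inventory format, the `Device`/`Router` records and the sample devices are constructed for illustration, and the four class names and their ordering are taken from the post.

```python
"""Audit a constructed home-network inventory against the four risk classes
in the post above. Added example; inventory layout and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Risk classes from the post, ordered easiest to hardest target (lower rank = riskier).
RISK_CLASSES = {
    "iot_cloud": 0,    # IoT device that talks to a vendor cloud
    "iot_local": 1,    # IoT device reachable only on the LAN
    "computer": 2,     # computers / tablets / phones
    "proprietary": 3,  # Z-Wave / INSTEON / Bluetooth endpoints (need physical proximity)
}

@dataclass
class Device:
    name: str
    risk_class: str
    cloud_enabled: bool = False
    default_creds: bool = False
    auth_enabled: bool = True
    firmware_current: bool = True

@dataclass
class Router:
    dmz_host: Optional[str] = None
    # (external port, device name) pairs forwarded from the internet
    port_forwards: List[Tuple[int, str]] = field(default_factory=list)

def effective_class(dev: Device) -> str:
    """A cloud-class device with its cloud features turned off moves down to the
    LAN-only class, as the post notes."""
    if dev.risk_class == "iot_cloud" and not dev.cloud_enabled:
        return "iot_local"
    return dev.risk_class

def audit(devices: List[Device], router: Router) -> List[Tuple[str, str]]:
    """Return (device name, finding) pairs, riskiest device class first."""
    by_name = {d.name: d for d in devices}
    findings: List[Tuple[str, str]] = []
    for d in devices:
        if d.default_creds:
            findings.append((d.name, "default username/password still set"))
        if not d.firmware_current:
            findings.append((d.name, "firmware out of date"))
        if d.risk_class in ("iot_cloud", "iot_local") and not d.auth_enabled:
            findings.append((d.name, "authentication disabled"))
    if router.dmz_host:
        findings.append((router.dmz_host, "placed in DMZ; forward only the needed ports instead"))
    for port, name in router.port_forwards:
        target = by_name.get(name)
        if target is None:
            findings.append((name, f"port {port} forwarded to a device not in the inventory"))
        elif effective_class(target) in ("iot_cloud", "iot_local"):
            findings.append((name, f"port {port} forwarded from the internet to an IoT device"))

    def rank(name: str) -> int:
        # Unknown devices sort to the top: nothing is known about them, so treat as riskiest.
        return RISK_CLASSES[effective_class(by_name[name])] if name in by_name else 0

    findings.sort(key=lambda f: rank(f[0]))  # stable sort keeps per-device order
    return findings

# Constructed sample inventory (not a real network).
SAMPLE_DEVICES = [
    Device("indigo-server", "computer"),
    Device("hue-bridge", "iot_cloud", cloud_enabled=True, firmware_current=False),
    Device("ip-camera", "iot_cloud", cloud_enabled=False, default_creds=True, auth_enabled=False),
    Device("august-lock", "proprietary"),
]
SAMPLE_ROUTER = Router(dmz_host="indigo-server",
                       port_forwards=[(8080, "ip-camera"), (32400, "indigo-server")])

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DEVICES, SAMPLE_ROUTER):
        print(f"{name:14s} {finding}")
```

Run as-is, it lists the out-of-date Hue bridge first (cloud-connected class), then the camera's three issues, then the Indigo server sitting in the DMZ; the Plex-style forward to the server (a computer-class device) produces no finding, matching the post's point that such forwards are sometimes necessary when done deliberately.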