Home automation and the Internet of Things revolution are happening as we speak. For better or for worse, every device we buy will have some form of connection to the cloud or a central service for control and monitoring. Already, there are several million devices exposed to the Internet. Here is how the majority of these devices communicate:
The first step is generating an authentication key. This happens in one of two ways: through a pre-set key, or through generating a key in an exchange with the device. The first method is not as secure and is open to abuse. If a malicious party (as happened recently) gets hold of the key, it can connect and issue commands to the device. The key generation method is more secure.
The initiating device uses a key to request an authentication token from the other device. Once that device creates the token, all future communication with it uses that token. When there are several devices, a separate token is generated for each one. Usually, these tokens or certificates are valid for very short periods of time. The longer they are valid, the more open they are to abuse.
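The key-then-token flow described above, as an added example that is not code from the original article: a device pairs with a controller, answers a key-based request with a token that expires, and rejects expired or altered tokens. HMAC-SHA256, the `Device` class, the token layout and the 300-second lifetime are assumptions made for illustration; the article names no specific scheme.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds; assumed value, the page only says "very short"


def mac_tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Device:
    """Device side: one key per paired controller, short-lived tokens."""

    def __init__(self):
        self._keys = {}        # controller id -> key from the pairing exchange
        self._challenges = {}  # controller id -> outstanding one-time nonce

    def pair(self, controller_id):
        # Stand-in for the key exchange: a fresh random key per controller,
        # rather than one pre-set key shared by every unit.
        self._keys[controller_id] = secrets.token_bytes(32)
        return self._keys[controller_id]

    def challenge(self, controller_id):
        self._challenges[controller_id] = secrets.token_bytes(16)
        return self._challenges[controller_id]

    def issue_token(self, controller_id, proof, now=None):
        # The nonce is consumed on use, so a captured proof cannot be replayed.
        key = self._keys.get(controller_id)
        nonce = self._challenges.pop(controller_id, None)
        if not key or not nonce or not hmac.compare_digest(proof, mac_tag(key, nonce)):
            return None
        expires = int(time.time() if now is None else now) + TOKEN_TTL
        body = f"{controller_id}|{expires}"
        return f"{body}|{mac_tag(key, body.encode()).hex()}"

    def verify(self, token, now=None):
        body, _, tag_hex = token.rpartition("|")
        controller_id, _, expires = body.rpartition("|")
        key = self._keys.get(controller_id)
        try:
            tag, expires = bytes.fromhex(tag_hex), int(expires)
        except ValueError:
            return False
        if not key or not hmac.compare_digest(tag, mac_tag(key, body.encode())):
            return False
        return (time.time() if now is None else now) < expires
```

Because each controller has its own key, a leaked key or token affects only that one pairing, and the expiry bounds how long a stolen token stays useful.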
Then there are times when high-bit certificates are used to encrypt communications, and only the decryption key is on the device. However, that level of security is offered only by companies like Google, Amazon, and Apple.