Julie Knudson is a freelance business writer who specializes in technology. She also covers small business, hospitality, and risk management. Reach her online at julieknudson.com.
Smart-Home Tech Brings New Cyber Risks
It's important to take security measures as connected devices invade the home front.
March 9, 2018
Homes are smarter than ever. From music that plays at the command of your voice to cameras that provide visual access to your house while you’re away, smart-home technology is changing how we live. But with that evolution, consumers are also discovering new risks.
Why They’re Risky
Most smart-home devices—often referred to as internet of things technology—connect to the outside world through a home’s internal network. Whether consumers add technology to their existing residence or inherit devices as part of a home’s sale, the vulnerability of this network is one of the first issues they should consider. “You’re essentially giving that device full access to your network, behind your firewall and router,” explains Patrick Tiquet, director of security and architecture at software provider Keeper Security. While a smart fridge is probably not interested in your recent vacation photos, Tiquet explains that deep level of access still presents potential privacy risks. “Because most firewalls in the consumer world only block inbound traffic, any IoT device that has malicious code on it could exfiltrate information out of your network.”
The proliferation of devices that include cameras and microphones has also raised new issues for consumers. Everything from baby monitors to smart TVs can become surveillance devices for hackers. What a criminal might do with that kind of access varies. “It might just be creepy, such as watching or listening to you,” says Jeff Wilbur, director of the Online Trust Alliance at the Internet Society, a nonprofit education and policy organization. “They might then record it, or use the information to decide when your house is vulnerable.” If a hacker is able to get control of a smart lock or connected garage door opener, they could go beyond virtual sneaking and gain physical access to the residence.
Deploying a larger digital presence may also change the way people interact with their homes, putting homeowners at risk when technology fails them. Travis Witteveen, CEO of security software firm Avira, says this is an aspect that’s often overlooked as the functionality and convenience of smart devices continues to grow. Witteveen’s new home, for example, is completely connected, including the heating systems and door locks. “It’s to the point that we don’t have light switches in our house,” he says. That became an issue when the control app was inadvertently deleted from a smartphone and, with only one of the Witteveens at home, there was no way to turn off the lights without calling the other for help. “I had to rethink how to set up the digital world so reliability becomes a part of it,” Witteveen recalls. If traditional input methods—keyed door locks and manual switches, say—are no longer available or easily accessible, real estate professionals will need to work with home sellers and buyers to be sure everyone knows where master control panels are located and how commands can be entered into the system in the event of a power failure or technology glitch.
What Could Go Wrong
Cyber risks linked to smart-home technologies aren’t just theoretical. Wilbur points to the Mirai malware, which was used in several attacks in 2016 that impacted consumers across North America and Europe. “Estimates vary, but roughly 100,000 security cameras with no passwords, or with default passwords, were used to attack the core internet infrastructure,” he explains. These devices were commandeered as part of a distributed denial of service (DDoS) attack, which flooded the web with traffic and completely blocked access to major sites once servers could no longer keep up. “You couldn’t get to eBay or PayPal or Reddit, for example, for several hours that day,” Wilbur says. Researchers who investigated the attack considered it a taste of what could happen if IoT device security continues to be sloppy.
Unsecured or poorly secured devices have also been compromised on a smaller scale by hackers. Reports of strangers speaking to children through their baby monitors have frightened youngsters and parents alike. Websites have sprung up that provide a gateway for voyeurs to spy on households through web cameras with inadequate security. “You can go on there and select cameras that are in homes, on streets, even in front of people’s houses, and you can watch in real time through thousands of these hacked cameras,” Tiquet says.
How to Get a Handle on It
Without industry standards in place, it’s up to homeowners to know the ins and outs of their IoT devices. The OTA does offer a checklist for home buyers and sellers, but Wilbur encourages consumers to do as much research as they can on the particular products they plan to use, whether they’re purchasing new technology or taking over existing devices. “Just Google it, because today there isn’t really a central compendium of information,” he says. Though some consumer testing organizations are beginning to explore the security capabilities of smart-home products, those efforts are still in the very early stages. To facilitate the research process, it’s helpful if a seller gathers all their devices’ documentation into one place. The home buyer then has the necessary details on the makes and models to research their new equipment.
While the threat of a stranger breaking into a house by compromising its smart-home devices may be a top-level concern, Witteveen says consumers also need to be mindful of downstream risks as well. Just as platforms such as Google and Facebook harvest user information and habits for analytical use, IoT devices often process and store similar types of data. “All of these devices are sending information about you to services that try to profile you,” Witteveen says. Some manufacturers are based outside the U.S., and that’s another risk factor. “Who’s regulating them?” Witteveen asks. “Which governments are controlling what they do with the data they get from you?” Even if a home buyer isn’t sure they’ll keep all of the technology included in their new residence, real estate salespeople should still remind them to review each IoT device’s terms and conditions, with special attention paid to data privacy.
Firewalls and routers with robust feature sets are increasingly making their way into the consumer market. Other models aimed at home office and small-business users may require a little more expertise to set up, but can also help maintain security around connected devices.
Within the home, most routers now support multiple networks on a single internet connection. Consumers should take advantage of that capability to isolate their IoT devices on a network separate from the one they use for their smartphones, tablets, computers, and other equipment that may be storing or sending sensitive data. Each of these networks should be protected with a strong password to limit potential intrusions. “Also, a lot of these devices come with default passwords, so changing those, or even setting a password if they don’t have one, will go a long way toward helping protect them from being hacked,” Tiquet says. During a closing process, it’s a good idea for a seller to change each device’s password to something unique but impersonal—the date of the sale, for example, or a random character string—and hand that information over to the buyer. The buyer should replace that with their own series of passwords as soon as they take possession of the property.
Tiquet also recommends consumers look into firewalls capable of filtering outbound traffic, instead of the more common inbound-only monitoring: “Some of them also have the ability to scan and look for malware and to identify suspicious behavior.” Many of these features were previously available only on enterprise-level firewalls, but there are now a number of consumer-grade solutions that start at around $200 and offer homeowners good security for their growing inventory of connected devices.