The three pillars of the smart home are convenience, reliability and security (actually I made these up, but stick with me for a while anyway). If your smart home systems and devices don’t deliver on those three criteria, are they worth it? Worse, are they creating more problems than they solve?
Possibly, according to some work done by security research company Synack, and first reported by Gigaom. Synack looked at a number of popular (mostly DIY) smart home automation and home security devices and found many of them lacking in reliable security features.
Could products like the Nest smart thermostat and the Dropcam wireless security camera actually be giving intruders an open door to your home? Well, that depends on a couple of things, including the technical know-how of the intruder (remember, it doesn’t take much tech savvy to break a window with a rock), the built-in security features of the device, and you (how good you are at securing your own system).
Yes, the problems with smart home security aren’t all with the devices. Some of them are with our own lazy attitudes toward our home network security, especially when it comes to wireless networks.
According to the Gigaom article, the Synack researcher was able to hack into all but one of the devices he tried within 20 minutes (the one he couldn’t hack was a smoke detector by Kidde).
The researcher looked at DIY security cameras, smart thermostats, smart smoke detectors and smart home hubs/controllers. Interestingly, one of the controllers the company looked at was by Control4 (the exact controller wasn’t identified), which isn’t a DIY system and which, when installed by a professional, would also involve enterprise-level network security, so this inclusion is a little curious. It’s also important to note that the report didn’t say what the researcher was able to achieve with these hacks. Was he able to simply get into the Nest thermostat, or could he actually do something like change a password or turn the temperature up, or did that also open a virtual door to more systems and more compromise?
Among the smart home hubs, the Lowe’s Iris got the highest marks for security. The Revolv hub (which is no longer on the market) got dinged by the tester for SSH backdoor issues and open ports. SmartThings (owned by Samsung) was criticized for a weak password policy and an exposed telnet service.
Among the four security cameras, the firm liked the Dropcam the most.
Among the four smart thermostats, Nest received the highest marks.
The most common critique across all products was a poor password policy. A strong password policy is partly something that manufacturers can implement and enforce on their products (requiring, for example, a strong mix of letters, numbers and other characters), but it is also something each end user can do on his or her own. The same goes for passwords on your Wi-Fi network. If the password into your network is still “password” or “1234”, then you’re asking for trouble.
Also worth pointing out is that the hacker in this case was from a firm that specializes in enterprise-level security solutions. Any standard (not smart) door lock can also be picked by someone who knows how, and any window can be broken by a five-year-old. Does the fact that a network security specialist could hack into these devices mean that all smart home products (or even these smart home products) are putting you in more danger than if you didn’t have them? I’m not sure that’s the right conclusion here.
However, this news, as well as the revelation earlier this week that some Samsung smart TVs have the ability to listen, record and transmit your conversation, is a good reminder that with all new technology come new technology problems. I’m not particularly worried that someone might be able to hack my Philips Hue lights and randomly change the colors. Could someone hack into my smart home system, and through that connection, sneak into my laptop and steal… something?
Both manufacturers and end users have a responsibility here. The manufacturers need to make sure that their systems are as secure as they possibly can be and that their cloud services for storing data are just as secure. We as users also have the responsibility to lock our smart homes up tight with strong passwords, VPNs, wired connections (when possible) and other means.
Sym says
It’s good to see this; as an installer, the number of homes whose network password is “password” is comical. Users have a responsibility as well.