A REFRIGERATOR THAT KNOWS you’re out of milk before you do? A thermostat that cools down as soon as your head hits the pillow and warms back up in the morning, without the touch of a button or flip of a switch? Lights that brighten and dishwashers that churn at the mere touch of a smartphone app?
These marvelously modern appliances are where the “Internet of Things” (IoT) and home automation products converge. And while there is no question in anyone’s mind as to the convenience and security benefits that their remote monitoring capabilities bring, these “smart” systems also come with their own unique set of risks.
Defined as a “network of networks of uniquely identifiable endpoints (things)” that are capable of communicating without any human interaction using IP connectivity, the ecosystem of the IoT is in the midst of rapid changes. Just as individuals might utilize the web to communicate with one another, your home appliances, security systems, and utilities can now interact and coordinate functions without your constant input. These web-connected devices can also be monitored and controlled while you’re away, making IoT-enabled gadgets much more efficient and user-friendly than anything that’s ever come before.
However, if you’re a savvy consumer, you’ll have done your research and come to find that Internet-augmented products also offer unprecedented opportunities for hackers and cybercriminals to obtain your personal data. One major problem lies in the fact that many of the wireless communications used by home systems utilize outdated or insecure safety protocols by default. Some products come pre-set with usernames and passwords—such as “admin”—that can easily be exploited by someone with only basic computer knowledge.
Unprotected Home Systems are Vulnerable
To illustrate just how simple it is to gain access to an unprotected home system, Kashmir Hill from Forbes described her brief experience moonlighting as a hacker. By following instructions from a cursory Google search, she intercepted and read the signals sent by smart home components in order to access people’s homes and appliances. She was able to send bogus signals and affect the performance of the equipment, such as turning lights on and off in an Oregon home from her apartment in San Francisco. Hill made contact with each of her targets prior to her amateur hacking debut, but less scrupulous individuals could replicate her actions easily and take control of everything from hot tubs to garage doors.
With all this new technology still in flux, every smart home system or device—even those from home security giants—is subject to intercepted communications. Even if a cyber-criminal lacks the know-how to actively interfere with the proper operation of a security system, it’s possible, through passive listening with a software-defined radio, to determine when signals are being sent and therefore when a security product is active. Of course, this information is very useful to burglars and other eager intruders.
However, Internet-connected web cameras and “nanny cams” are often the first point of entry in the event of a security breach. They typically present the greatest security risks because they come packaged with the flimsiest automatic security safeguards. In some cases, poorly guarded webcams can be booted up into a special USB mode in which an attacker can install spyware enabling future remote viewing of audio and video feeds. One babysitter from Houston, Texas found this out the hard way, when the voice of an unknown man began speaking to her through a baby monitor.
Homeowners in greater numbers have voiced their concerns regarding these issues, and President Obama has proposed laws that would require companies to adhere to nationally determined standards for the protection of customer information. During a cybersecurity summit at Stanford University, he announced his plans for tough federal cybersecurity initiatives, saying, “Everybody’s online, and everybody’s vulnerable.” Since then, security system vendors McAfee, Palo Alto Networks, Fortinet, and Symantec have joined forces to establish the first “Cyber Threat Alliance” which aims to combine threat intelligence in order to counteract the efforts of advanced hacking schemes.
Protect Yourself
While the government and the private sector hold much of the power in their hands, the ultimate fate of your home’s security lies with you. It’s of paramount importance to set up secure usernames and passwords for all home automation systems rather than leaving them at their default settings. Avoid reusing any passwords you already set for other purposes, and easy-to-guess sequences like “123456” are completely off limits. You also ought to stay on top of new downloads, and install all firmware or software updates that are available for the devices you’ve installed.
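The checks in the paragraph above can be run across a whole household at once. The following Python script is an added example, not part of the original article; the inventory fields, device names, passwords, firmware versions and the short lists of default and common passwords are all constructed for illustration.

```python
from collections import defaultdict

# Constructed lists for illustration; extend them with the defaults
# documented in your own devices' manuals.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
COMMON_PASSWORDS = {"password", "qwerty", "letmein"}

# Constructed sample inventory (hypothetical devices and passwords).
SAMPLE_DEVICES = [
    {"name": "nanny-cam", "username": "admin", "password": "admin",
     "firmware": "1.0.2", "latest_firmware": "1.4.0"},
    {"name": "thermostat", "username": "home", "password": "123456",
     "firmware": "2.1", "latest_firmware": "2.1"},
    {"name": "door-lock", "username": "owner", "password": "T7#kpw-Lantern-92",
     "firmware": "3.3", "latest_firmware": "3.3"},
    {"name": "garage-hub", "username": "owner", "password": "T7#kpw-Lantern-92",
     "firmware": "1.9", "latest_firmware": "1.9"},
    {"name": "router", "username": "netadmin", "password": "vR4!quiet-Orchard-58",
     "firmware": "5.0", "latest_firmware": "5.0"},
]

def is_simple_sequence(password):
    """True for runs such as '123456', 'abcdef', '987654' or 'aaaaaa'."""
    if len(password) < 2:
        return True  # empty or single-character passwords are trivially guessable
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def audit(devices):
    """Return {device name: [findings]}; devices with no findings are omitted."""
    shared = defaultdict(list)  # password -> names of devices using it
    for d in devices:
        shared[d["password"]].append(d["name"])
    findings = defaultdict(list)
    for d in devices:
        name, user, pw = d["name"], d["username"], d["password"]
        if (user.lower(), pw.lower()) in DEFAULT_CREDENTIALS:
            findings[name].append("default credentials")
        if is_simple_sequence(pw) or pw.lower() in COMMON_PASSWORDS:
            findings[name].append("easy-to-guess password")
        others = [n for n in shared[pw] if n != name]
        if others:
            findings[name].append("password reused on " + ", ".join(others))
        if d["firmware"] != d["latest_firmware"]:
            findings[name].append("firmware update available")
    return dict(findings)

if __name__ == "__main__":
    for device, problems in audit(SAMPLE_DEVICES).items():
        print(device + ": " + "; ".join(problems))
```

The `latest_firmware` value is assumed to be filled in by hand from each vendor's support page; the script does not contact any device or service.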
Wi-Fi networks should also be kept as airtight as possible. Start by checking to see what type of encryption your router is using, and research the encryption methods used by any security solution you’re thinking of purchasing. You should seek out devices that employ Advanced Encryption Standard (AES) with a key size of at least 128 bits. This will help prevent someone from being able to decipher the signals sent between the components of the system, even if they’re able to intercept them. Beef up your system’s security even further by setting up your own private VPN network.
Mobile phones typically function as the “hub” of all automated endeavors. Therefore, it’s crucial that yours remain under a close watch at all times. If your smartphone app can unlock your front door or ramp up the thermostat in the midst of winter, it’s vital that you take steps to prevent others from being able to use it without your knowledge. At a minimum, you should enable the lock screen function and download an app that will trace the location of your phone in case it goes missing. As always, do your research carefully because these types of apps may themselves be subject to security vulnerabilities.
Biometric means of user identification, such as fingerprints and retina scans, might make passwords obsolete in the future. But for now, average consumer products largely remain beholden to chains of upper and lowercase letters, numbers, and special characters to ensure their security. “Smart” home products, like other devices equipped with wireless capabilities, are not immune to the risk of cyber threats. And because they are typically charged with the important responsibility of guarding your home and its interior functions, their security settings should be configured for maximum safety. By remaining vigilant and carefully considering every piece of equipment you buy, you can avoid problems that have plagued others who have not been as circumspect—and enjoy your smart home’s convenient, well-connected capabilities to the fullest.
mark wilson says
Very good article. The gotcha is the “government” is going to enforce a standard or multiple standards of security. Two things: 1. Any “standard” can be cracked…or 2. Who says which government agencies will have direct access to a homeowner’s smart systems/security etc…
Seems everything done by our governments at any level has a lot of great stuff on the surface but the real basis for it is deep below what’s stated. Can’t blame one party or the other, they all do it IMHO!
I think the best way is something in the industry like the Cyber Threat Alliance taking the issue on …