Your smart-home devices might be smart, but are they secure?
March 8, 2015 12:00 AM
If you can control smart-home devices via the Internet, chances are good that some even smarter stranger with hacking skills could do the same.
By Maria Sciullo / Pittsburgh Post-Gazette
When cavemen sat around a fire, they probably didn’t give much thought to the potential risks. It was fire, and fire was good.
Fast-forward to 2015, when the same sort of “wow” factor exists with smart-home devices. A thermostat that recognizes it’s time to heat up the house when you wake up? Lights that brighten or dim, turn on and off with the touch of a smart-home app? A front-door lock with multiple electronic “keys” that allow the dog walker into your house during a certain window each day?
Who wouldn’t enjoy such modern marvels? Yet they come with risks. The very thing that makes a smart device smart is its connectivity. Systems with names like Z-Wave and ZigBee join familiar technologies such as Wi-Fi and Bluetooth in creating what’s known as the “Internet of Things,” IoT for short.
Products often rely on mobile apps to connect to cloud-based servers in order for you to “talk” to your security cameras. If you can control smart devices via the Internet, chances are good that some even smarter stranger with hacking skills might stand a chance of doing so.
“Consumers should think hard about the benefits they will gain from an IoT device, and weigh those against a ‘worst-case’ risk,” said Mark Stanislav, a Rapid7 senior security consultant and member of BuildItSecure.ly, a pro-bono industry initiative that helps vendors create more secure products.
Rapid7 helps companies manage security services.
“For instance, is the Internet-connected Web camera you want to put into your home worth the potential risk that someone on the Internet may be able to snoop on it if a flaw is found? It’s worth thinking about the placement of a device like that and how much privacy would be lost in that sort of scenario.
“This simple ‘risk-versus-reward’ is a great test for consumers to make any time they are about to purchase an IoT device,” Mr. Stanislav said.
Not to be confused with the potentially bigger risk of losing private data — well publicized in the recent Sony hack — this smaller-scale invasion can nonetheless be disastrous. That smart oven could be turned up to the highest setting, causing a fire. That smart thermostat could be lowered or shut off in winter, leading to burst pipes if a malicious hacker knew the family was away.
“If someone wants to break into a home today, well, they could just check for open doors or maybe jimmy the locks. But in the future, where most people’s homes will have smart locks ... someone could basically hack those locks and a person could literally just walk into the house,” said Nicholas Percoco, vice president of strategic services at Rapid7.
“As we purchase more smart devices, they increase the number of entry points an intruder could exploit. ... Some of the developers entering the IoT market, unlike hardware and software companies, have not spent decades thinking about how to secure their products and services from hackers,” she said.
According to a recent Consumer Electronics Association and Parks Associates survey, 48 percent of those surveyed who own a smart-home device are under 35 years old. For many, thermostats and light bulbs are the entry-level choice.
“If you’re going to go with a smart device for your home, you’re going to go with a thermostat,” said Mr. Percoco, who co-founded with Josh Corman the loosely knit worldwide organization I Am the Cavalry, which began two years ago after a DEFCON talk that emphasized the figurative cavalry wasn’t coming to save the Internet from security risks.
“It falls to us in the security community to actively engage with manufacturers, to reassert the types of products that are being released, to identify these issues but also to get these issues fixed.”
There are two ways for consumers to go with home automation, because products that work with one system won’t necessarily work with others. Bigger vendors, such as Comcast’s Xfinity Home or AT&T’s Digital Life, offer one-stop shopping for home automation and security. They sell packages of products and services, including security cameras and the means to monitor them from miles away. Apple HomeKit, which has not yet been released, will add to the dizzying array of choices.
“It’s definitely a concern that we have acknowledged,” said Dan Herscovici, senior vice president and general manager of Xfinity Home. “We have industry-grade encryption, and we also have white-hat hackers that we enlist to test our platform.”
Such huge vendors often use third-party hardware and software, but “often do have more advanced information security practices and therefore are likely to stop some of the more catastrophic bugs before they are released into a consumer’s hands,” Mr. Stanislav said.
Smaller product developers often bring higher-end products to the IoT, but buyers must choose carefully.
“In the IoT world, you have manufacturers popping up left and right. You also have ones that are very, very accelerated in trying to come to market as fast as they can,” Mr. Percoco said. “Say there’s an idea for a Kickstarter device. They go out and raise $3 million and they start building it.
“Of course, they want to ship that out as quickly as possible to keep the Kickstarter investors happy, and also so they can sell it. And what is often seen is that when those types of technologies are born and they go right from the idea to the consumer, there are a lot of things that are not paid attention to, from a security standpoint.”
So it’s up to the consumer to be diligent. Change the default passwords. Understand how to apply updates.
Mr. Percoco noted, “there is a certain hygiene that must be followed to make sure all of this is secure. Consumers must choose good passwords. They have to apply patches and updates. ... Some of the updates are automatic so you don’t have to worry about that as a consumer, but some actually wait for you to log into the interface then say, ‘There’s a new update. Would you like to apply it?’”
Nest, which makes a thermostat that is possibly the highest-profile smart-home device in the U.S., is now owned by Google. That, Mr. Stanislav said, has its pros and cons because data collection is another aspect of using smart-home products, and another story for another day.
“Companies like Google have extremely advanced security teams, and they are quite apt to provide beyond-average assurances that their technologies are built and maintained in a secure manner.
“That being said, Google also has deep interests in data and analytics, which could mean your privacy in various forms may be more at risk than with vendors who are simply product companies.
“As the Internet of Things matures, we’ll see more of these big players purchasing smaller brands, which should hopefully have net-positive benefits to IoT security,” he said.
“Right now, IoT is a bit of a Wild West and larger vendors tend to smooth off rough edges when technologies are in flux.”