There are fascinating and potentially very helpful smart gadgets being introduced every day into the consumer market. Particularly to create “smart homes” that will make refrigerators, lights, doors, and anything else that can be connected online (so basically anything) Wi-Fi enabled so that you can control, check on, record, and lock them, just to name just a few of the possibilities, from anywhere with a handy dandy app or mobile device.
Wow! This is exciting! We can shut the garage door that we forgot to close when we went to the airport. Nice. Or see that we left one of our children at home alone. Whew; saved from riding in an ice truck with a polka band! Or be alerted when someone is at our door. The age of the Jetson’s has almost arrived!
But wait. Those smart home gadgets certainly allow you to do amazing things when you are far away from home, but does that mean that others could also do the same things? Would you want to have someone else controlling your smart locks and entering your house when you are away? Or, have someone viewing your in-home video monitor? Or getting data from those devices and then using it in ways that could harm you or others in your house in some way?
These are important questions to answer. Most smart gadgets do not have security built in. Many that have security controls have not implemented them to actually be secure. Without effective security built in, it risks to not only the control of your device, but also brings risks to your safety, depending upon the purpose of the device.
And also consider that smart home devices collect a lot of data. To whom are all those devices sending all that data? Are they entities that you even want to have the data?
Let’s think about these issues as they relate to three types of smart home devices.
The (Not So) Smart Doorbell
Smart doorbells are generally marketed as physical security/safety tools. They are connect to the Internet via home Wi-Fi networks and tout the ability to automatically lock doors and send notifications to your smartphone when people approach and hang around your home. Some also come with a video feed and intercom capability to show you who is at your house, and allow you to talk to them, even when you are far away from your house. Brilliant idea! What could be the problem with this nifty safety tool?
Here are some security and privacy questions to ask those smart doorbell vendors:
- Are those connections to the Internet encrypted?
- Is authentication required to get access to the doorbell app on your smartphone?
- How is the password access controlled?
- Are any of the data or video feeds being sent to and stored in the vendor’s, or their contractors’, cloud servers?
- What other types of data is being collected from those using the smart doorbells?
- How are the devices physically secured?
And the list could go on. You may think, why worry about physical security of the devices. But think about it; the tiny computer controlling the gadget is located within it. So, physical access to the gadget could give access to the controls and data.
Vulnerabilities in the physical security have already been exploited. One smart doorbell security device was recently reported to be unsecure. It attached to the house with two screws. By unscrewing the device and pressing the setup button, anyone can get the password from the configuration URL shown.
The (Not So) Smart Thermostat
Many smart home environment controllers and smart thermostats are coming onto the market. These clever tools can give those using them the ability to do such thing as turning appliances on and off, checking on electricity usage throughout the smart home, and target areas where there may be electricity leaks, and control thermostats, just to name a few. Nice! If I’m on a trip to another country, I’d love to be able to have such controls to make it look like someone is in the house. No security or privacy worries about how it works?
That depends upon how the vendors answer security and privacy questions such as these:
- How is the communication to the Internet secured?
- Is the data collected from the home and app shared with any third parties? If yes, which ones, and for what purposes?
- Is any of the data collected published online? If yes, for what purposes?
- How are the physical controllers within the home secured?
Yes, this list could go on as well. And yes, such a home environment controller has already been reported to have such security and privacy weaknesses. The FTC recently reported results of security testing for a popular smart thermostat. Their research revealed that the thermostat sent location data in clear text, so could be easily intercepted on a public Wi-Fi.
The (Not So) Smart Webcam
I have two children. They are now teens. I would have loved being able to look in on them as they slept in their rooms from a remote location when I was doing business travel when they were babies. There are now a wide variety of Wi-FI connected smart webcams that livestream video feeds to websites and/or smartphones giving anxious parents views into their homes to check on their children, and often the caregivers that they have entrusted with their care. No problems with this, right?
Again security and privacy must be considered. Ask the vendor these questions:
- Do others have access to the livestream images?
- Are copies of the videos stored somewhere?
- Do the webcams all use the same default password?
- Are passwords encrypted in storage?
Déjà vu, the list could go on. And unsecured webcams have already livestreamed thousands of images of people’s rooms, and those within them, worldwide. Often by vigilantes who want to expose the security vulnerabilities within the smart webcams. For example, recently a mother whose three-year-old was always afraid to sleep at night walked by the toddler’s room and heard a man’s voice saying, “Wake up little boy, daddy’s looking for you.” When she walked into the room the monitor lens turned towards her and the voice said, “look someone’s coming into view.” The lack of good security had let strangers enter the room through the baby monitor. Another couple recently found photos of their baby online, which they learned were taken by someone who got access to their baby monitor and took them.
Lesson: Truly Smart Gadgets Have Security & Privacy Built In
So, are smart homes privacy dumb? You need to determine this. Before you use smart gadgets, make sure they have necessary security and privacy controls build it. If you are building smart gadgets, make sure you are building in such controls. At a minimum these controls need to:
- Require authentication to access the device
- Not allow authentication bypass to get into the device
- Require strong passwords
- Not have hardcoded passwords
- Encrypt the data
- Log device changes and other key activities
- Not have backdoors built in
- Give the users the ability to set and change security and privacy controls
- Not store videos, audio or other data to the cloud without first getting consent from the users
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: data security, Internet of Things, IoT, privacy, smart homes