As homes grow in intelligence and ubiquity, savvy smart home owners need to be asking themselves the right questions – and demanding secure products from vendors, argues DW’s Janelle Dumalaon.
Mark Rittmann officially achieved internet fame on 11 October 2016. It was the day he documented an epic 11-hour struggle to get his Smarter iKettle to boil water for much needed tea, amid the opposing powers of forced debugging, a base station reset and what looked like general connectivity issues.
His eventually victorious quest to wrestle a cup of tea from a rogue smart kettle became the go-to example for those debating whether having devices be smarter – and therefore more cost- and energy-saving – necessarily translates into having an easier life.
But that might be the most harmless of the questions that loom large as the Internet of Things looks set to expand. Estimates run up to 50 billion connected devices by 2020. It’s a hotly contested number, but few would doubt the almost unimaginable scale of IoT, with zettabytes of data flying in all directions.
Unleashed data trauma
In a smart home, the mountain of data collected from smart meters and smart appliances help paint a picture of the smart home inhabitants’ characteristics – their level of wealth, their usage habits, when they’re home, how many people live in the house and so on.
That it’s unclear what’s being done with the data is uncomfortable enough. But badly protected smart devices could provide the way in for hackers to the entire home network – and beyond.
“There is an alarmingly high number of open smart home components directly accessible via the internet and vulnerable to attackers,” said Michael Veit, a security specialist at Sophos. “Most of the components are designed for easy management, they’re not designed with a focus on security.”
A little over a week after Rittmann’s comical showdown with his tea kettle took social media by storm, the largest distributed-denial-of-service attack (DDoS) brought widely-used sites like Amazon, Etsy, Twitter, and PayPal to their knees.
Anonymous and New World Hackers claimed to be responsible for unleashing the Mirai malware on insecure household devices like printers, baby monitors and surveillance cameras – turning them into so-called botnets carrying out the DDoS attack.
It’s hard to communicate how not changing the default password on your smart toothbrush could lead to the collapse of e-commerce. Or at the very least be the weak link allowing hackers a way in.
“Whether customers are well-informed about the risks around smart products is only a small part of it,” said Christian Funk, the head of Kaspersky’s Global Research and Analysis Team in Germany. “Primarily it’s the manufacturer’s responsibility to make sure they’re selling secure devices.”
Often, smart device vendors fail to provide updates to their products, even as vulnerabilities emerge.
Warnings not heeded?
“The cybersecurity community does a good job staying ahead, keeping up with trends, although of course 100 percent protection is just wishful thinking,” said Funk. “But the security community can only issue warnings and notify manufacturers when we’ve discovered weaknesses. In the end the manufacturers design and distribute their products themselves.”
Smart home owners would be best advised to take the same security measures a small company would, keeping up with a regular regimen of password changes and product updates – if available – from the vendor. And most importantly, Veit says to divide and conquer.
“Do segmentation from inside your network,” said Veit. “That means that the controls for the alarm systems, or the doors, aren’t in the same network as a home office or other home entertainment networks. Keep different networks with different functions separate.”
Ikea has just unveiled a new smart lighting line-up. Google has also just announced updates integrating new products to its smart speaker, allowing the voice-activated device to control sprinklers, thermostats and smart locks. The march of smart devices into households progresses inexorably, requiring behavioral adjustments from users, manufacturers and the security community.