Security: Hacking Your Home From Afar

Old-fashioned devices like analog thermostats or key locks have physical security built in. I can’t adjust your thermostat without access to your home. You can’t get physical access to a home without a physical key. As long as you have your keys, you’re safe, right? That security isn’t absolute. I can think of at least a half dozen people who might have my house keys. A few friends have them in case of an emergency, but so do my dog walker and the housekeeping company. Some of those friends moved away, so I don’t know what they did with their copy of my house keys. I should rekey the locks. If I did get locked out of my home, a locksmith could let someone in the house. I’d hope they’d verify who I am. One unprofessional locksmith could disable my physical security.

I’m not too worried about some rogue person gaining access to my house and making it too cold. If they get in, they’ll probably steal my TV and computers. Fortunately, I have my computer backed up. My neighbors might wonder why a stranger is walking out with my stuff. Hopefully, they’re the real-world version of two-factor authentication. With my devices and home always online, though, any hacker anywhere in the world can potentially get into my home. They don’t need physical access. They can’t steal the TV, but they could change the channels. They could make my home freezing cold and cost me a ton on my utilities. Worst of all, my private moments at home could be broadcast over the internet. Just like physical access to my home, I can try to prevent problems, but I can’t eliminate all risks.

Privacy and Too Much Information

Hackers aren’t the only threat to your privacy. You are. With cameras, sensors, and recorders, your IoT never forgets. You know everything that goes on in your home, even if you want to forget. When I was a teenager, I had a curfew. If Mom and Dad were already asleep when I came home, I could fudge my arrival time. With a contact sensor on the front door, Mom and Dad could be notified about my exact arrival time. Even among married couples, the question “what time did you get home?” loses its meaning in a smart home.

True story: I was in a fight with my spouse about what I said during an argument. I was able to pull up the camera from that room and play back the conversation. I was right about what I said, but I was quite wrong about the way I proved I was right. The argument escalated rather than terminated. Even if we agree as a family not to look at the security logs, that doesn’t stop the government from looking. Right now, it is possible that I could lose control of the devices in my home if a court allowed it. These devices offer no protection for children’s privacy and might violate the law.

More Points of Failure

When a standard light doesn’t turn on, the problem is almost always a bad bulb. The problem could be electrical, like a bad circuit or just a bad lamp. With an IoT-enabled light, you’ve now introduced a whole new set of challenges. The problem could be in the light controller, the app, the hub, and a whole long list of other things. How many programmers does it take to screw in a light bulb…an entire team with IoT. If the illumination problem is just a bad bulb, that bulb costs much more than a standard light bulb. The “smart” functions of the bulb might fail before the LED does. Unlike a regular bulb, you can’t just run down to a hardware store to replace a smart bulb. Not every store will carry bulbs compatible with your system.

Another true story: I thought for sure our air conditioner wasn’t working. The house was warm when I got home, but the Nest was set to keep it at a cool 70 degrees as soon as I got near the house. I paid for a service call to our home, and they couldn’t find anything wrong. I later realized I wrote an IFTTT script to warm the house when I got near it. I didn’t turn that off during the summer. I was heating the house instead of cooling it! Programming errors like this don’t just cause unexpected results. With these mistakes, your utility bill might go up, or you might damage your equipment. The HVAC service people said I could have damaged my AC, forcing it to cycle that much. So much for my little trick to save money on heating and cooling when I’m not home.

House guests in an IoT home may need a manual to turn the lights on. That light switch doesn’t always control the lights; the motion sensor does. Guests may find it creepy later that you monitored their movements and activities.

When we have an internet outage at home, it is a problem. Our smart home instantly turns dumb. Our computers can tether to our mobile devices, but now we can’t control our devices in the house. Turning on the light again becomes a big deal.

Abandoned (Or Just Flaky) Equipment And Platforms

First, you spend a ton of money decking out your home with the latest IoT gadgets. Then, you find later that the manufacturer stepped out of the industry. That happened to Revolv owners when Google abandoned them after they acquired the Nest. Even if the company is still in business, they might stop making updates for your stuff. They might tell you that you need a “2nd generation or higher” switch or plug if you want to be compatible with the current generation. You’ll be running the Windows XP version of devices in a Windows 7 world.

Another true story: A botched security update to one of my smart plugs completely messed up the programming. I had to reset it to remove the bad firmware and do the setup process repeatedly. A quick “would you like to update?” promptly turned into an hour-long ordeal.

Solutions

Device Level Security

Buy Quality Hardware From Reputable Vendors

Security begins at the device level. This tip is true for IoT and other technology. Cheap hardware comes at a price. Some tablets come with built-in security flaws. Even quality products from Dell and Lenovo have security issues. If a product seems too cheap, be wary. If a product is new to the market, wait until users find the security flaws. I always wait until at least one update occurs before I buy it.

Reset the Device

That camera or light switch comes with some default settings. Those should be okay for most people, but I like to be extra cautious. If you’re buying from a brick-and-mortar store, your product could be a return. Resetting it eliminates all doubt.

Check For Updates, Everywhere

The obvious stuff you should update is the IoT device. All aspects of your network need an audit for security flaws to be safe. Our computers and mobile devices check for updates, but routers, modems, and gateways don’t keep watch as closely. If you get your modem or router from your ISP, you’re at their mercy for an update. If you reboot the modem or router, it might check for its update on restart.

Change the Dumb Defaults

Some of these devices have a great user experience. Turn on the device, download the app, and you’re done. That’s a problem. A setup that quick keeps all the security flaws and default passwords in place. Try to customize your settings as much as you can. Instead of leaving devices named DEVICE1 or CAMERA2, give each one a unique name. This change not only makes each device easy to find, it also means hackers can’t assume the names of your stuff. Security company Bulldog has a site that helps you find any holes in the security of your IoT.

Use Proper Password Hygiene

If you aren’t using a password manager, then don’t install IoT devices. Unique and complex passwords are your first line of defense against hackers. Every device should have its own password that isn’t used anywhere else. That list includes IoT devices, email addresses, routers, and online accounts. In particular, email accounts need extra security. You might have an excellent password for your Nest thermostat, but don’t forget passwords can be reset. If someone can use the “forgot password” option and then access your associated email, your Nest password is irrelevant.

Along those same lines, you need to beef up your security on any platform that can access your IoT devices. If you’re using a mobile phone or tablet, set a secure password on them. For desktops, especially laptops, set up encryption on the drive if you use them to access your IoT. Passwords on computers are easy to crack. If your home device passwords are saved in the browser or app, you just let in a hacker. Sure, IoT makes things a lot easier around the home. However, you need to keep it secure, which might sound like a pain, but always remember — convenience is the enemy of security.
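The checks above (no default names, one unique password per device, and a recovery email at least as strong as the device it can reset) can be run over your own device list. This is an added example, not part of the original article; the inventory, the name patterns, the common-password list, and the 12-character threshold are all assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample inventory (hypothetical names and passwords, not real devices).
# "recovery" names the account that receives that entry's password-reset email.
INVENTORY = [
    {"name": "CAMERA2", "password": "admin", "recovery": "home-email"},
    {"name": "porch-cam", "password": "T7#qLw9!vRz2", "recovery": "home-email"},
    {"name": "thermostat", "password": "Zx4$Kp81mNq@", "recovery": "home-email"},
    {"name": "router", "password": "Zx4$Kp81mNq@", "recovery": None},
    {"name": "home-email", "password": "summer2016", "recovery": None},
]

DEFAULT_NAME = re.compile(r"^(DEVICE|CAMERA|PLUG|SWITCH)\d*$", re.IGNORECASE)
COMMON = {"admin", "password", "12345", "default"}  # assumed short list

def fingerprint(pw):
    # Compare hashes so the audit never has to store or print a password.
    return hashlib.sha256(pw.encode()).hexdigest()

def is_weak(pw):
    return pw.lower() in COMMON or len(pw) < 12

def audit(inventory):
    by_name = {d["name"]: d for d in inventory}
    seen = defaultdict(list)
    for d in inventory:
        seen[fingerprint(d["password"])].append(d["name"])
    findings = defaultdict(set)
    for d in inventory:
        name = d["name"]
        if DEFAULT_NAME.match(name):
            findings[name].add("default-name")
        if is_weak(d["password"]):
            findings[name].add("weak-password")
        if len(seen[fingerprint(d["password"])]) > 1:
            findings[name].add("reused-password")
        # Follow the reset chain: a weak recovery account undoes a strong password.
        hop, visited = d["recovery"], set()
        while hop in by_name and hop not in visited:
            visited.add(hop)
            if is_weak(by_name[hop]["password"]):
                findings[name].add("weak-recovery:" + hop)
            hop = by_name[hop]["recovery"]
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

In the sample, porch-cam has a strong, unique password and is still flagged, because the email account that can reset it is weak.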

Privacy: Setting Some Ground Rules

A camera in every room and a sensor on every door leads to an overflow of information. That’s why you need to plan out where you’re going to put stuff and leave certain places private.

After I had the unfortunate proof I was right in my argument with my spouse, we vowed never to look at these logs to settle an argument. We won’t use the sensors to determine when the other came home. More information can lead to mistrust. Even if the door sensor shows the door opening at 3 am, it could be because someone got home late. The alert could also be that the dog needed to go out. In an emergency, use as many sensors as necessary, but please use discretion. If you realize a bunch of sensors is going off when you expect nobody at home, it could be because someone is setting up for a surprise party. Another personal story: be careful showing off your smart home if you don’t live alone. Remotely engaging a camera to show your home can lead to some embarrassment. Most of our household rules developed from mistakes. If you set some rules beforehand, you’ll reduce these problems. Realize everyone in your home or business will make mistakes and overstep someone else’s privacy. Forgiving someone in advance goes a long way in mending these wounds.

Equipment Problems and Abandonment: Annoying but Rare

The more a device does, the more that can go wrong. That’s true for IoT or any other computing device. My old flip mobile phone never crashed or needed updates. It just worked until the government got rid of the analog spectrum. The government also rendered my old analog TV useless. I’m not complaining they did that, but obsolescence is part of modern life.

Don’t get me wrong. I worry about the costs and problems of my IoT stuff. I focus on the benefits, though. My smart plug worked for years, saving me time and money. That hour of resetting was about as annoying as Windows wanting to update when I shut down the computer. If a company stops supporting the product, I’m annoyed. My drawer of devices with 30-pin Apple connectors is a walk down memory lane. I try to focus on the benefits I have already received.

Your Moment of Zen

Like most technology, IoT is a blessing and a curse. Along with the impressive benefits come terrifying risks. You might be safer from digital trespass with a physical lock, but then you’ll lose the advantages of recording a theft in action. You can’t get malware on your computer if you don’t go on the Internet or plug anything into it. You’re unlikely to get into a car accident if you keep your car parked in the driveway. Approach IoT slowly and deliberately. Make security your top priority, and realize you’ll run into some snags. If there is one thing to remember, remember this. Do not pull up a video of an argument and say, “I was right.” You’ll be wrong because you pulled up the video!