Home automation systems are becoming smarter and more connected with the launch of every new product and platform. As more of our homes come online, our day-to-day routines become more convenient and more efficient. They also, however, become more accessible to others.
Figure 1: As more of our homes come online, they become more accessible to others.
While there are clear benefits to automating the home, it's important that users become aware of what they might be giving up in return. And what is being given up is data.
People know that their data is valuable, but it can be valuable to different groups for wildly different reasons, ranging from the slightly unnerving, to the creepy, to the downright dangerous.
For example, a home automation platform that knows which household member is at home at any given time may offer convenience by adjusting temperature and lighting to that person's preferences, but for the platform supplier, the value of this data could be in knowing that now is the perfect time to display certain highly targeted and individualized advertisements on your connected smart TV.
The precedent already exists. Over 10 years ago telecom companies were reportedly selling home internet usage data (indicating when people were at home) to telemarketing companies so that they could call potential customers during the times people would be there to pick up the phone. Now think about how much simpler and more highly targeted a fully connected home could make it for companies trying to sell you things.
Samsung recently admitted that its smart TVs would record your living room chatter. Creepier still, the company's small print says that its Smart TV's voice recognition system will not only capture your private conversations, but also pass them on to third parties. In its defense, Samsung says it takes consumer privacy "very seriously" and notes that all its Smart TVs employ "industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorized collection or use."
At the extreme, and illegal, side of the equation, automated systems that know when a person or family is home can also be hacked or used by burglars targeting a home or neighborhood.
"Each smart device we add to a home is equivalent to adding another door or window. Without the proper embedded security within the device, the lock is nonexistent," says Dip Patel, co-founder of Ecovent. Patel has been leading the call that smart home automation devices are lacking in security features and leave homeowners open to attacks on their home networks and devices.
"It's so easy to connect things to the internet these days, but the harsh reality is that smart devices can be dumb when it comes to security," he adds. "Anyone with a little more-than-basic understanding of computers can gain access to a home network and any devices connected to it."
Figure 2: "Smart devices can be dumb when it comes to security."
Security on most of the devices was found not only to be severely lacking, but was sometimes completely nonexistent. Case in point, Symantec found that one in five devices did not encrypt communications and many did not lock out attackers after multiple password attempts.
Zach Feldman, chief academic officer and co-founder of the New York Code and Design Academy, says he personally uses a lot of home automation products in his apartment. Feldman claims that while most of the ones he's used are secured "decently well" with OAuth2 authentication to access control points, and that "usually" all inbound and outbound traffic is encrypted with SSL, "programming novices trying to have fun with their devices and publishing their code online do risk publishing API keys and other sensitive authentication data. If the wrong key is pushed out, some funny and occasionally messed-up things might happen."
Feldman goes on to explain that if someone were to find his Nest API key, they could "pretty much bake me or freeze me out of my apartment," and the only way to stop them would be to revoke/change the key, though it would require a certain level of awareness and technical ability.
Feldman's hypothetical is not entirely hypothetical. A recent Reddit user famously boasted about how he got revenge on a cheating ex by taking control of her home thermostat, jacking up temperatures while his ex and her current lover were away and lowering it again once they returned home, to hike up their electricity bill.
While temperature hacking may be seen as annoying but mostly harmless, Feldman says the home automation device he's most worried about being hacked is his August smart lock, an Internet of Things (IoT)enabled padlock. "It's one thing to come home to your apartment being too hot or too cold but a whole different ballgame to find your home broken into by hackers with the right API key!" he says, adding that his advice to people who want to hack their home automation components is to "make sure to use environment variables to store sensitive credentials rather than hard-coding them into your in-progress software."
That's all well and good for the technically savvy, but what about those with little technical knowledge who have simply been persuaded to buy the latest and greatest connected gizmo that purportedly increases the safety of their homes and loved ones?
Lisa Hoffman of HTE (Home Technology Experts) agrees, noting that the biggest issue really occurs with DIY home automation, people installing a camera or lock and forgetting about it. "Even though the manufacturer is sending them emails warning about issues, telling them to install updates, they are busy and don't apply them. If they had a huge hole in a fence or no locks on their doors, they would fix it, but because they can't physically see the security breach, they ignore it until it's too late."
Perhaps the most terrifying tale of home automation gone wrong is that of a couple in Cincinnati whose baby-monitoring camera had been hacked and was being controlled by a virtual intruder.
Figure 3: A baby-monitoring camera was being controlled by a virtual intruder who was shouting "Wake up, baby!" from the monitor.
The Cincinnati couple reportedly felt "violated" and helpless when, in the middle of the night, they heard a male voice screaming from inside their daughter's bedroom. Rushing in, they found the camera pointed straight at them and the "intruder" screaming "wake up baby" and a host of obscenities - this, from a device primarily created to put parents at ease.
The U.S. government has started to show some concern, with the FTC declaring better oversight of the industry through the introduction of a new Bureau of Consumer Protection division - the Office of Technology Research and Investigation - which will be tasked to oversee everything smart device related, from Apple Pay to Nest.
Whether the government will be able to keep pace with the rate at which smart devices are launched and updated, however, is highly doubtful.
Ashley Schwartau, creative director and head of production at The Security Awareness Company, thinks the potential problems with home automation don't just emanate from malicious hacking.
"Let's say you have all of your devices connected and linked to apps on your smartphone - you can control your lights, music, TV, AC and the internet from one device. Sounds awesome, right? Puts you in control, right? What happens when that phone freezes and stops responding to your commands? This brings us to the problem of having a single point of failure. It's like putting all of your eggs in one basket," she notes.
Something all the experts agree on is that there is very little point to the added convenience and connectivity of smart embedded home automation devices if part of the price is an open door for hackers.
Many believe that the smart home security problem needs to be solved at the device and system levels and that companies need to design devices and cloud architectures with security in mind from the get-go, rather than as an afterthought.
"It isn't enough to have a security consultant offer insight at the end of the design process," says Patel. "Security experts need to have the same credibility and respect that the industry gives UX gurus and software developers. Security teams need to be given a full seat at the table throughout the entire design and build process. Security should not be seen as a cost center - it should be seen as a core function of the business!"
The best way to avoid being hacked, says Hoffman, is to have a secure network and hire a custom integrator that is both knowledgeable and ethical. "IT networks are the base of home automation. If the network is compromised, the automation is compromised."
Original text: http://br.mouser.com/publicrelations_techarticle_smartlightsdarkside_2015final/
