Smart Homes Can Be Safe Homes
Examining the security behind smart home appliances
By Will Uhl | Images courtesy of Shutterstock.com
In the 1930s, innovators fantasized about the “Homes of Tomorrow”: futuristic houses integrating imaginative, far-flung technology. Nearly a century later, more and more homes are integrating technology that aims to simplify and streamline. Lights shift their intensity and hue with the time of day, doors lock when they see unrecognized faces, and cameras watch for intruders. However, as computers have evolved from calculators to ubiquitous networked communications devices, security and privacy concerns have grown more serious and frequent — and smart home devices are no exception.
Whether it’s as small as Amazon’s Alexa or as extensive as a home alarm system, smart home devices are almost everywhere; according to studies from Statista.com, 23 billion internet-connected devices are already online. That number is only going to rise — research says the worldwide market size for smart homes will reach $53.5 billion in 2023. As more and more types of appliances are getting internet-enabled equivalents, appliance companies are scrambling to keep up with tech giants. However, despite all of the money going into the industry, it’s not clear if the devices are getting safer.
Richard Stallman, a pioneer in programming and an activist for free software, has warned followers about the Internet of Things (IoT) — the networking of physical devices, appliances, vehicles, and other objects. More than five years ago, in the article “Free Software Is Even More Important Now,” he wrote: “the use of nonfree software in the ‘internet of things’ would turn it into the ‘internet of telemarketers’ as well as the ‘internet of snoopers.’” Then, the question was how much the National Security Agency is listening to American citizens. Now, articles regularly crop up about exactly how much Amazon’s Alexa knows about us, and to whom that information is being sold.
To answer questions like those, a group of researchers from Princeton University and the University of California, Berkeley work at the Internet of Things (IoT) Smart House, their home base for studying smart devices for security and privacy flaws. They use the house as a testing environment, and it is filled with all manner of smart products ranging from Amazon Echos to internet-active children’s toys. A short walk from Princeton University, it blends in easily with the surrounding neighborhood.
Inside, LCD screens glow, their networked devices awaiting input. Some seem excessive — a Samsung smart refrigerator features an integrated smart monitor that functions just like a normal tablet — while others, like the oven that allows remote activation and deactivation, offer obvious benefits. Some are surprisingly innocuous, such as a rubber duck bath toy that monitors the water temperature, plays music, and even doubles as a nightlight. However, while these systems seem sophisticated, they may not be as secure as you would expect.
“What we’ve mostly been surprised about is the lack of basic, well-understood security measures in a lot of these devices,” said Noah Apthorpe, a Ph.D. student at Princeton and a graduate student fellow. Apthorpe has been part of the smart devices research team for the past three years. They expected picking apart smart devices’ security to be like cracking a safe; instead, he said, they found wide-open doors.
“We never really expected to run into a case like [an examination of medical devices], where the fact that someone was using a blood pressure monitor was just being sent in plain text out to the cloud,” said Apthorpe. “Things like that came up frequently enough that it really surprised us. So many devices are lacking the basics [of security] that we expected were already taken care of.”
Encryption is the go-to safety method in communications security — it has become standard enough that, in July 2018, Google Chrome began marking any site not using encryption as insecure. The fact that smart devices, especially ones communicating data like medical information, would lack these basic protections shocked the researchers. “It’s a pretty egregious problem,” said Apthorpe. “You’d expect that to be the baseline for protection, and it turns out that in many cases, that’s not even provided.”
The worst vulnerabilities often involve children. News articles about hacked nanny cams and baby monitors crop up constantly on news sites like ABC, Fox, and NPR. The researchers also found children’s toys that would send reports back to the manufacturer when they ran into software problems — a normal practice in and of itself. However, these reports included personally identifying information, including the child’s age, gender, and geographic location.
There are still plenty of reliable brands and devices consumers can turn to for home automation. “The more well-known technology companies, maybe as you’d expect, tend to do a better job with all these issues, especially on the security side,” said Apthorpe. “Where the problem comes in is that consumers also assume that the well-known non-tech companies will also do the same thing.”
More and more companies have ventured into the smart appliance realm, ranging from tech giants to kitchenware manufacturers. Knowing which to choose can be difficult, but Apthorpe stressed the importance of consumer awareness. “Do some research on the devices before you buy, and see if there have been any published breaches or security issues, looking at both the company and the device,” he said.
For the majority of devices, the privacy concerns differ from user to user. “There are some devices which provide really useful features, and unless you have specific privacy reasons why you don’t want to use those devices, those features likely outweigh the more nebulous concerns we’ve been raising,” said Apthorpe.
With security concerns in mind, smart home devices can help monitor your home, keep organization simple, and reclaim time from your busy day — and you can minimize the risks. Smart homes can be safe homes, but not without smart consumers.