We’re at a tipping point in inviting the next wave of technology into our homes, with capabilities and potential risks an order of magnitude greater than the PC, smart TV (more on that in a moment), or even a Roomba. Spreading from the early adopters, everything can be fair game, including smart lights, thermostats, doorbells, and practically any device within the home that can be connected to the Internet and automated.
This, combined with the quicker-than-expected adoption of intelligent assistants – Amazon’s Alexa, Google’s Assistant/Home, Apple’s Siri/HomeKit, and Microsoft’s Cortana – makes the smart home a mass-market reality for the first time. And another barrier to adoption, interoperability, is now being addressed. Consider the Nest Protect, interoperable with Google, Alexa, IFTTT for the more technical amongst us, and a variety of mainline security products. But as the adage goes, with great power comes great responsibility, both as it relates to security and to privacy.
Mutts with Fleas
In the rush to automate, the smart home market has been a bit of a land grab, with the better-known vendors competing against a plethora of no-name imports. The scary thing here is that the more technically literate are more likely to purchase premium devices, at premium prices, while others make their decision on price alone, bringing into their living room or kid’s bedroom a product with an unknown security pedigree. A mutt, with fleas.
But at least mutts from the animal shelter have their shots! There have already been multiple examples of cameras and other devices either hacked to display their feeds on the Internet or repurposed for botnets. As more devices are cloud-connected, the potential for compromise only increases, and we’ll see more examples of risks such as those identified with Dongguan Diqee 360 vacuum cleaners, a low-cost knockoff of the Roomba. No one is immune, and even well-known brands have their issues. Consider Smart TVs from the likes of Samsung and Vizio, a subset of the vendors under investigation for relaying user viewing data to third parties for gain. I can easily draw the analogy to a certain social network or free email service recently accused of the same.
The Family (Cloud) Sysadmin
In parallel, the role of the family sysadmin is evolving from OS and internet management to understanding and managing cloud services. Intelligent thermostats, security cameras (how many brands do you have installed?), door locks, and even UPSs all require knowledge of connectivity, how the data is stored and secured, whether a path is configured through the home firewall for remote access, and the vendor’s privacy policies. Imagine tracking this across 5-10 separate cloud services!
Back to the intelligent assistants. At least Amazon, Google, and Apple are doing their part to lock down their software and applications, with Amazon in particular having learned its lesson from Alexa. However, as with any software platform, the chances are great that another vulnerability will be found at some point in the future. One option is for the major vendors and their ecosystems to create more stringent certifications for interoperability, much like that which exists on the iOS App Store, with consumers using this as an indicator of a secured device. And the same vendors will need to establish a protocol whereby older devices are patched (not requiring a degree in IT), or recalled if an un-patchable flaw is found. Once again, this is a much more likely scenario for the major ecosystems vs. the no-names.
Potential for Abuse
What happens when devices within the smart home become tools for abuse, not due to hackers or neglect, but out of malicious intent? The NY Times recently addressed the potential for domestic abuse, and many times the most vulnerable don’t have the required control over devices that may have been configured by their abusers. This leads to a difficult situation, as the NY Times pointed out: on one hand a simpler reset is desirable, while on the other it also leads to easier access by hackers. The same ecosystem approach I mentioned earlier could be a path forward, with cloud-based control, but this implies interoperability or vendor lock-in.
A New Privacy Charter
In parallel with the vendors, privacy laws need more teeth, and California’s new consumer privacy act, a less stringent version of the EU’s GDPR, is a step in the right direction. But it only addresses the data, and only that collected from California residents. A parallel act relating to the physical devices is a requirement, where vendors and their hardware with known security faults can be barred. This isn’t that wild a suggestion. Remember the hoverboards and their batteries from a few years back, and how they were banned? A malfunctioning or malicious home automation device has just as much a chance of producing physical harm.
Sure, the recommendations above won’t occur overnight, and in some cases could take a decade or more to reach total clarity, but it is never too soon to begin. And, never too soon to begin the education process, much like kids are warned about the dangers of social networks.
About the Author: David Ginsburg brings to Cavirin over 25 years of experience spanning corporate and product marketing, product management, digital marketing, and marketing automation. Previous roles included CMO at Teridion, Pluribus, Extreme, and Riverstone Networks as well as senior marketing leadership positions at Nortel and Cisco. His expertise spans networking, cloud deployments, and SaaS.
Edited by Ken Briodagh