Posted by: New York Times | January 23, 2019
IoT promises Utopia but delivers a security train wreck. Consumers have virtually no chance of securely setting up a Smart Home because Technocrats have totally underestimated complexity and anti-hacking security. ⁃ TN Editor
New York Times
When a major electronics firm started seeing strange documents being printed out remotely on more than 100 of its smart printers late last year, it frantically contacted the manufacturer to investigate.
The firm nervously wondered how — and why — an unauthorized third party was sending documents to its printers remotely. And worse, it feared its entire corporate network had been breached. The manufacturer immediately called in the big guns, Charles Henderson, global head of X-Force Red, a professional hacking team at IBM Security, for answers.
“Unless you believe in ghosts, you get kind of concerned when your printer just starts printing stuff out that you can’t account for,” said Henderson, who declined to name the firm for privacy reasons.
His team quickly identified the problem as a flaw in the printer’s remote access function, and a patch fixed the vulnerability.
Finding and testing for flaws and breaches in smart devices is Henderson’s specialty. “I run a team of hackers,” is how Henderson describes his role, then clarifying they are paid professional hackers who look for bugs, glitches, and malfunctions.
And with demand for smart devices, ranging from smart lights to outdoor sprinklers, surging in mainstream America, his job has gotten a lot busier.
“We’ve received roughly five times the number of requests for security testing of IoT [internet of things] devices in the last year,” Henderson said. “Growth has been immense over the last year to 18 months.”
Indeed, the soaring popularity of smart speakers, like Amazon Echo and Google Home, is starting to move the “Smart Home” into mainstream America. It’s no longer just tech geeks and phone-obsessed millennials who are scouring the tech universe for information on the next best gadget that lets them control lights, TVs, appliances, door locks, and even lawn sprinklers with a voice command or tap on a smartphone.
But all of this buzz and hype are putting pressure on smart device makers to rush their gadgets into the market while demand is hot — and sometimes, this means security features take a back seat, Henderson said. And cyber criminals are watching.
“Criminals rob banks because that’s where the money is,” said Charles Golvin, senior research director at Gartner, a research and advisory firm. “They’ll commit cyber crimes because that’s where the opportunity is.”
Some get crafty, making mock interfaces on a person’s phone that look like an IoT’s interface login to steal passwords — similar to the way thieves send fake emails to people pretending to be from credit card companies and banks.
Experts caution consumers to research carefully and move diligently when adding smart devices to their home network. “If one device gets compromised, it could be the same as allowing an attacker to plug into the entire network,” giving the criminalcontrol over all devices, Henderson warned.
Concerns about privacy and the complexity of smart home devices are two reasons fully outfitted smart homes are not likely to happen overnight, experts say.
Wanting — and actually installing — smart devices are very different scenarios with the latter requiring patience and diligent research in navigating through a costly, cumbersome and often time-consuming process.
The setup also takes time, as it involves choosing brands and understanding routers, hubs and wireless communications protocols, like ZigBee, Z-Wave, and Bluetooth, so that all of the smart devices can talk to one another.
“If you actually want to make your house do half a dozen of these things, it’s a lot of work,” said Frank Gillett, vice president and principal analyst at Forrester Research. “You need people to be patient and comfortable with working through multiple steps of instruction, and in my observation, a significant amount of the population is not comfortable or patient.”
If you own a lot of different smart devices, it will mean many different apps on your phone. The process of opening and launching an app every time you want to control a device — or remember the exact phrases to get a voice assistant to do it — can be cumbersome and annoying.
One company, Sevenhugs, simplifies this problem.
The firm’s single remote allows a person to control a home’s smart TV, lights, entertainment system, and other connected devices simply by pointing the remote at them. It means family members and guests can access all the smart devices without having to use a personal phone or launch multiple apps, said Simon Tchedikian, founder of Sevenhugs.
Ultimately Tchedikian wants to streamline content as well so that someone could ask for the latest season of the “Game of Thrones” and it would pop up without having to know and specify which streaming service, platform or on-demand service was offering it.
Beside ease of use, privacy and security are critical.
Using smart cameras can be great for remotely monitoring an aging parent or checking whether a child got home from school, but they could be intrusive and even risky if the system is hacked.
To lower risk and security concerns, experts suggest steps people should take when building a smart home.
First, buy quality brands. While some big brands, like Samsung, are leaders in smart appliances, the rest of the smart device world is fragmented, with much of the innovation coming from focused startups and midsize companies.
Some of the current leaders are Philips Hue for lights, Nest and Ecobee for thermostats, Ring for doorbells, and WeMo for light switches and plugs.
If it’s a startup, research the firm and make sure it has a strong online presence, preferably with active user groups discussing the product.
“If they don’t have a budget for an online presence, then they probably don’t have a budget for security,” Henderson said.
Second, security updates are critical. “Most technology companies are going to have vulnerabilities — it’s hard to get everything right” at the start, Henderson said. He recommends checking for patches or firmware updates on the company’s website to make sure it’s on top of security issues.
Third, create strong Wi-Fi passwords and engage two-factor authentication where possible.
Fourth, if you move into a new home, buy a secondhand car, or purchase a used smart device, always make sure previous owners’ accounts aren’t still connected to the hubs, routers and devices.
Henderson recalls selling his smart car and buying a new one from the same manufacturer. When he went to enroll his new car in the auto manufacturer’s app, he discovered his old account had not been deleted from his old convertible.
“They hadn’t revoked my access,” Henderson said. “I could have tracked down my old car using the GPS functionality, I could have unlocked it, honked the horn — I could have made the new owner of my old car think the car was possessed.”
Also, always look at all devices that are connected to your network.
“If you’ve got rogue devices connected to your network, it’s not your network anymore. It’s a shared network,” Henderson said. “If you had access to somebody’s home hub — and that hub had a sprinkler system, light switches and garage door opener connected to it, you could open their garage door, turn on the sprinkler systems, and start flashing the lights.”
Fifth, consumers need to prepare for a smart device’s failure — whether it’s because of a product malfunction or a power or internet outage.
“Turn off power to the devices and unplug the internet and see what happens,” Henderson said. “But you definitely don’t want to wait and find out that they don’t work when you’re standing outside your home trying to get in.”
Being technology, it will malfunction sometimes, whether it’s smart or not.
“Things do break,” Golvin said.
Finding someone to repair that new technology can be challenging — even if it’s made by a big brand.
When Jordan and Ben Feria of Orange Park, Florida, purchased a $4,400 Samsung Family Hub smart refrigerator in late 2017, the refrigerator portion broke down last November, even though the smart features on the outside touch-screen continued to work. The couple took to social media and a local TV station after dozens of technicians were unable to repair it. When the couple contacted Samsung, they were told there was only one authorized technician in Northeast Florida who could handle the repair — and even then, the person was unable to repair it. The couple wound up getting a refund.
A Samsung spokeswoman, Alicia Clarke, described the Ferias’ problem as a “rare experience” and said “the matter was resolved with the consumer,” and noted that the problem was related to the refrigerator’s compressor — not with the smart technology.
“While it is unfortunate that the Ferias had an issue with their refrigerator, the problem was limited to the unit’s compressor, not any of the smart technology incorporated into the Family Hub,” she said.
And finally, in this fiercely competitive and fast-changing space, many smart device makers will implode — and consumers need a fallback plan in place if they do. Even the most promising company can go belly-up without warning.
LightHouse was widely hailed as a trailblazer with its home cameras that offered 3D sensors and artificial intelligence capabilities. Its cameras could monitor with such precision that a voice command asking the app how a vase got broken earlier in the day could pull up the section of video that showed the child or pet who did the deed, said Gillett of Forrester.
LightHouse was viewed as the future. However, the company abruptly closed shop in late 2018, with a note on its webpage, titled “Lights Out” that read: “Unfortunately, we did not achieve the commercial success we were looking for and will be shutting down operations in the near future.”
“This is what happens sometimes with these cool vendors who are ahead of the curve,” Golvin said. “Bleeding edge versus leading edge.”