Smart devices, often collectively referred to as the Internet of Things (IoT), now play a large role in everyday life and can be found in everything from refrigerators to kettles, doorbells to light bulbs, speakers and televisions, and even the kids’ teddies.
Just as sales of early iPhones resulted in a tidal wave of executives demanding to be allowed to use their nifty new gadgets at work, we expect to see a growing number of employees so enamoured with their home IoT devices that they'll clamour for ways to bring these technologies into the office. However, even more concerning than the potential for a new Bring Your Own Device influx is the question of what happens when your workers connect their corporate laptop or phone to a home network rife with an assortment of new and potentially vulnerable devices.
The year of connectivity
The 2018 home has changed dramatically from even 12 months ago. While most of us will have had a broadband connection for many years, we probably only connected a handful of devices, such as PCs or laptops, smartphones and tablets, and perhaps a games console or two. This year, we’ve seen the market flooded with connected devices - practically everything has had an upgrade and is now ‘smarter’, with IDC predicting that worldwide spend on IoT will reach $1.2 trillion in 2022. Ericsson has forecast that cellular IoT connections will reach 3.5 billion in 2023.
What hasn’t changed is what these IoT devices connect to and how they’re controlled or managed. Most homes have a single network - one router configured as a single access point - which can pose a serious risk.
Fortunately, internet providers and router manufacturers are starting to enable “guest” networks as part of the functionality within their consumer products, enabling users to define a segregated network - one for everything trusted, and another for potentially dirty devices - including any item used by a guest.
On the subject of ‘Dirty Devices’
Any smart device should be treated as ‘dirty’ and connected to a separate network - something most security-savvy organisations have been doing for years. Take, for example, the convenience of a smart doorbell which can send notifications directly to a phone when someone is near it, with some models even if they don’t actually press the doorbell. This is a fantastic security measure, but it comes with its own set of risks as there’s no sure-fire way to know whether or not the vendor has taken all steps to ensure the doorbell is secure and up to date.
Conveniences like smart doorbells make life easier, but they should not be housed on the same network containing invaluable personal information or ‘clean’ devices - such as the company laptop.
Operating smart devices on a separate network means if an attacker gains access to one, the worst that can happen is they’ll gain the ability to talk to other IoT systems. Similarly, the damage an infected device could cause if connected will also be ring-fenced.
Bye Bye, Alexa
Device manufacturers will make a lot of bold claims to sell their products. This is true for almost any technology or service, but it can be downright dangerous in certain situations. Take, for example, a woman in Portland, Oregon, who recently had her private conversations secretly recorded by her smart home devices. What’s worse, after the conversations were recorded by her smart speakers, they were then sent to a random contact in Seattle, according to an NBC report. Even more concerning was the disclosure of the “eavesdropping doll”, an internet connected Barbie that could be easily hacked to record children's conversations.
The takeaway? No matter what assurances are made by the manufacturers, any device with listening capabilities, such as smart speakers like Amazon’s Alexa and Google Home, should not be welcomed openly into anyone’s home without consideration. My daughters know it’s pointless asking their curmudgeonly father to enable “active listening” on their tablets to tell Alexa what to play or for the latest internet connected Barbie, nor do I want to extend my personal risk profile for the convenience of being able to ask my fridge for a recipe. The risks of having a device capable of recording everything it hears far outweigh the advantages of being able to tell a speaker to order dinner, nappies, or the latest blockbuster hit with ease.
Benefits of smart devices
The bottom line: Smart home devices and offices, when done right, can be incredibly powerful and enhance the entire experience. At my house, when somebody rings the smart doorbell or motion is detected by one of the internet connected CCTV cameras dotted around the property, lights are turned on within the house and a handy notification is sent to my phone, but before I connected anything, the security risks were considered and controls put in place to ensure I wasn’t offering unexpected guests a rather dull insight into my life. In order to keep this convenient and avoid catastrophe, owners must stay up to date on the latest news and trends surrounding their IoT devices. This includes performing regular scans to see which devices might have vulnerabilities and how to deal with them.
Smart devices, while wildly convenient, aren’t without risks. But that’s not at all to say that these devices should be viewed with fear; merely that consumers need to be aware of exactly what they’re purchasing and make conscious decisions on whether or not the benefits outweigh the risks. Some technologies are well worth the convenience, and can even increase the actual security of your home. Meanwhile, other devices, no matter how much easier they make life, are probably better off left on the shelf.
Gavin Millard, VP of intelligence, Tenable