Your refrigerator is sending spam. Your front door is running buggy firmware that tells you the deadbolt is locked (when it's not). And the kid next door is pirating music over your wifi network, thanks to a backdoor in your thermostat app. All the internet-enabled things that make your home "smart" are also turning it into a security nightmare.
Smart homes are just one part of a larger movement in the tech industry to build an "internet of things" — an interconnected web of stuff that includes everything from phones and tablets, to washing machines and desk lamps. Megacorps like Google are trying to cash in on this new internet age with products like Nest, a system to control your smart home from the cloud. Other companies, like Samsung, have pledged that 90 percent of their products will be part of the internet of things by 2017.
The problem is that this new internet has all the security problems of the old one. Except they are worse, because software vulnerabilities won't just allow people to break into your network — they'll be breaking into your house. We spoke with chipmakers, product designers, white hat hackers, and security specialists, and they all made one thing is abundantly clear: the smart home is not acceptably secure, not even close.
A Bigger Attack Surface
We already know that smart homes are just unforgivably glitchy to the point where switching off the lights becomes a painful debugging process.
But these bugs aren't just annoyances. Many smart devices are rushed out the door, usually with manufacturers intending to secure them once they're in the wild (and successful) — or maybe just with no intent to do it at all. Because so little attention is given to security in the first place, every smart device you bring into your home network only increases the target on your back. In computer security, this is called your "attack surface."
Experts say that a smart refrigerator has the potential to be far more vulnerable than other internet-enabled devices. "Your computer that has a firewall [when it's awake] has a much smaller attack surface than your cell phone that's constantly on the internet," says Mike Ryan, a Bluetooth expert and embedded security researcher. "The internet of things represents a general broadening of the attack surface. Every single device is connected now, and every single device could be a potential point of weakness. Whereas before your refrigerator plugged into the wall, and that's it."
A nefarious smart refrigerator may seem like a stupid example, and it would be—if it hadn't already been hacked before. Smart refrigerators were among a network devices sending malicious emails in January last year. Here's how the hack went down, according to an NPR report:
Sometime between Dec. 23 and Jan. 6, hackers commandeered home routers and the like and used them to send out malicious emails to grow their botnet, or, army of infected devices. Botnets — and now, "ThingBots" — can be used by hackers to perform large-scale cyberattacks against websites by drowning them with traffic.
But "commandeering" routers, and smart washers, and thermostats, and door locks, and face-recognizing cameras is pretty hard to do, right? Yeah...no. Last April, a family from Cincinnati, Ohio, says they woke up during the night to a man screaming at their 10-month old daughter through a Foscam baby monitor. He had discovered their camera on the internet, took it over, and used it to scare their child. The three-year-old baby monitor didn't have the latest security updates, so the family was an easy target.
Even more terrifying is the prospect that a baby cam could just be the first step in a more general takeover. A smart home invader might begin by discovering a vulnerable device, but then use that to jump onto your wifi network — before long, the attacker could be reading your email and grabbing private information from your phones.
"It's remarkably easy to find out what kind of devices people have in their homes," Ryan tells us. "If [a device] has a vulnerability and you gain control it, then you have a foothold directly on someone's home wifi network, and you can do direct attacks against their laptops or their router. You can change the settings so all their web traffic goes through you."
And its not only the devices that are vulnerable, but the wireless Bluetooth tech we used to tie everything together. Ryan says every Bluetooth implementation he's ever tested has turned up at least one vulnerability. When he reported these security problems to vendors, only one ever responded.
Of course, some devices have better security than others. Companies like Microsoft and Google offer bug bounties, inviting hackers to attack their systems to find weak points, and rewarding successful hacks with cash. There is a similar program at Qualcomm, a chip manufacturer responsible for a lot of the computing brains in your smart wearables, cars, and even lightbulbs. But Asaf Ashkenazi, director of product management for Qualcomm, says bug bounties are not nearly enough.
Which is putting it lightly. A study last fall, conducted by HP, found that 70 percent of commonly used devices in our homes were security risks with almost 25 vulnerabilities per device.
"Although we're providing all the foundations, we cannot solve the problem alone. It's vendors. It's software providers," Ashkenazi tells us. "It needs to be an across industry effort."
A Vulnerable Network
Nothing is 100 percent secure. It would take a massive restructuring of the internet, built from the ground up, and applying all the security lessons we've learned over through the decades, to even come close. Although DARPA is investigating that idea, we're stuck with what we've got—a patched and bandaged framework vulnerable to criminals and trolls of all types.
The internet of things is just the next evolution in how we'll interact with the internet, and it will experience similar security growing pains. The sheer number of devices, whether smart TVs, coffee pots, bluetooth speakers, or baby cams, is what makes a smart home such a challenge to secure. These aren't smartphones or laptops that you replace every two to five years or so. If you're buying a smart washing machine, you may not buy another one for 10 or 15 years. That means the hardware needs to have security designed into it from the beginning and with room to grow, so it can be patched through its entire lifecycle.
"It's this massive lack of understanding of the technologies everyone is going to use and then selling them," product designer and white hat hacker Joe Grand tells us, currently in London teaching a hardware hacking course. "A lot of engineers aren't trained in security. You don't see a lot of cross-pollination in people making products and breaking products...there needs to be more mix. It's really, really frustrating."
In other words, the people who make things don't know how to break things and vice versa so it's like two groups just shouting at each other. Hardware makers need a bigger presence at the big hacker conferences like Black Hat and Def Con, and more hackers need to be involved in the gadget-making process.
And for the meantime, Grand's frustrations will most likely continue because the Federal Trade Commission, tasked with overseeing the internet of things, won't be stepping in to sort out the mess—at least not yet.
In late January, the commission published non-binding guidelines for companies to follow. Here are a few highlights:
-Build security into devices at the outset, rather than as an afterthought in the design process
-Train employees on the importance of security
-Monitor connected devices throughout their expected lifecycle
These are all great ideas, filled with some lets-all-work-together optimism, but they don't go far enough, according to Shankar Somasundaram, director of IoT security for Symantec. "It's good but it's not going to tip it over. You need a little bit more than that." Somasundaram says. "Put in a clause that says if you don't follow basic guidelines in this country, you'll be fined. That extra level creates an actual incentive."
Grand agrees that the most lasting changes won't come from companies, but from some form of government regulation. He says big, scary hacks won't make things safer, just more illegal—which can be a benefit to our smart home security but also a detriment to internet freedom, by trying to push terrible CISPA legislation in a time of "crisis."
Preparing for Smart Home Darwinism
The shame of all of this is there are some great smart products out there that pay attention to security and do make sense in your home. Nest's Smart Thermostat is a smart home champion, offering tangible and money-saving convenience. Belkin WeMo is working on Echo Technology devices that can monitor your entire home's water and energy intake, so you can get bill estimates and even detect leaks down the exact pipe or outlet. These are fantastic ideas.
But right now, the smart home is just that: a fantastic idea without much reality. The internet of things is a bunch of random gadgets, often trying to fix some invented problem that you don't have by connecting it to the cloud and controlling it from your smartphone. Why do we need smart refrigerators and creepy smart beds, anyway?
The answer is that we don't.
"Dependence is the wellspring of risk, the more you take on technology, the more risk you take on that technology will negatively impact your life," Ryan says. "You've got to evaluate everything as a risk/benefit tradeoff. It's easy to say I want the hottest, newest everything...that attitude is going to lead to a lot of the security issues."
A smart thermostat that can analyze energy trends can be a huge benefit. A bed that can tell you if your kids are sleeping, or a smart fridge that can tell you when your milk goes bad? Maybe not so much.
The internet of things is inevitable. The problem is that its architects aren't thinking ahead to the ways that people will use it in their homes and personal lives. Smart homes need to be less about the dream, and more grounded in reality. There are a lot of security risks we're willing to take on the internet because it seems disconnected from our real lives. But when the internet starts living inside every object in our homes, those risks become as real as a person breaking in through your windows.
Illustration by Tara Jacoby