There's no denying that the Internet of Things (IoT) has become a hot product category, as evidenced by the vast assortment of IoT offerings at the recent CES--from TVs, speakers, and home automation products like cameras and thermostats to refrigerators and, believe it or not, mirrors. If you already own a smart device or are even thinking of buying one (or many), be aware that each and every one of them brings with it privacy and security threats, according to security industry experts.
That concern was underscored recently when WikiLeaks released documents online claiming that the CIA hacked smart devices, including Samsung smart TVs. The hacking of these TVs confirmed the worst fears of anybody who was already nervous about the built-in microphones used to understand people's voice commands. Anybody who gains control of these TVs can apparently hear everything we're saying while nearby.
For its part, Samsung issued this statement: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter." The company said that the "malicious" software described by WikiLeaks was installed via a physically connected USB drive that applied to firmware on TVs it sold in 2012 and 2013, "most of which have already been patched through a firmware update." It added that, at Samsung, "we continually monitor for any security risks" across its smart TV platform and, "if we find one, we promptly address it." Anybody with concerns about using Samsung smart TVs can take steps to be more secure, it said, explaining: "The best action that consumers can take to ensure the security of any device is to always keep their software and applications updated at all times."
An increasing number of consumers are experimenting with the concept of controlling AV and home automation devices through a smart hub of some sort--be it Samsung's SmartThings or the Amazon Echo, one of this past holiday season's best-selling products. After all, it's convenient and pretty neat to control everything from your couch while watching a movie or a football game. After all, why should we have to actually stand up and walk across the room to turn the thermostat up or down when we don't need another beer or have to take a bathroom break?
Whether you're using such devices in your home theater system or elsewhere in the house, there are several ways that you can help protect yourself from privacy and security threats.
Danger, Will Robinson (or whatever your name is)! Danger!
According to Bryce Boland, Chief Technology Officer for Asia Pacific at cyber-security company FireEye, "Consumers need to put a much higher value on their cyber security than they do today" because "the devices you put onto a home network can potentially expose all the devices and data on the network to criminals."
"These criminals can exploit this access to get to your bank account, attempt to extort you, leverage your devices to conduct attacks on other targets, or inflict harm in other ways," he said, adding: "Consumers need to be aware of these evolving risks because if they're not, they'll be taken advantage of."
Personal cyber-security is a "major issue" today, and it "will only become more important in the years ahead," he predicted. Most of us tend to think much more about the security of our homes than the security of our devices and information. But "breaking into homes isn't very common in most places because it's a relatively high-risk activity--thieves who are caught are frequently prosecuted," Boland said.
Cyber attacks, on the other hand, are "quite low risk and are often not prosecuted due to the nature of the crime and its international nature." There just aren't "great solutions in the market today," he went on to explain. In the corporate arena, companies tend to prefer to subscribe to security offerings that "help close the security gap and address risks," but, "We're a long way from seeing widespread adoption of effective personal security products in the market today."
The smart devices that manufacturers ship "should be secured by default, out of the box" because "if the consumer doesn't have to do anything to make the device work, they shouldn't have to do anything to make the device work securely," he said, adding: "This means device manufacturers shouldn't use hardcoded or default passwords."
Boland went on to say device manufacturers should also "ensure the devices they ship can be easily maintained and updated." Manufacturers must use this capability to "remedy newly discovered vulnerabilities and new threats." Unfortunately, most of them use outside code libraries today. What that means is that, "even if their own code is perfectly safe, their customers may be exposed to vulnerabilities which are discovered in these external libraries," he explained.
Although device manufacturers "can't provide perfect security," what they can do is "invest in a team which ensures their devices are as secure as possible by default, and they can monitor and respond to the ongoing security" of their product. Each manufacturer must have a team of people managing the security of their past, current, and upcoming products over the lifecycle of their products. "If manufacturers aren't doing that, they should assume their products will be compromised by attackers sooner rather than later," Boland said.
Most manufacturers today don't even have "effective, dedicated security teams" because "the economics aren't favorable for security," so it's often just a "market externality until regulators get involved," he said. He predicted that "governments will need to step up their regulation of device manufacturers before we see widespread improvement."
In the meantime, he said, there are a few things consumers can do to guard against breaches:
1. Ensure your devices are running the latest firmware.
2. Use strong, unique passwords on all your devices and accounts, including your Wi-Fi.
3. Disable network access on devices where it's not needed. For example, if your stereo doesn't need to be online, don't connect it.
4. Ensure your home router is from a reputable vendor and is running a current version of its software without known vulnerabilities.
5. Use a separate network for your mobile devices and computers than for your IoT devices. Some routers have a guest network feature that can be used for devices that need Internet access but don't need access to your home network.
6. Only use devices from reputable manufacturers that issue updates.
7. Consider disabling the cloud support/accounts on devices where it's not needed.
8. The home network of today is nearly as complex as the small business network of 10 years ago. If you want to make an extra effort, you can install a small business router in your home network, and use Virtual LANs (VLANs) to segment each device into its own network, then control what each device can do. This can improve both performance and security ... but it comes with a much more complicated initial setup.
Be Careful With That Appliance, Eugene (Or Whoever You Are)
Shagorika Dixit, senior manager of Norton Consumer IoT Security at Symantec, agreed that consumers should indeed be concerned about security and privacy issues when it comes to smart home devices. In fact, in tests, Symantec "found vulnerabilities in 50 different types of connected home devices, ranging from smart thermostats to smart hubs," she said.
She added: "Consumers should be equally concerned about all connected devices." That's because hackers can gain access to a smart camera, a smart lock, or a variety of other devices. "While some risks may seem more frightening than others, most connected devices pose some form of risk, whether it be a cybercriminal gaining physical access of a device or mining personal information," she said. Consumers should, therefore, take "precautions to ensure ALL connected devices are properly protected, which is why Norton suggests protecting devices at the network level," she told us.
As more and more connected devices fill our homes, the amount of entry points for cybercriminals to infiltrate our gadgets and steal sensitive personal information is also increasing. Hackers have learned to take advantage of the fact that many consumers don't change the default settings and passwords on their smart home devices, and many connected devices aren't yet manufactured with security in mind, Dixit said.
"Don't Worry. The Situation Is Under Control."
Manufacturer representatives we contacted for this story conceded that there are potential privacy and security issues with smart home devices, but they said that consumers shouldn't worry too much when using their companies' products (of course).
Technologies like LG's Smart ThinQ and Deep ThinQ, coupled with the manufacturer's Hub Robot, "will provide new levels of enjoyment, convenience and energy savings" for consumers, said John Taylor, vice president of public affairs at LG Electronics USA. "At the same time, we're sensitive to privacy/security concerns," and LG is "proud of its track record in protecting consumers' personal information in the smart TV arena--and that same commitment carries over to our connected appliances, as well," he said.
Taylor told us that "state-of-the-art data security and privacy measures are designed in from the start" with LG products. "That said, this is a hot topic that will, rightfully so, receive increasing amounts of attention industry-wide as the IoT space continues to evolve," he said.
He added: "One initial step is educating consumers about the steps they can take to secure their devices and home networks." To that end, he said, LG is working with the Consumer Technology Association on a national public service campaign to encourage consumers to use strong passwords and provide advice on other measures they can take to increase security on their networks and devices. Taylor told us he wasn't aware of any security breaches with LG's smart home devices.
"Consumers should be aware but not overly concerned of the very real dangers that are out there, and it's our responsibility as an industry to earn their trust," said Sol Hedaya, category manager at Merkury Innovations, manufacturer of the new Geeni line of smart home products that includes a range of smart bulbs, cameras, and power solutions.
"As we get used to everything around us being connected to the Internet, there are big gains to our society but also real dangers," Hedaya conceded. "The most common problems we've seen in the smart home space are for intruders attacking devices (particularly cameras) that have an easy-to-guess default password or even no password at all." He added: "Any unprotected device on the Internet can quickly get sniffed out and exploited, and often times becomes an unwitting vehicle for further attacks on others. As such, we take security very seriously, including military-grade AES data encryption, encryption algorithms during authentication, HTTPS encrypted channels, and more."
The company has had only limited distribution of the new Geeni line so far, but "no breaches have been reported in the devices we do have out there," he said.
Other manufacturers haven't been so lucky. Symantec's Dixit pointed to the widely reported Distributed Denial of Service (DDoS) attack that occurred in October, in which hackers were able to infect a network of IoT devices to take down several websites. Outages were initially reported mainly on the East Coast of the U.S., but European sites were also affected. Websites that were infected included those of Netflix and Twitter.
Therefore, just like in the movies, if a device maker tells you not to worry because they have the situation under control, take it with at least a grain of salt. And make sure you have taken as many precautions as possible when setting up any smart home device.
• Emerging Technology Stars Over AV at CES at HomeTheaterReview.com.
• The Day I Finally Embraced the Internet of Things at HomeTheaterReview.com.
• The Golden Rule of Home Automation at HomeTheaterReview.com.