15. Evaluating Privacy and Security Concerns


In this chapter, you learn the potential privacy and security risks of smart home technology—and how to make your smart home safer and more secure.

• Privacy Concerns

• Security Issues

• What Can You Do?

Turning your home into a smart home is certainly appealing. There’s a lot to gain from automating much of the humdrum daily operations, and even more benefit when you connect multiple devices together to do things you never thought of before.

Alas, all good things come with some risk, and so it is with the technology behind the smart home. When you delve beneath the surface, you’ll find that there are multiple privacy and security concerns with today’s smart devices, enough of them that they might cause you to abandon this new technology completely.

How safe is today’s smart home? That’s a great question, and you’ll have to read on to answer that question for yourself.

Privacy Concerns

One of the most pressing concerns with smart home technology is privacy—your privacy. All those smart devices and sensors collect a lot of information about you. To perform all their tricks and automate their operations, they need to know what you do, where you do it, and when you do it. We’re talking about knowing when you leave the house and when you return, which rooms you stay in the most, when you go to bed and when you wake up, even what kinds of foods you cook (in your smart oven, of course). Your smart devices know what temperature you like your home to be, when you water your lawn, even how much water and electricity you use and when—not to mention whether your front door is locked.

It’s a lot of data, when you think about it. And it’s all personal.

What Do They Really Know About You?

On the one hand, having your smart devices collect all this data can be quite useful. If your smart home knows that you’re likely to be in a given room at a given time, you can save energy by turning off the lights and turning down the heat in all the other rooms. If your smart fridge (of the future) knows you like eggs for breakfast but it only counts a single egg in the bin, then it can notify you that you need to buy more eggs. If your smart security system knows you’re out of town for the week, it can make sure all the windows are closed and the doors are locked.

That’s a good use of collected data.

On the other hand, what if all this data gets into the wrong hands? If a given smart device (like a smart hub or thermostat) collects useful data over time, what’s to stop that device from transmitting that data back to the manufacturer?

After all, just about any data about you can be useful to many different types of companies. The company that manufactures a smart device might find your data useful for fine-tuning their existing services or designing new devices. They might also benefit (financially) from selling that data to other parties who can then use your data to target you for advertising, promotions, and other schemes.

Now, many of the companies offering smart devices say they’ll sell only aggregated anonymized data—that is, the numbers from many customers all added up—not the specific details about you or other individuals. Even if that is true (and not all companies are saying they’ll do this), there’s still the possibility, if not the likelihood, that individual details can and will be extracted from the whole.

It gets even scarier when you realize that data from multiple devices can be combined and analyzed to reveal a variety of intimate details about what you do during the day, where you go, your interaction with others, your medical needs, your personal habits. You might be comfortable with all this information being available to strangers; many others may not.

How bad can it be? Let’s look at a few examples.

Consider a smart thermostat like the Nest Learning Thermostat. This little hockey puck collects a huge amount of data that could be of interest to various parties. Yes, it learns your heating and cooling preferences, but that information isn’t terribly interesting. What’s more interesting is the data that other devices share with the Nest. When the thermostat is connected to your garage door opener or car, for example, it knows when you’ve left the house, so it can enter Away mode. Who might want to know when you’ve just locked the door and driven out of the driveway? Burglars, of course. Or maybe bill collectors who want to grab that expensive lawn mower on which you’re three months behind on payments. Or even an ex- or soon-to-be ex-spouse who wants to build a case about your supposedly philandering ways.

Some uses of this collected data aren’t quite as nefarious but could prove equally annoying. Your smart TV knows every program you watch; there are lots of companies that would like to have that information—the better to feed you advertisements based on your viewing habits. Shopping data is equally interesting to these parties, as is data that can infer other leisure activities. Or maybe a home goods company buys your personal data from your smart hub company and uses it to pitch you heavier blankets in the wintertime. It’s not criminal, but it is insidious.

And that’s the good use of this type of collected data. There’s always the possibility of data theft—not from you, but from the companies collecting and storing your data. Even if a company that collects your data doesn’t do anything untoward with it, a hacker breaking into the company’s database will find data that he can personally use or sell to another criminal party. Just having the data out there is a big risk.


Alexa and the Google Assistant

Here’s a scary thing. The voice-activated controllers from Amazon and Google store voice recordings on their servers to improve their voice recognition technology and services. That’s a lot of data that, while undoubtedly well protected by the companies involved, still could be hacked. Remember, Amazon and Google are listening!


How Much Privacy Do You Need?

Data collection of this sort isn’t something new to the world of smart home technology. For ages credit card companies, online retailers, and more have been collecting data about your spending habits—how much money you spend and on what. Websites use “cookie” technology to capture data about what pages you visit, and use that to serve up personalized online ads. And online streaming services know what you’ve watched or listened to so that they can offer “recommendations” based on your past viewing/listening habits.

On the surface, not all of this is bad—in fact, the slight loss of privacy provides a more customized experience online, and even in the real world. One can argue that that’s an acceptable tradeoff. In today’s electronic age—and tomorrow’s world of the smart home—privacy simply isn’t part of the equation. In order to benefit from the interconnectivity of smart devices, privacy is willingly abandoned.

Others, privacy advocates especially, believe that smart technology companies should not collect this data, even anonymously. Privacy advocates want transparency, too—they want manufacturers of smart devices to be perfectly clear about what data they collect and for what purposes. Consumers should have the option of turning off the data flow or deciding who gets access to that data.

The problem with turning off the data flow from smart devices is that it turns smart devices back into dumb ones. It’s exactly that interconnected flow of data that makes the smart home so smart; if the data isn’t flowing, all you have is a collection of isolated sensors, switches, and light bulbs.

There are no easy answers to this one, other than to recognize that there are tradeoffs involved. If you want total privacy, you might want to shy away from smart home devices and technology. And if you want all the benefits that come from smart devices, you might have to sacrifice some of your privacy.


Privacy Organizations

If you’re at all concerned about your online privacy, look into the work being done on your behalf by the Electronic Privacy Information Center (www.epic.org) and the Privacy Rights Clearinghouse (www.privacyrights.org).


Security Issues

Related to the privacy concerns of smart technology are issues that have to do with security. Can unwanted intruders hack into your smart home devices—and what happens if they do?

Spyware and Botnets

Some attackers have even more malice in mind than just stealing a bunch of digital data. Think of the problems that could ensue if hackers gained control of the smart devices in your home, car, or city.

The dangers of someone hacking into your smart home in some ways resemble those of third parties hacking into your home computer system. Computer hackers have been around for decades, and we know exactly what they like to do.

One of the most popular things hackers do is place spyware on your system. This is malicious software—dubbed malware—that tracks what you’re doing on a given device and feeds that information back to the hacker. On a computer, spyware most often feeds information about the websites you visit to a central source that then uses that info to feed intrusive advertising back to your PC. When you’re looking at smart devices, spyware might be employed to feed usage information back to a central source. I don’t know what a third party might do with information gleaned from your smart thermostat or hub, but it likely wouldn’t be good.

The other thing that hackers like to do is to take control of hacked devices and use them to perform other types of activities. In the computer world, hijacking a computer in this way turns it into what is called a zombie computer, and when you put together a network of thousands or millions of these hijacked devices, you create a botnet that can be used to attack other computers and websites.

Botnet attacks from compromised computers have been around for decades. Only recently, however, have smart devices been remote controlled in this fashion.

On October 21, 2016, the Internet experienced a massive outage when a rogue botnet attacked the computers at Dyn, a company that directs Internet traffic along the east coast of the United States. Dyn received tens of millions of malicious requests, which overloaded its system and brought the Internet to its knees.


DDoS Attack

The type of attack directed at Dyn is technically known as a Distributed Denial of Service attack, or DDoS for short. In a DDoS attack, multiple compromised devices are used to target a single server, system, or website by overloading it with multiple and repeated address requests.


What was unique about this attack is that it didn’t come from zombie computers. Instead, this botnet was thought to have been composed of smart devices—smart thermostats and smart hubs and such—all of them compromised by a specific type of malware. That’s right, the Internet was attacked by a network of rogue smart devices.

Are the smart devices in your home vulnerable to this sort of hijacking? In short, probably—and especially if you are using easily guessed or hacked usernames and passwords for each of your devices and accounts. If you think about it, every smart device in your home is another potential entry point for malicious hackers. You need to be even more diligent about protecting your smart home system than you are protecting your home computer from attack.


>>>Go Further: Smart Home Security—Not So Smart?

Computer manufacturers and software developers learned a long time ago that bad guys want to get into your system, and the good guys need to protect against that. That’s why you see a constant barrage of security updates if you own a Windows computer, and are under constant advice to install anti-malware software from McAfee, Norton, and others to protect your system. That’s a good thing.

Unfortunately, many of the companies that manufacture smart devices are not as security conscious. Many of these companies do not come from the world of personal computing, and simply don’t have the experience or knowledge to adequately prepare for or even be aware of hacking and malicious intrusion. In short, they don’t provide adequate security protections because they don’t know any better.

Now, that isn’t a good excuse, but it’s the reality of smart devices today. While some companies, especially those with a background in personal computing, pay attention to these security concerns, many others don’t—at least not yet. Unfortunately, their ignorance puts you and your home at risk.

And that’s a scary thought.


Seizing Control

We know that hackers can gain control of your smart devices to attack other parties. But what about hackers that might want to gain control of your system to attack you personally?

We’re talking cyberterrorists who break into individual smart home systems or groups of systems with the sole purpose of gaining control of important systems and operations. When the smart devices in your home are no longer under your control, mayhem can result.

Admittedly, some of these scenarios might sound comical. A cyberterrorist gaining access to your home’s smart lighting system could turn your lights on and off at random. Someone hacking into your smart TV could feed you unwanted commercials or propaganda broadcasts. A bad guy hacking into a smart toilet might make it flush repeatedly and force the lid to keep going up and down.

Okay, not too scary. But there are more ominous scenarios. How about a hacker breaking into your smart lighting and security system to douse all your lights and alarms and unlock all your smart doors in preparation for a robbery or home invasion? Or a cyber voyeur hacking into your smart security system to spy on you via your smart cameras? Or someone with even more malicious intent turning a company’s smart heating/cooling system against them by cutting off air flow or introducing dangerous gases into the system?


Spy Cams

There are already numerous instances of hackers taking over Web-based baby monitors and webcams to spy on unsuspecting homeowners.


It gets worse when you consider the larger city-, state-, and nationwide smart systems under development. What about the potential chaos that would ensue if cyberterrorists decided to attack your friendly neighborhood power plant? Or tried to take control of your local water company? Or the nation’s arsenal of nuclear weapons?

The more things inside and outside the home we connect via smart technology, the more things that malicious individuals or organizations can try to damage or control. It may sound nice to have virtually every device in the world connected via smart technology, but it makes for a very scary situation security-wise.

What’s the solution? More and better security, as always. Some of this is on you, the consumer, but most is on those companies collecting, transmitting, and managing the data generated by smart devices. Every point in the network needs to be secure, which is a daunting task. The network of connected smart homes, as large as it likely will become, will only be as strong as its weakest link—that is, the least-protected smart device.

What Can You Do?

Given the potential privacy and security risks associated with smart devices, how concerned should you be? Are the risks big enough to scare you away from smart homes completely? Or are there things you can do to minimize the risks?

Making Your Smart Home Safer

There are a number of things you can do to improve the security of your smart home devices. Most of these are similar to how you protect your home and work computers.

First, you need to beef up the security on your wireless network. That means going into your router’s configuration screen and changing the default network name and password. (See your router’s instruction manual for details on how to do this.) You want a network name that’s not directly identifiable; in fact, you may want to make your router name private rather than publicly visible. With a private router name, someone trying to hack into your wireless network would need to know the name in advance, which they probably wouldn’t.


SSID

Your router name is technically known as a Service Set Identifier, or SSID. An SSID can be publicly visible, in which case it appears to any device looking for nearby wireless networks, or private, in which case its name is not broadcast and thus hidden unless you know it in advance. Obviously, a private SSID is safer from hacking than a public one.


You also want to protect your router by using a high level of wireless encryption. Most wireless routers today employ WPA and WPA2 encryption; you need to enable one of these (on your router’s configuration screen) to make sure your wireless communications are harder for hackers to intercept.

In terms of your wireless password, the longer and more complex it is, the better. Obviously, changing the password from the router’s default (which is often just “password”) is a good idea. But go longer and more convoluted, and include upper- and lowercase letters, numbers, special characters, you name it. Make sure it can’t be easily guessed, and you’re less likely to have uninvited guests.

The same goes with all the usernames and passwords you use to sign into your smart devices and associated online accounts. Come up with complex and unique names and passwords for each account and device; if you use the same password for every device, then guessing the password of one gives hackers the passwords for all. I know, it’s a pain in the posterior to come up with and remember lots of different passwords, but that’s how you keep your system more secure. You want every potential access point into your network to be as uniquely secure as possible.

Finally, if you use smart devices from a company that experiences any sort of data or security breach, consider removing those devices from your home network. You might not be able to deal with unknown and unforeseen problems, but you can certainly do what you can about problems you do know about.
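
The checks described above (network name, encryption, password strength, password reuse, and breached vendors) can be run over a written-down inventory of your own devices. The following Python script is an added example and does not come from the book; the minimum length of 12, the lists of default passwords and default network-name prefixes, and every device and vendor name in the sample inventory are assumptions made for illustration.

```python
import hashlib
import string
from collections import defaultdict

# Assumptions (not from the chapter): the minimum length and the lists of
# factory-default values below are illustrative choices.
MIN_LENGTH = 12
KNOWN_DEFAULTS = {"password", "admin", "12345678"}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link")
ACCEPTED_ENCRYPTION = {"WPA", "WPA2"}  # the two options the chapter names


def password_findings(password):
    """Return the chapter's password rules that this password fails."""
    findings = []
    if password.lower() in KNOWN_DEFAULTS:
        findings.append("factory default password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"uppercase letter": string.ascii_uppercase,
               "lowercase letter": string.ascii_lowercase,
               "number": string.digits,
               "special character": string.punctuation}
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            findings.append(f"no {name}")
    return findings


def audit(router, devices, breached_vendors=()):
    """Return {item name: [findings]} for the router and every device."""
    report = defaultdict(list)
    if router["ssid"].lower().startswith(DEFAULT_SSID_PREFIXES):
        report["router"].append("default network name (SSID)")
    if router["encryption"] not in ACCEPTED_ENCRYPTION:
        report["router"].append("WPA/WPA2 encryption not enabled")
    report["router"].extend(password_findings(router["password"]))

    # Group by digest so reuse is detected without printing any password.
    by_digest = defaultdict(list)
    for dev in devices:
        report[dev["name"]].extend(password_findings(dev["password"]))
        digest = hashlib.sha256(dev["password"].encode()).hexdigest()
        by_digest[digest].append(dev["name"])
        if dev["vendor"] in breached_vendors:
            report[dev["name"]].append("vendor reported a breach")
    for names in by_digest.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name].append(f"password shared with {others}")
    return {name: items for name, items in report.items() if items}


# Constructed sample inventory; every name and value here is made up.
ROUTER = {"ssid": "NETGEAR-5G", "encryption": "WEP", "password": "password"}
DEVICES = [
    {"name": "thermostat", "vendor": "ExampleCo", "password": "Summer2016!"},
    {"name": "door lock", "vendor": "ExampleCo", "password": "Summer2016!"},
    {"name": "camera", "vendor": "SampleCam", "password": "v9#Tq!mR4z@Lw2eX"},
]

for item, findings in audit(ROUTER, DEVICES, {"SampleCam"}).items():
    print(f"{item}: {'; '.join(findings)}")
```

Items with no findings are left out of the report, so an empty result means every check passed.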


>>>Go Further: Virtual Private Networks

Some security experts recommend that you create a virtual private network (VPN) to isolate your in-home smart communications from the Internet as a whole. A VPN essentially creates a private network that you can access from anywhere but can’t be accessed by anyone else without the proper passwords. It also serves to separate your smart devices from anything else connected to your home wireless network.

The main downside to a VPN is that it’s difficult to install and manage for people who don’t have the necessary technical training. So I can’t recommend that the average user set up a VPN, although if you have a techie nearby or want to engage the services of a tech support firm for this purpose, it’s not a bad idea.


Is It Safe Enough?

Even if you take all the safety precautions you can, there is still an inherent risk in using smart devices in your home. Companies are going to collect data from your devices, and that data could be compromised due to theft or unwanted use. In addition, even the safest home networks and the strongest passwords can’t stop really dedicated hackers; if they want to hack into your smart home, they can.

For these reasons, people strongly concerned about security may be best advised to stay away from smart home technology, at least for the time being. There are no guarantees as to safety and security, and smart technology definitely is a little loose around the edges. If you want to stay completely safe, don’t connect.

(That goes for any online connection, of course. If you want to be entirely safe and secure, you won’t have an Internet connection in your home at all.)

That said, today’s smart home devices are probably safe enough for the average person. It’s unlikely that some nefarious person is going to hack into your personal home network and turn down the heat on your smart thermostat or turn off your hallway lights. There’s not much benefit to that, other than annoying you. It’s more likely that hackers will concentrate on the public grid and other city- or region-wide resources. Let’s face it, you’re just too small a target to the bad guys.

That doesn’t mean you can ignore potential privacy and security threats. Keep abreast of the latest trends and make sure you install the latest software and firmware releases for all your smart devices. Over time, the smart technology companies will get smarter about security, too, and you’ll benefit from that.
