In August, The Verge reported that smart ovens from home automation company June were turning on in the middle of the night, broiling empty air or abandoned potatoes at 400 degrees or higher. June insisted that user error was behind all the “accidental preheating.” One user admitted he might have turned the oven on by mistake as he closed apps on his phone before bed. June suggested another possible culprit: Alexa.
June was pointing the finger in the right general direction, but the real threat to smart home technology users may lurk behind voice assistants — in the software that allows assistants to talk to a diverse array of smart home devices and allows those devices to talk to each other.
At this year’s RSA IT/cybersecurity conference, researchers funded by an IoT security company presented on an emerging smart home threat. The software that allows a configured set of smart devices from various brands to communicate with each other can often be easily hacked.
Known as IoT automation platforms, this software is necessary if you want to create chain-reaction rules for your DIY smart home: Turn the hall light on when the garage door opens. Turn the heat down when the bedroom light goes off. It’s the technology behind IFTTT as well as virtual assistants like Alexa.
According to the researchers, many automation platforms have been exposed on the internet. Hackers could access a vulnerable platform and add their own phone as a trusted device. Or have your security cam push notifications sent to them, too. Or effectively disable an alarm system by rewriting the rule that said you want the alarm activated when you turn on the outdoor lights.
Vulnerable platforms can even provide hackers with your home’s exact location — latitude, longitude, elevation, time zone; any data you’ve entered in order to establish rules triggered by, for example, sunrise or sunset (turning outdoor lights off and on), or your proximity to your home zone (locking and unlocking the front door).
June plans on updating its ovens’ safety features, but no single smart device is safe if the communication system behind its functionality isn’t safe. The zeitgeist toward smart homes is at once exuberant and leery. The tradeoff between privacy and automation associated with our increasingly digital lives may be top of mind, but the pace of adoption isn’t flagging. Time reported that consumers will spend $123 billion on IoT devices by 2021.
The safest route may be to stay entirely within a mainstream tech brand’s ecosystem and not expose yourself to the open-source nature of third-party brands and platforms. But such a solution goes against consumer preferences. According to 2018 data from consumer tech research firm Parks Associates, 75% of consumers shopping for a smart home device prioritize interoperability. Less than 60% think it’s important that their next device be the same brand as current devices.
A healthy smart home marketplace provides diverse options and enables device cherry-picking. But smaller brands often don’t have the bandwidth to release regular security updates, which protect products from hackers. A panicked InfoWorld contributor post about the lack of security updates in smart appliances accurately calls IoT devices “insecure-by-default.”
Industry-wide solutions to smart home security issues are more likely to be found in the private sector than in public-sector measures such as federal regulations and oversight. Dr. Brad Allenby, who researches engineering and ethics at Arizona State University, points out that tech innovation moves a lot faster than bureaucracy. “The cycle time of governments at all levels has fallen way behind the cycle time of consumer technology,” Allenby says.
The safest smart home is probably one that employs name-brand devices and a major voice assistant. But if you’re set on building out the DIY smart home of your technophile dreams, build in some time for research. According to the New York Times, IT security experts recommend five cautionary steps:
- Stick with recognized, quality brands
- Make sure startup companies have a strong online presence and active user base
- Check for references to security updates on the company’s website
- Create strong passwords and enable two-step authentication
- Verify that refurbished devices aren’t still connected to the previous owner’s account or devices
The vulnerability of IoT automation platforms is just another example of the catch-22 of data. Whatever provides digital convenience also often saps privacy. Whatever is open-source to you is open-source to all. Until better cybersecurity options for smart homes come down the pike, the best thing you can do is learn from the past, and keep your smart devices (and the networks they use to speak to each other) up to date.