Home security used to be as simple as locking your doors and windows, but the proliferation of smart home devices and home automation has given each house many more digital doors to check. The use of these devices in botnets has stirred anxiety about smart home device security. Users are trying to determine how best to ensure the privacy of their data and the sanctity of their homes in this challenging environment.
End users want to map the functionalities of their homes onto phone taps and voice commands. Even if they’re miles away, they still want to monitor their heat, lock their doors, and check for intruders, all while balancing security and convenience.
Users Want Smart Homes, but Smart Home Device Security Isn’t Inviting
As a consumer, it’s a challenge to know if a smart home device will be a good investment. With so many hyped products, it’s hard to know where to begin. We at Auth0 firmly believe security should be the key differentiator.
According to a recent Consumer Reports study, 87% of Americans worry about smart home device security issues. Meanwhile, Gartner believes security is the biggest impediment to IoT success. Vendors with tight security are the ones you should stick with, particularly at a time of escalating risk.
To help get started, we’ve outlined the major categories and brands of smart home devices below, including their security successes and flaws.
A New Leader in Top-Selling Smart Home Systems
A smart home system, as opposed to a smart home device, is a product that offers end users an interface to control and orchestrate the rest of their devices. The three leaders in this space are Google’s Assistant, Amazon’s Alexa, and Apple’s Siri — all of which offer voice-controlled integration with a variety of smart home devices.
Each of these companies offers a hub that centralizes end-user interactions, primarily through voice. Google offers Google Home and Google Home Mini; Amazon offers Echo, Echo Show, Echo Spot, and Echo Dot; and Apple offers HomePod.
Smart home systems and hubs are important from a security perspective because if any of them are compromised, the rest of the interfaced devices may face similar compromise.
In 2018, Google beat Amazon in smart speaker adoption, shipping 3.2 million Google Home and Home Mini devices versus Amazon’s 2.5 million Echo devices. One study found that Google Assistant is five times more accurate than Alexa, which may have contributed to Google’s present and, potentially, future success.
Amazon’s devices have also suffered more prominent security failures than other devices. This year, researchers created an applet, or “skill,” that appeared to be a calculator but in fact forced the mic to continue listening after an initial command and then transmit the transcribed audio.
Outside of research, Amazon also endured a viral eavesdropping story this year when the Amazon Echo misunderstood a family’s unrelated conversation as a series of commands, started listening and recording, and then sent the audio to someone in the owner’s contact list. Amazon confirmed the account but deemed such a sequence of events unlikely. This is cold comfort to the user, who said she’d never plug it in again, as might many others who heard about the story.
The Apple HomePod, a relative latecomer to the smart speaker market, offers similar features differentiated by a higher-fidelity speaker. Apple, the rare company with a reputation for privacy protection, promises the HomePod will share only as much personal information, all of which is encrypted, as is necessary to fulfill a user’s request.
Smart Security Cameras
One of the top-selling smart home devices in the security camera category is Amazon’s Cloud Cam. The Cloud Cam promises users 24/7 monitoring of the inside of their homes along with two-way audio. Amazon stores the footage from the Cloud Cam on its corporate servers, and videos travel through secure, encrypted connections. End users can watch videos on an app or access them through a password-protected web page.
Another popular line of smart security cameras comes from Netgear. The Arlo Q Plus, which focuses on business contexts, features night vision, local backups, and integrations with Google Assistant and Amazon Alexa, and it offers enough cloud storage to keep seven days of recordings.
Netgear acknowledged that, in specific circumstances, users can expose their devices with weak passwords generated by factory resets, but it fixed this gap with a firmware update.
Log-in issues afflicted other Arlo users this year, some of which kept users locked out of their accounts while the app displayed a variety of connectivity and authentication errors. For some devices, this might be a minor blip, but it’s debilitating for a device that promises continuous security. Companies have much to risk if they convince users their devices offer security and then pull that security away without notice.
Philips Hue is a leading device in smart bulbs and smart lighting systems. Hue offers a variety of kits that enable users to control and automate lights remotely. In 2018, Hue added further Siri integration to make this even more efficient for iPhone users.
In terms of smart home device security, it’s easy to assume Philips Hue might be the safest purely because access doesn’t appear as valuable to intruders as other devices. Smart home device security, however, is as much about comfort as protection.
Security researchers have demonstrated the ability to remotely hack Hue smart bulbs from hundreds of feet away by forcing a malicious firmware update. The researchers warned that beyond the single home context, such technology could damage a city’s power grid if the hack operated at larger scales. Philips Hue quietly and efficiently patched this flaw once they became aware of it.
In 2017, other testers encountered communication and authentication issues that left local communication between the app and the Hue bridge unsecured and unencrypted. Smart home device security is often based on the assumption that local networks are secure, but that’s not always true.
These issues worsen when users don’t have the ability to verify and boot users, which one blogger learned in 2018. He found that without the technical API knowledge he had, the average user would be unable to figure out who had the authority to control the Hue system.
Smart Locks and Doorbells
Nowhere is smart home device and home automation security a more obvious issue than with smart locks.
The August Smart Lock offers a continuous activity feed as well as the ability to lock and unlock doors remotely.
August also offers users the convenience of automatic guest access that users can distribute through temporary, digital keys. One hacker showed how an intruder could leverage guest access to create new keys and control the August Smart Lock even after a user removed guest access. August eventually patched the issue, but some users were left concerned about August’s lack of transparency.
Ring, the smart doorbell company Amazon acquired this year, features instant alerts when guests press the doorbell and streams video that enables users to see visitors as well as communicate via two-way audio.
In May, Ring disclosed a security flaw that allowed people who had once had access to Ring to maintain that access after the password was changed. In a nightmare scenario many smart home device manufacturers likely fear, a user discovered this after an ex-boyfriend used the Ring app to spy on him. Ring claimed it had fixed the flaw months previously but eventually admitted it hadn’t. As of this writing, the flaw remains unfixed.
The Future of Smart Home Device Security Requires Trust
It's likely that smart home device vulnerabilities will always exist, and enterprising hackers will always discover new ways to find them. Smart home device vendors will need to prove their willingness to be transparent and responsive when threats and breaches arise.
Consumers should also do their research on a vendor’s security commitment before deciding to buy. In particular, they should focus on devices that have strong authentication procedures. Authentication is the primary protective measure in the UK’s literature review for IoT principles and best practices. Ensuring that a vendor doesn't lean on unencrypted credentials will go a long way towards keeping its users safe from a botnet like Mirai. In addition, companies that support multifactor authentication (MFA) will add an extra layer of protection against weak passwords.
Smart home devices are as much interfaces as they are tools. As such, some of the worst vulnerabilities lie in the connections between them and the networks they integrate with. Organizations that hope to create lasting success in the smart home market must, as a baseline, be able to establish security through capable authentication procedures.