Lock your doors: Protecting your Internet-connected home

The Internet-connected home is arriving faster than you think -- offering conveniences but also new security perils with every smart device you bring inside. Here's how to protect yourself.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

Internet-connected home devices like the Nest thermostat promise a new world of convenience -- and new security risks, too. James Martin/CNET

There's a good chance you'll soon have to worry about your house getting hacked.

Everything from door locks and ovens to thermostats and refrigerators is being connected to the Internet to make them "smart," giving you the ability to control or reset these household stalwarts through an app on your smartphone or tablet. You can turn on the heater so you don't have to enter a cold house, unlock the front door for kids or guests who have arrived early, or peruse video from cameras in your living room to see what the cat is doing.

Companies big and small are investing heavily in what's loosely referred to as the Internet of Things, a catch-all term for the technology that makes all the parts of this connected new world work. In fact, researcher IDC expects the market for Internet-connected devices to top $7 trillion within the next six years.

But for every technology step forward, there's nearly always a step back. With the Internet of Things, the very act of giving previously "dumb" appliances intelligence opens the door to new security risks.

Why should you be on guard? Consider that, as a whole, Fortune 500 companies spend about $80 billion a year on Internet security. Yet hackers breach many of these companies' networks.

Devices and networks for the home must be secured against intruders just like those used by a business.

But for many Internet of Things makers, these considerations are often afterthoughts. A case in point: Security researcher Paul Vixie found the quality assurance budget at General Motors was about $50 per car, but a paltry $5 per unit for a cable modem that enables Internet connectivity.

Harmless or harmful?

Security snafus wrought by smart-home devices made headlines earlier this year. One firm claimed it found an Internet-connected refrigerator transformed into a spambot, surreptitiously sending out junk email without the owner's knowledge. More ominous and unnerving: Someone tapped into a baby monitor's security camera to verbally harass an infant.

You may not have sensitive or personally identifiable information on the egg tray in your refrigerator, but your laptop probably does. Depending on how walled-off these devices are from each other on your network, that fridge tray could let in a really bad egg.

Making dumb devices smart requires that people get smarter too, says security researcher Joshua Corman, who founded I Am the Cavalry, an advocacy group focused on the security of Internet-connected devices. The potential for mischief when smart data "meets flesh and blood," as Corman puts it, raises the need for vigilance.

"We have to be really intelligent about the standards we put into security," Corman said. "I want intelligent decisions on technology connectivity. In some cases, the risk is acceptable and in others the risk is foolish."

Securing the home could be more complicated than most people realize. Companies building smarter appliances have to explore a range of interconnected issues, vulnerabilities and consequences. The first issue: Figuring out who potential attackers could be, and why they'd want to compromise your Nest thermostat in the first place.

After that is understanding the real-world consequences. A hacked car could be more lethal than a hacked oven -- or maybe not. Rapidly toggling a relay switch on and off could cause an electrical short, which in turn could start a fire.

Then there are the vulnerabilities inherent in open-source software, which many Internet-connected devices use to some degree. The problem? Those open-source components are difficult -- and in some cases outright impossible -- to update. Even some known security bugs never get fixed.

On top of that, ensuring rock-solid security doesn't come cheaply. In his research, Vixie found many device manufacturers just don't spend as much as they could to safeguard their products. For his part, Corman said he's concerned that vendors getting into the smart-home market might never invest enough to keep bad guys at bay.

Finally, there's the truism about security being only as strong as its weakest link. Imagine how many links could break as dozens of appliances and devices start talking over your home network.

"[Having] 10 or 20 devices on a network is exponential growth in terms of threats," said Mark Stanislav, a security researcher at Duo Security in Ann Arbor, Michigan, and founder of Build It Securely, a connected-device initiative helping independent companies build security into their products from the start.

The Institute of Electrical and Electronics Engineers also aims to help. The organization is working on Energy Star-style "smart home" certification programs to help consumers identify devices deemed up to snuff.

Brian Knopf, Belkin's director of application security, applauded the certification programs in development but cautioned that they're not a panacea. "Just because you have set the minimum bar of what needs to be done doesn't mean you're safe," he said.

So what can you do now if you're keen to smarten your home? Find out before you buy just what personal information that device needs to use, advised Stanislav.

"Be OK with whatever data that device has access to," he said. "If you're not OK with it, don't buy it."

Correction, 11:45 a.m. PT: This story previously listed an incorrect title for Mark Stanislav of Duo Security. He is a security researcher with the company.