THE INTERNET OF THINGS
The week of January 4, 2015

Hackers will soon be targeting your refrigerator

By Dylan Love

It’s a familiar scene from any movie that features a malicious computer whiz: From a darkened room somewhere in the world, fingers move over a keyboard in such a way that a hacker gains access to a computer belonging to a bank or foreign government, then manipulates it for his or her own nefarious purposes. Today, in the real world, our light bulbs, thermostats, and locks can talk to the Internet just as these computers do. How do we stop similar would-be hackers from gaining access to our homes?

Security has become paramount with the rise of the Internet of Things (IoT). To offer a personal anecdote, a friend’s roommate situation ended on ugly terms a couple years ago. The jilted roommate moved out and maintained Internet control of the apartment’s thermostat. While my friend was at work, this unhappy prankster would crank up the apartment’s heat at lunchtime, welcoming my friend home in the evenings with an unpleasant heatwave.

It’s a low-level example, to be sure, but it raises a valid point: What steps are IoT companies taking to keep us safe from others online, and what constitutes a truly “safe” smart appliance?

Leor Greblor is CEO of Unified Computer Intelligence, whose IoT product Ubi functions as something of an immobile “Jarvis” from the Iron Man movies. You speak to it just as you would a person, and it automates various aspects of your home for you. Think of it as Siri for your house. Greblor offers a blunt worst-case scenario when it comes to IoT security. “People have to think, ‘What if I were to allow a stranger to be able to control my lock or thermostat?’ I think people need to go in with their eyes open and weigh security concerns against potential benefits of automation. A breach could come from anywhere, just as if someone steals your email password.”

That said, any IoT company of consequence takes exacting care with how it addresses security. Alex Hawkinson is all about the open system as a means of ensuring security. As CEO of SmartThings, he’s hired penetration testers (like the aforementioned hackers in movies, but for good) to do their worst against his company’s products, something he calls a “super-ongoing process.” The company releases white papers to keep the public informed of how it performs, and the feedback is pretty unanimously positive.

Loxone, the European IoT giant still finding its footing in the United States, goes the other direction and opts for a proprietary walled garden akin to Apple’s iOS mobile operating system. It doesn’t rely on a Windows or Linux operating system to facilitate its home control—Loxone engineers instead built their own operating system from the ground up, which leaves it unsusceptible to viruses or known vulnerabilities in other systems. If and when you should need to reboot your system, Loxone CEO Chris Raab says it takes just four seconds to come back online from a hard restart.

Arrayent, the company that helps device manufacturers get their existing products online, takes a different tack and subscribes to simplicity as religion. Not only does simplicity make a device more secure, but it makes that device more appealing to the consumer. “We don’t believe in turning everything into a 64-bit computer,” said Bob Dahlberg, Arrayent’s vice president of business development. “The problem with complexity is that you create more attack points and make it easier for hackers to find flaws. Aside from that, who wants to reboot their refrigerator or garage door opener?”

Greblor’s Ubi presents a unique security concern. As the device is entirely voice-controlled, it’s specifically designed to listen to and hear what’s going on in someone’s home. He explained how the system is designed to prevent abuse. Specifically, no audio is actually transmitted to a server, and the Ubi makes use of a keyword to activate its listening mode.

“The Ubi is only listening for a trigger word,” Greblor said. “When it hears that trigger word, there’s a loud chime to signal that it’s now listening. Additionally, we don’t get a voice recording, just a text transcription of what is said. It’s encrypted and it’s not a recording.” Again, any IoT company of consequence is on the consumer’s side to make it their business to provide home automation that is as effective as it is secure.

The imperative is clear: Do your homework on the specific security features of any IoT device you might consider bringing into the home. Just connecting a computer to the Internet has enough risks associated with it, so consider the potential mishaps for a poorly reinforced IoT system to fall apart in your house. It’d be like having that grumpy ex-roommate mess with you from far away, but this roommate could potentially have far more control depending on the systems you opt to use.

No one I spoke to could cite a specific example of someone breaking into a home by manipulating an IoT device, but SmartThings’ Hawkinson puts a nice point on things. “Every new technology has risks that come along with it,” he said. “There were privacy concerns with social networking that took Facebook a long time to figure out, but the benefits were high and outweighed the risks. When we’re talking about securing your home, if someone wants to break in, they’ll smash a window or kick in your door, not do bank-level encryption.”

Illustration by Max Fleishman