Cyber security and Smart Homes

There are few among us who don’t want to stay well-connected to family and friends regularly, and many home IoT (Internet of Things) devices that are now available can help us do that in new and exciting ways. Many of us also want to make our lives easier and more comfortable by automating certain processes in our homes, like turning up the heat in the winter before we arrive home from work. The number of Canadians with advanced home security systems is also growing.

While Canadian numbers are scarce, Elizabeth Parks (president of Texas-based Parks Associates) reports that by the end of 2019 in the USA, there were an average of 12 ‘connected’ devices in households with broadband internet. And the number of home internet-connected devices on the market grows every month.

But as more and more of us look to ‘smart home’ technology and IoT devices to enhance our lives, if we don’t ensure this same tech is secure, we are putting ourselves at all kinds of risk. Indeed, in the view of Ed Dubrovsky, chief operating officer at CYTELLIGENCE in Toronto, “the risk is actually on the rise and quite significantly so.”

Psychologically, Dubrovsky explains, people treat their home as a safe haven and the fact that this attitude extends to their home’s digital aspects puts them at great peril for identity theft, actual break-ins and many other negative outcomes. He notes that there are currently IoT laundry machines, toasters, security cameras, child monitors, thermostats, smoke alarms, televisions, door locks and more, and “unfortunately, these devices are primarily designed for function and not security. A compromise of any one of these devices provides the would-be attacker a platform to launch a subsequent attack against higher-value targets like computers.”

And, as many of us can attest, it’s common to do some work from home. This fact, says Dubrovsky, means that security risks posed by smart home technology therefore extend beyond personal data to work-related information – making the need to secure the home all the greater. Getting access to sensitive data, Dubrovsky explains, “is always about the weakest link, and IoT devices are, without argument, the easiest devices to compromise.”

Another sobering aspect to the situation, according to Robert Beggs, is the lack of any Canadian or international standards that define what qualifies as a ‘secure’ IoT device or how security of these devices should be achieved. And even if a device is “judged to be secure today,” adds the CEO of DigitalDefence in Waterloo Ontario, “changes in technology or attacker methodologies may make it insecure tomorrow.”

The matter is further complicated by the fact that there is much risk for manufacturers to try and market a ‘secure’ device. Beggs explains that if a particular company gets its IoT device declared secure through third-party testing and then uses this to market the item, what

happens if a hack occurs afterwards? “Because it was marketed as being ‘secure,’ there is now an increased liability risk,” Beggs explains. “Perception of this risk is actually a partial or even full reason for not assessing security.” To make matters worse, there is also, in his view, a lack of knowledge and tools within the data and device community about how to effectively test IoT devices for security.

It’s more than clear that consumers with smart home technology need to protect themselves.

Best protection steps In a recent blog post, Spencer Callaghan, communications manager at the Canadian Internet Registration Authority (CIRA), recently provided some important things consumers should do to protect themselves at the same time they enjoy their smart home technology.

Most should be taken right after the purchase and set-up of new IoT devices. At that point, install any updates already available and continue to update each one regularly to ensure it stays as secure as possible. On that note, Callaghan also advises never purchasing or using any device that cannot receive updates, or where it does not appear possible to change the passwords or update settings. Also remember to check permissions upon installing a device. The default permissions of most smart home devices are too broad.

Change the default password on any devices right after purchase and then regularly afterwards (mark it on your calendar). Also purchase anti-virus and anti-malware protection for your tablets, computers and more, as update as appropriate.

Callaghan and other industry experts also highly recommend the creation of a dedicated WiFi network for your IoT devices that’s separate from your main network. “Most routers now offer the ability to do this, some are even advertising this feature,” he states. “By having a separate network for smart home devices, you can give those devices a more restricted level of access to the internet and protect your main network from potential attacks.” Parks adds that network security is paramount because most IoT devices do not have adequate processing, memory or power to support security functions. And within each network, all system ‘admin’ functions should be limited to specific adults; children and visitors should only have access to user functions.

Other tips mentioned in various internet sources include the careful use of devices which are activated by movement or voice prompts. Restrict these capabilities or turn them off at certain times, if they are not related to home security, because (among other reasons) these capabilities could be exercised by people outside the home, through the glass of a window or an apartment door.

Beyond these sorts of steps, Callaghan says effective smart home cybersecurity is “really all about having the awareness that these devices are connected to the internet, and as such, are subject to the same problems that any laptop or other internet devices would have — malware, viruses, unauthorized use, hacks and so on.” He therefore advises users to apply the same ‘security hygiene’ that they use for their laptops to their smart thermostat, doorbell or home lighting system.

For his part, Dubrovsky thinks consumers should research the devices they really need, and once they purchase these devices, further ensure only the required functions are operational. “Every device is another doorway into one’s life and personal or corporate information,” he says. “Ask yourself, do I really need another door?”

Looking forward

It’s indeed critical for consumers to take action themselves because at this point in time – and for the foreseeable future – none of us can rely on device-makers to provide cybersecurity. Although Parks believes that as smart homes become more widespread, “manufacturers, broadband service providers and data security service providers must double their efforts to mitigate potential risks to consumers…without the expectation that consumers should or will do it themselves,” Beggs believes no such effort is coming anytime soon.

He asks, “if it costs money or effort to upgrade home devices, and the vendors are not being regulated, and homeowners are not forcing changes, why would security become an important element?”

Beggs does believe, however, that the situation could be rather easily addressed by manufacturers. He reports that the costs associated with securing a home IoT device are frequently relatively low (for example, boosting the encryption level of a device is a matter of software coding) and there is therefore really nothing preventing companies from offering home device users the same security offered to large organizations. “Sadly,” he says, “homeowners are not demanding the security that they need.”

But Callaghan is of the view that awareness has grown about both the risks of IoT devices and of potential solutions, and says CIRA is “confident” things will improve. “We are leaving the wild west phase of IoT devices behind and starting to develop proper policies to protect both users and networks,” he explains. “Here at CIRA, we are in the early stages of developing Secure IoT Registry which will help make the coming generation of 5G IoT devices more secure.”