Hacking Smart homes & your personal data…
MEET THE SPEAKER
Bruno Napoli is a Smart Home veteran & expert, serial entrepreneur, blogger, speaker, thought provoker, influencer known as “The GAFA man”. He has created and been involved in many companies since 1992, covering all aspects of the AV and Home Automation industry.
Bruno’s latest company Krika has created a product for professional use that enables remote supervision of AV & Home Automation products. Using all possible APIs and protocols, we have been able to easily talk to and control almost all IoT in a home… This is where I started to blog about the weakness of IoT in the Smart Home industry.
Follow me on Twitter @brunonapoli_FR, on Medium @brunonapoli and LinkedIn
Why waste time hacking an enterprise for clients’ personal data, when you can collect it directly from people’s smart homes?
Fortunately, the enterprise world can count on a myriad of experts and consultants to help secure infrastructure and systems against a cyberattack that would, for example, collect clients’ private data. But with this crazy, wild and totally unsecured consumer rush toward the smart home, it might become easier to collect that data directly from the clients themselves!
Billions of dollars are going to be spent by consumers on IoT in the next 5 years. Studies predict that by 2022, all households will probably have more than a hundred connected objects.
It’s an incredible cake to share between manufacturers and service providers. Trust me, the consumer electronics industry is going to be very creative. As a result of the aggressive marketing and industrial supremacy of the leaders of this industry, Google, Amazon, Facebook and Apple (aka the GAFA), everyone can “Smartify” a home with just a few hundred dollars. That budget already declines from month to month as products are mass-produced by Chinese firms such as Baidu, Alibaba, Tencent and Xiaomi (referred to in China as BATX) and become easier to deploy.
The trap starts with a $49 voice assistant that gives the weather and can order a pizza. Then you gradually populate your home with a Wi-Fi camera on the right, a smart door lock on the left, a connected light bulb at the top and a wireless speaker at the bottom. Without even realizing it, without spending a fortune, your home is now Smart, it knows everything about you and you can control it remotely. Once you have succeeded with those first easy steps, you’ll hysterically want to try all possible smart products and services the industry will churn out and suggest you buy. Within a few months, your home will have more connected products than an SME! This untamed jungle of IoT uses all possible protocols, TCP/IP ports and APIs, all possible radio signals and frequencies, and is connected to the “Baker family WIFI” using Mrs. Baker’s mobile phone number as the password for everything.
IoT and Smart Home are already so trendy that in the coming months, no home builder or property developer will appear credible if they are not able to deliver a house or apartment that displays a “Wannabe Smart Something Wi-Fi Amazon compatible” logo, whatever it means, whatever people understand of it, whatever products will be installed and, most importantly, however it will be deployed and maintained. When you sign the order form for your future home, you will check the option Google, Amazon, or Apple. Ultimately, the word “Smart” will disappear and where we live will be called Home again. We are not here to debate whether the smart home is good or bad. Smart Home will reach all homes like electricity did a century ago. It is inevitable, get over it.
The direct consequence of this digital transformation is the same for the consumer world as in the enterprise world. The more connected we are, the more vulnerable we are. We live in houses that can literally turn against us, either through bad programming of the home automation system, compatibility issues between devices, or simply because they have been hacked. And there, once our home has been turned into a smart chimera, the gloomiest scenarios will become real. Products like Fing or its competitors exist to help consumers control and protect their network, but unfortunately, they are not sufficiently deployed yet.
Consumers are already a much easier target than any company for collecting data or harming people, and they are definitely the Achilles heel of a secure cyber world. All the efforts and millions invested in securing a company’s infrastructure to protect clients’ data could be ruined overnight when the next massive cyber-attack uses a security breach found in this new incredible must-have Trojan horse: the $5 connected hand spinner every child in the world will ask their parents to buy. The latest massive DDoS cyber-attack on an IP camera proves to us that hackers know how to exploit consumer products. That was just a warm-up.
Consumers have no real security strategy, no IT guy to tell them what to do, no best practices. They just want things to work, get rid of passwords and have fun. And as manufacturers in the consumer channel just want to sell their stuff and create absolutely no stress that could stop the buying process, they will not really place emphasis on security and will leave all the responsibility for it either to the installer or to the end users themselves. I would like to emphasize here the fact that lots of IoT devices are going to be used for health and for keeping people at home instead of in a hospital. In this case, the level of security of the network at home should be mission critical. Who will help them?
As an expert in smart home for 25 years now, I saw this industry emerge and become entirely dependent on a local network infrastructure and on the Internet. I also saw home automation professional installers wade into managing and securing a network because it’s just not a skill you can acquire by watching a tutorial on YouTube during a lunch break.
Watch the latest podcast recorded on July 11, 2018 from AV Nation TV (https://avnation.tv/podcast/resiweek-127-cyber-security-rmr/), one of the leading consumer electronics professional podcast producers. Can you imagine that the first 10 minutes are spent talking about “Changing the default password”?
Today, professional home automation installers are former Audio/Video and home cinema guys, low-voltage CCTV/alarm installers or electricians, a long way from technical networking skills. And even if they would like to partner with a local IT company to create and maintain the network of their clients, the prices are usually too high for the residential market, as they are tailored to companies’ needs. In short, the enterprise world has built protection walls on only one half of the fortress.
More than stealing personal data, hacking a smart home can be deadly. Let’s try to list the risks introduced by a Smart Home, if someone hacks it. Just keep in mind that this list only uses the smart devices we have today. But try to imagine the exponential nature of it in a few months… a few years… who knows what other incredible smart devices the industry will produce.
- Hack the setup of my HVAC so it can possibly destroy itself.
- Hack the setup of the garden watering system and have water disaster consequences.
- Disable or change the sensitivity of all smart detectors (alarm, smoke, leak…).
- Open all doors, disable the alarm and turn off my CCTV.
- Ask the bathtub to overflow while I’m on vacation.
- Disable the security of my gas water heater and ask it to boil the water until it explodes.
- Turn on all appliances that produce heat in the house during a hot summer, including the ethanol fireplace, close all ventilation grids and turn off the air extraction.
- Once inside a local network, it’s even possible to flash the firmware of almost any device with a custom one, which can give over total control of a device and disable all internal protections.
There is a big challenge for the professional cyber security industry within the enterprise world to help consumers. And where there is a challenge, there are tons of business opportunities to innovate in terms of products and services. It’s a question of balance and common sense, as both enterprises and consumers should have the same level of security. It can start with the creation of white papers and best practices, and the creation of certifications and quality marks for consumer professional installers. Maybe the biggest opportunity of all would be to create consumer-dedicated IT service companies to create, secure, manage and maintain “smart” networks for consumers.
Can you imagine that the everyday Joe who chooses to DIY his Smart Home will have to maintain it as IT managers take care of a small business, meaning:
- Constantly check and update the firmware/OS of the home automation system, all mobile apps and connected objects;
- Try all new features as well as make certain that all these beautiful devices continue to work well together after being upgraded;
- Audit and protect his local network and regularly change the passwords of the Wi-Fi and all apps and services;
- And finally, since the life span of a house is supposed to be several decades, in any case much longer than the programmed obsolescence of technological products, it will also be necessary to ensure that the components installed are always up to date and supported by manufacturers. And by the way, what is he supposed to do when he finds out that an IoT product is not supported by the manufacturer anymore, meaning that even if one day a security breach is found on this device, there will never be any update? Will we have to change our IoT components every 4 or 5 years to benefit from new features and protections in cyber security? As you can see, a lot of challenges for an end user who would just like to stream Game of Thrones!
I’m not an expert in Cyber Security, and I’m sure readers have an idea of what to do to secure a Smart Home and propose a service for the residential world. Just keep in mind that it’s residential, so the product/service should be 24/7 and very user friendly.
The challenge for home automation professional installers will be more or less the same as for an end user, with more responsibilities.
- First, as professionals, they have a legal duty to clearly inform end users of the issues described above in terms of the monitoring, updating, upgrading and maintenance a connected home requires.
- At the same time, professional installers must create contracts to offer all these services. Today, 99.99% of AV and Home Automation professionals in the world do not propose any service or maintenance contract to end users. They do the job, install a local network and leave (as long as it works…).
- And since we are talking about people’s safety, it is also highly likely that they will have to obtain new professional certifications and insurance.
- The final challenge is that they will need the human resources to carry out these service and maintenance contracts. There is no doubt that these contracts will create millions of hours of work that will open the eyes of nifty entrepreneurs who will seize the opportunity to create dedicated service companies.
For real estate developers, a “Smart Home” department will need to be created and staffed with competent people to choose products that can be integrated on a very large scale, as well as to negotiate good partnerships and agreements with service companies, the GAFA, industrial partners and local governments to keep all of this working smoothly. A lot to think about for a builder who doesn’t usually set foot back on a construction site after delivery.
The last challenge will be for home insurers, who will certainly not let us turn our houses into smart chimeras without reacting. We are now able to remotely control the opening of all doors and windows, but also to remotely control devices capable of inflicting serious damage, such as gas boilers, bioethanol fireplaces, automatic water taps… And as smart fire detectors, water leak detectors and alarm systems are connected to our local network, they can all be hacked and turned into bots. Below are some of the challenges for insurance companies to answer with respect to a Smart Home, in the form of questions a policyholder might ask:
- I want to know your recommendations and best practices, so you can’t tell me in the future that you won’t reimburse me because my Smart Home was not secured enough because I didn’t follow the best practices in use in the industry or because it was not installed and/or not maintained by a qualified specialist.
- And by the way, what industry, specialist, qualifications and best practices are we talking about? Is that an IT guy? An electrician?
- Will you sign a document to acknowledge that my actual insurance policy will cover me as usual no matter what I am turning my home into?
- Will you one day set some limits as to what we can do in a Smart Home?
- How strong should my password be for my Wi-Fi system, on all my smart devices, and how many times should I change it per year?
- Can I still use connected devices that are not supported by the manufacturer, meaning that even if they found a major security breach, there will never be any firmware update?
- Will you give me a list of forbidden connected devices I can’t use in my home because they are too vulnerable?
- If there is a new firmware update that patches an important security issue on my bathtub or my gas water heater smart thermostat, how fast am I supposed to update it? And if the problem occurs before I patch the device, will you still be covering me?
- What if my professional installer has been hacked? He probably has all my information, login and passwords. Does his insurance cover him for this?
For the moment, no insurance companies are ready to answer these questions.
In fact, just as autonomous cars will need a totally new type of insurance policy designed in collaboration with the car industry, a smart home will also need a totally new type of insurance policy. Be sure that one day, home insurers will require the AV and Smart Home industry to design specific Smart Home certifications and maintenance contracts to avoid or minimize all risks because, in the end, insurance companies will be the ones who pay when there is damage.
As you can see, there is a lot to talk about and lots of opportunities. Let me know your thoughts about this article; I’ll be happy to share with you more about the Smart Home industry. You can follow me on Medium, LinkedIn & Twitter.