Whenever I hear smart home proponents talk up the promise of smart locks and connected coffee machines, I get a little uneasy.
Why, for example, should a coffee machine be connected, unless you are constantly testing recipes that are downloaded directly onto the gadget itself? Do you need an always-on Wi-Fi link to make sure it’s updated?
Smart locks, too, are a question mark. Biometrics are great and generally secure because you have to be physically there, but why should a smart lock be Wi-Fi-connected? Do you really want to track the comings and goings at your home to see who’s come home at what time?
Sure, there may be some narrow use cases, but by and large, the benefits offered by many of today’s connected home devices are far outweighed by the risks they bring when they are exposed to the cybersecurity threats on the Net.
The latest leak to hit the headlines, this time from iRobot Roomba vacuums, is yet another reminder to homeowners to jealously guard which devices get access to their home network.
Testers of some of the robot vacuum cleaners in 2019 apparently had photos of their homes exposed: the machines shot the images while surveilling their routes, and these later ended up online.
As MIT Technology Review revealed on January 10, there was even an image of a child sitting in the toilet, which was leaked online.
Third-party vendors and contractors, worryingly, had access to the images as part of their work collecting and labelling the data to train the robots.
Now, iRobot may say that the victims here were part of a test and no customer data was exposed, but clearly the protection around the data was inadequate. How can it be acceptable for testers – even if they’re paid – to have their private images exposed online?
The key word here is trust and it is important to bring in a concept in cybersecurity called zero trust.
In today’s porous computing environments, where users are connecting from everywhere, businesses use the principle of zero trust to control who has access to privileged information. Nobody is trusted unless authenticated with the right credentials.
The same principle should be adopted by consumers. When setting up their home Wi-Fi, they should assume that every device has the potential to expose their network and data.
Yes, everything comes with risk. Worth considering, first, is how trustworthy a device maker is. In Singapore, a government labelling scheme certifies devices such as routers, cameras and smart switches, so consumers can easily find out which ones are trusted.
Don’t just rely on that, of course. Even securely made and regularly updated devices can be misconfigured by users, ending up with loopholes that cyber attackers can exploit.
So, keep abreast of the latest developments in the gadgets that you have hooked up at home. By default, you should not enable features you do not use, to reduce the chances of them being used as entry points should a vulnerability occur.
For network-attached storage (NAS) drives, for example, do you need to open up a port to connect from outside your home network? If not, don’t enable remote connections, or at least limit them to the period when you’re travelling.
Similarly, do you want to connect your robot vacuum to the Wi-Fi network? Can it work without hooking up to a mobile app that lets you, say, control it when you’re out of the house?
It’s not always possible to unhook everything, of course. Increasingly, device makers are seeking to collect data to improve products and also target you better, so many require you to not only connect via Wi-Fi but also to register an account with them (looking at you, Sonos).
At the end of the day, it’s a matter of benefits versus risks. If you like that Sonos soundbar so much and if you trust the company not to lose your data (or if the data isn’t a big deal, unlike say, images of your home), then the risk may be worth taking.
However, there are many instances where it is clear you shouldn’t hook up a connected device. What does that smart fridge do with the Internet connection, for example? Or gosh, a juice machine?
When I moved into a new home three years ago, I decided to buy a smart lock that didn’t have Wi-Fi. I blocked remote access to the few smart lights I had. I avoided any washing machine that needed a firmware update.
Now, one day, I might need to patch my washing machine. Already, that’s happening to some unfortunate Samsung owners, but not today for me.
One way forward is to only allow access for such devices, say, when they are up for maintenance. Or if you’re savvy enough, place some of these more vulnerable connected devices into a separate segment of your home network (using a virtual LAN) so they are blocked off from your PCs and network drives.
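The segmentation idea above, sketched as an nftables ruleset for a Linux-based home router. This is an added example, not from the original article; the interface names (lan0, lan0.20, wan0), VLAN ID 20 and the set name iot_maintenance are assumptions, and it covers only traffic forwarded between segments, not access to the router itself.

```nftables
#!/usr/sbin/nft -f
# Assumed (hypothetical) interfaces on the home router:
#   lan0    = trusted segment (PCs, network drives)
#   lan0.20 = IoT VLAN, ID 20 (robot vacuum, smart lights, soundbar)
#   wan0    = uplink to the Internet

# Create-then-delete so the file can be reloaded without errors.
table inet home_segments
delete table inet home_segments

table inet home_segments {
    # IoT devices that are temporarily allowed out, e.g. for a firmware update.
    # Entries carry a timeout, so maintenance access closes by itself.
    # Example: nft add element inet home_segments iot_maintenance \
    #              { 192.168.20.15 timeout 2h }   (constructed address)
    set iot_maintenance {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed in the first place.
        ct state established,related accept
        ct state invalid drop

        # Trusted PCs may reach the Internet and may control IoT devices.
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "lan0.20" accept

        # IoT devices may never open connections to PCs or network drives.
        iifname "lan0.20" oifname "lan0" log prefix "iot-to-lan " counter drop

        # IoT devices reach the Internet only while listed in the set.
        iifname "lan0.20" oifname "wan0" ip saddr @iot_maintenance accept

        # Nothing new is forwarded in from the Internet: no open NAS port.
        iifname "wan0" counter drop
    }
}
```

Devices that need a permanent cloud link to function will stop working under this policy until they are added to the set, which is the benefits-versus-risks decision made explicit per device.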
There’s no stopping all cyberattacks, that’s for sure, but it’s possible to reduce the risk of being a victim. More smart gadgets will turn up in the years ahead but you don’t have to hook them all up.