When I was reviewing a smart home camera earlier this week, I was quickly reminded of how connected – or porous – my home is.
Sure, the surveillance camera is handy, especially when it is accessible from a simple mobile app. It’s also easy to set up, without you knowing the ins and outs of home networking.
Yet, I couldn’t help feeling a little more vulnerable with the camera than without it. Perhaps we don’t have such an urgent need for cameras here in low-crime Singapore, but somehow I couldn’t help thinking of the risks outweighing the benefits.
What if someone manages to get access to the camera, say, in future when the manufacturer stops supporting an old model and leaves loopholes open to cyber attackers? He’ll see everything I see.
Too far-fetched? This was the same problem a cyber security expert told me he faced with his five-year-old surveillance camera.
Surprised that his broadband speeds were slow recently, he took a look at his router’s logs to see what was hogging the bandwidth. Sure enough, it was the malicious websites that the camera was connecting to all the time.
He threw the camera away, because there was no firmware update to fix an obvious loophole. Now, if a security expert can find himself in such a bind, what more regular Joes who blissfully forget what they install at home?
With the Internet of Things (IoT) expanding in smart homes everywhere, users are connecting a lot more devices to the Net.
Now, TVs, fridges, cameras, lights, speakers and door locks get connected alongside the PCs at home. Yet, the security for these smart devices often isn’t up to scratch.
A friend of mine who works in an Internet company goes pretty far to secure his home network. He maintains a list of malware sites on his router that he blocks, so that connected devices at home can’t “phone home” to hackers’ command and control servers even if they are compromised.
Ironically, he uses a Google Assistant-based smart speaker that listens in all the time, at his beck and call, for the magic phrase “Okay Google”. The convenience, he says, is worth the risk, which he continually monitors through his router’s logs.
The question for me during such conversations is always the same – is all this worth the risk? Should we broaden the attack surface or increase our points of vulnerability for the sake of convenience?
If you ask me if I can live without Google Maps, I’d say no, so I’ll go with the risk. However, I still feel uneasy about a device listening in the whole while, just so that I can avoid walking a short distance to turn on the lights or the hi-fi system. The benefits here can’t outweigh the risks.
For sure, everyone has a different risk appetite. Some live their lives like there’s no tomorrow, downloading pirated software from dubious sites without worry. Others may lock down everything and avoid new, connected devices altogether.
As long as you’re asking yourself the risk-versus-benefit question, that is fine. The bad news is that many of us have gone past that stage now. Homes are now filled with an endless chain of connected “things”.
From connected doorbells to fridges, these devices have become mainstream. Unfortunately, unlike PCs, it is difficult to keep track of them and update them all the time.
Since there has not been a lot of research done in securing these household items, it’s also difficult to find out if there’s been a breach.
Think of a man-in-the-middle attack where a hacker manages to disguise himself as the manufacturer of, say, a smart fridge, and issues fake updates that actually allow him to get into your home network.
How do you protect yourself against that? Even the security expert and my friend who works in networking would have a tough time blocking a hacker who would look legit in most circumstances.
Let’s also not forget about the way users are being forced to place their data on the cloud, where they often have even less control. It’s fine if you have an option to stay offline, but often you can’t even use the hardware without registering for an online account first.
Yes, I’m looking at you, Sonos. I can’t use a new soundbar without connecting to the manufacturer first. And this is to listen to music on my own server. Why have I increased my risk?
Some manufacturers may say they are offering convenience, but there’s a joke in the industry now about collecting data from people – best get as much as you can before the regulators and consumers wise up.
For end users, the only way forward is to be more careful, not less. Be more vigilant, by reducing the attack surface, not increasing it by installing all manner of connected “things” at home.
Is there a need to unlock your front door with a mobile app, when you can already do so with your fingerprint? Do you really need that Google Home or Amazon Echo-enabled speaker?