Are Smart Homes Open Houses for Hackers?

The truth about smart-home devices is that many of them are less secure than you’d like. But your individual security camera, smart light bulb, or Wi-Fi thermostat—as well as your personal possessions and information—isn’t a likely target for a hacker capable of cracking such things. After all, it’s still easier for a criminal to break a window than to crack a smart lock. We spent hours researching the issue and talking to security experts who specialize in the evolving Internet of Things, and we found that the real cause for concern when it comes to smart-home security has little to do with your own home but everything to do with the power of networks. Remember last week, when it felt like large parts of the Internet went out of commission? That attack began by way of a giant network of compromised smart-home devices.

“It's all about the bots,” said Jim Hunter of Greenwave Systems. (He’s also a member of the Internet of Things Consortium.) According to Hunter, bots make up 29 percent of all Web traffic. Bots or botnets aren't people—they're programs, or a network of them, that can scan and exploit millions of Internet connections faster than you can close your laptop case. Bots can steal data, or they can shut down websites or even significant portions of the Internet itself. Most recently and prominently, a bot network called Mirai leveraged a network of compromised Wi-Fi cameras to take down Dyn's DNS servers in the eastern United States, and with them access to Twitter, CNN, and Spotify among other popular sites and services across the US for the better part of a workday. A couple of weeks before that big October 21 bot attack, a targeted botnet had used the same Mirai malware to launch a DDoS attack on Internet-security site KrebsOnSecurity.

Although no one has claimed responsibility for either event yet, a Chinese company has been mentioned as the maker of most of the network cameras and DVRs involved in such attacks. Krebs has a list (in a PNG image file) of the likely devices here. Most of the devices on the list are off-brands and not items recommended by Wirecutter, and the attacks appear to have come from outside the United States—so this time your Wi-Fi camera or smart-home hub was likely not involved.

How to tell what's safe

Over the past year, several popular smart-home and Internet-connected devices have been shown to have security flaws. SimpliSafe, Ring, SmartThings and Nest have all been the victims of highly visible exploits, potentially exposing their users to all sorts of problems. Hackers at this summer’s Black Hat security conference demonstrated how a popular smart LED light bulb could be compromised. And a team of researchers presented findings at another security conference explaining how they added malware to an app to gain control over smart light bulbs and Wi-Fi switches. Fortunately, all of those high-profile hacks were performed by IT professionals or experts, not average criminals, and manufacturers promptly plugged those holes as soon as they were discovered. Nevertheless, experts caution that exploits of smart-home and connected devices still have the potential for real-world harm—even if your individual home is probably safe.

The good news is that the average person can continue to use smart-home devices without much fear of being hacked on the individual level. But there are a few red flags you should look for and avoid. At Wirecutter, we generally recommend sticking to smart-home devices developed by established brands that have been well vetted, and this advice applies doubly for anything that connects to the Internet. Established brands have reputations to uphold and a built-in incentive to keep their devices as secure as they can make them. They will keep sending updates, and they will be quick with the fixes if something turns up. (At least, that's been the history so far.)

On the other hand, popular devices may be more likely hacking targets simply because more of them are around, and thus they have a greater potential payoff for would-be attackers. It’s one thing to hack a no-name smart bulb with a single-serving app and get access to a few hundred users—it’s another to crack a popular smart-home hub and gain access to several hundred thousand users.

A company's password strategy can be a sign of its overall approach to security. If you're able to set up a device with a built-in default password (or no password), and the system doesn't insist that you change or establish the password before proceeding, the company probably doesn't take security seriously, and that's a red flag. It's like selling padlocks where every lock takes the same key—such locks are next to useless.

Also beware of devices that seem to be asking for too much. I once reviewed a security camera that wanted my firewall to come down before it could connect to my network. That isn’t a very secure camera.

Jim Hunter of Greenwave Systems pointed out to us that some smart-home technologies are inherently more secure than others. Specifically, HomeKit, Thread, and Z-Wave with its new S2 framework all have security as part of their respective system designs.

Defense is the best offense

Although it’s important for companies to design their devices to be reasonably secure, most of the responsibility for keeping intruders out of your smart home rests with you.

• As we note above, passwords are critical. The most important thing you can do for your smart-home devices and your network in general is to change the default passwords immediately and use unique, non-obvious passwords for your devices. Don't use your pet's name or your children’s names. You've probably posted those names on social media a hundred times. Don't use your birthday, anniversary, or address. Those numbers are easy to find. Also, don’t use the same password on all your devices; make each one unique. You can find more about password security and password managers in our review.
• Set your devices to update automatically. That way you get security patches the moment companies release them, not three days later when you've read about the update online.
• Make sure to enable the firewall on your router.
• If your router supports it, use WPA2 security encryption rather than the weaker WEP. If your router doesn't support WPA2, get a new router.
• Another good strategy is to set up a separate network just for your smart devices, and keep your computer (where you do your banking and other sensitive activities) off it.
• For additional advice, see these tips from the Online Trust Alliance.

Even if you do all of the above, your device won’t be hack-proof. You have no control over the manufacturer's servers, no control over bugs in updates, no control over weak code in the device, no control over apps that don’t protect your data, no control over a company that goes out of business or decides to pull the plug on product updates, and no control over rogue employees at the manufacturer. Always be at least a little cautious—even Mark Zuckerberg covers his laptop camera with tape. On the other hand, you also have no control over meteorites, earthquakes, and lightning, but you still manage to sleep at night.

What's the future of smart-home security?

Hopefully, more security is coming in the future. Considering the speed at which the smart-home segment is advancing, especially with mass-appeal products such as Amazon's Echo and Google Home, the industry has to take security seriously, or it will lose customers’ confidence.

A secure seal of approval from a certifying organization similar to UL would be a good step. Jim Hunter of Greenwave Systems told us that the industry needs something like Verisign for smart-home products. Certificate services like Verisign (owned by Symantec) or Truste tell you whether a website is trustworthy. The IoT Consortium, said Hunter, is working on guidelines for an equivalent seal of security for smart devices. Meanwhile, the European Commission has already taken the first steps in the form of a sticker that will tell shoppers what security measures are baked into the devices they purchase. In October the National Telecommunications and Information Administration, part of the US Department of Commerce, held a meeting to begin talking about security standards for smart devices. According to an article by The Register, the administration discussed ways to inform shoppers about devices’ security measures, incentives for stronger security standards, and the length of time a company should commit to keeping devices updated with security patches.

At this point, I've probably made smart-home gadgets seem riskier than lawn darts. Yet I still have them all over my home, as does Jim Hunter, who calls himself a huge smart-home device enthusiast. We’ve reached out to the manufacturers of all of Wirecutter’s recommended smart-home devices to ask for details about their products’ security, and going forward we will include security as part of our review process.

When you make a decision regarding smart-home gear, it comes down to balancing how paranoid (or cautious) you are with how much you value the experience of using a device, as well as how much you trust the company that made it (or operates the service). After all, a glass window is significantly less secure than a brick wall, yet people fill their homes with windows. With reasonable precautions such as the ones described above, I'm not overly worried about my Echo spying on me or someone Rickrolling my Sonos speakers.