In the world of a connected home (or any other building), when you sell it or buy it, you need to consider the security and privacy implications. Does the former owner still have access to the security cameras? HVAC? Alarm system? Are the smart devices not so smart anymore? Have they EVER been patched? Are there known security holes big enough to drive a truck through?
It used to be that all you had to worry about was whether there were termites and whether the heating system worked (among other things). Now, at least in the case of smart homes, there are many other things to consider.
In fact, the Online Trust Alliance has even created a checklist (see here).
Here are a few thoughts to consider:
- Do you know what devices in the building are connected to the Internet and if there is a service provider involved?
- How do you know that the former owner can no longer access each and every one of these smart devices?
- Are all of these devices still supported by the manufacturers – if you even know who the manufacturers are?
- Are there known security vulnerabilities in any of the devices that would allow them to be taken over or surreptitiously monitored (for example, there are well-known cases of perps hacking into baby monitors and other security cameras and watching)?
- Are all the devices patched? Do you know HOW to patch all of them?
The challenge, I think, is that this is likely overwhelming for most homeowners – except maybe for a few geeks.
Manufacturers of these smart devices don’t help either. The manufacturers could easily help a hacker break into your system since they really don’t know if you ever owned or still own the system in question. In addition, for consumer devices, manufacturers stop making them pretty quickly and want to stop supporting them soon after that.
Manufacturers also make it difficult for users to install patches. Do you, for example, have any idea how to patch your smart TV? This is the current generation’s version of the VCR with the blinking clock. (That is, for those of you old enough to know what a VCR is. If you are not old enough, it is your parents’ version of a TiVo).
Manufacturers have to step up their game – assuming they want to become anything other than a niche player. I can also see the prospect of lawsuits against manufacturers who don’t patch their devices in a timely manner.
On my satellite TV, the provider downloads software updates every week – so I don’t try to record any shows on Saturday night at around 2 AM. That’s when the satellite box takes over, shuts down satellite reception and downloads new firmware.
I am not a cable user, so I don’t know what they do, and each provider is likely different anyway. Typical cable setups have a cable modem and a set top box, each of which would need to be patched separately. It is reasonable to ask your provider: who is responsible for patching security holes, how often does that happen and, if you need to do it, how do you do it?
I only mention TV boxes because they are something most people are familiar with. While they are smart, they are not likely to be handed over to a new owner.
What is likely to be handed over are things like smart locks, alarm systems, security cameras, garage door openers – all connected to the Internet. And, if the manufacturers are right, by the year 2020, billions of other devices.
As if you didn’t have enough to be concerned about when buying a new or used home (even if it is new, someone else likely has the codes).
UNLESS users start pressuring manufacturers by refusing to buy products that do not address this issue, I PROMISE this problem will get worse before it gets better. Sorry.
Information for this post came from CIO.