The Internet of Things, or IoT, Connected Devices, Smart devices whatever you want to call them have become a fixture in most homes. It has gotten to the point where you have to look hard to find a device that is not “Smart”. Manufacturers love to push the marketing term smart onto the consumer as it becomes a value add proposal; hey this can do all of this and you can control it using your phone from anywhere. What they do not disclose is exactly how insecure these devices are and how much privacy you can end up giving up just by having them in your home.Despite the push for more and more connected devices there is still little to no security standards for them. They are made from a collection of different hardware with different security options (most of which are not even enabled) and generally talk back to some sort of cloud service like AWS for command and control. Security researchers that have studied these products have found that most have zero protection against intrusion, code modification, session hi-jacking or anything else. They can be open windows into your home network and these products gather a lot more data about you than you might think. Just look on Shodan to see how many of these devices are visible and accessible from the open internet.
Even the simplest of devices can collect data about your habits and relay them back. In more extreme cases, like voice activated devices, what is collected about you is quite alarming. With the launch of smart home assistants like Amazon echo a whole new level of personal information capture has started. Consumers are either unaware or do not care that devices like Echo listen to everything you say and sort through that for certain command phrases. These are always on devices and do maintain a record of what is said in their vicinity as shown by a recent warrant to gather Amazon Echo logs in relation to a police investigation. The same thing was shown to be happening to Microsoft’s Kinect which led to gamers not wanting that piece of hardware. It came close to hurting Xbox One sales when Microsoft said that you had to buy one and that your console had to be connected to the internet all the time. Of course that backlash was from gamers and a market that understands the technology.
With Echo and other devices the people getting them are looking for convenience and often do not care about what is being gathered about them or the risk it puts their home network to. They want the gadget and that is that. In conversation with people that own them or are looking to buy something like the Echo they gloss over both the privacy and the security concerns so casually that you would think breaches, botnets and data theft simply do not happen. Some of this comes from misplaced trust in the companies that sell these devices and a lack of understanding of just how much personal information is captured about them from using them.
The lack of security and personal data collection is not likely to change any time soon as these devices are selling quite well. If consumers are willing to put up the money for an insecure device that captures everything said around it, what motivation is there to change the product? Over the next few years the saturation of these products and devices is going to grow along with the risk. It will probably not be until there is a large scale breach with data loss that is directly tied to one of these devices (and that results in financial consequences) that anything will even being to move, or there needs to be a massive shift in consumer education and awareness (with loss of revenue).
For now, we suggest that you check into the security of any smart products you buy along with skimming through the terms and conditions to see exactly what you are giving up by buying and using a given product. You might find that the flashy new home automation gadget you were checking out is not worth it after all.