In 2015, A New Kind Of Hack To Worry About: The Smart Home

LAS VEGAS -- Remote parking assistants. Glucose monitors. Smart chairs, lights, beds, flowerpots. If there’s one technology prediction for 2015 that seems safe, it's that the smart home, bristling with connected devices categorized under the loose moniker “Internet of Things,” has arrived.

And here’s another prediction: 2015 will bring the first of many smart-home hacks, which will be more personal and disruptive than what we've seen before. That one's from Federal Trade Commission Chairwoman Edith Ramirez, who came to the International Consumer Electronics Show to give a version of her stump speech, a dystopian vision of the the not-so-brave world of the Internet of Things.

“Any device connected to the Internet is vulnerable to being hijacked,” she warned. “As we purchase more smart devices, they increase the number of entry points an intruder could exploit to launch attacks on or from.”

Once, this might have meant opening a garage door or turning lights off or on. But as the connected devices take over homes, cars and bodies, including safety systems like home security systems, medical devices and car brakes, critical systems are being networked. And that, along with the aggregation and transmission of ever-larger data sets -- perhaps beyond the knowledge of individuals -- is of keen interest to the FTC, which brought its first case against an Internet of Things company TRENDnet last year.

This year, just about every large electronics manufacturer has made the Internet of Things a theme: Samsung bought SmartThings, an Internet of Things platform company in August; LG laid out a vision for an ecosystem of smart devices that follow users from the office to the car to the home using natural language commands called HomeChat. But the availability of near-zero cost sensors have led to an explosion of startups, and 900 Internet of Things exhibitors are at the CES in Las Vegas. Many of those companies don’t have chief privacy officers or decades of experience in data security or privacy policies.

“A tiny startup could jump in and create a key element of your home network,” said Joseph Lorenzo Hall, a panelist and chief technologist at the Center for Democracy & Technology, a Washington, D.C.-based nonprofit. “Our dependence on computer tech is moving faster than our abilities to protect ourselves.”

Safety concerns

On the show floor, exhibitors are making security a key part of their pitch. Lars Felber, a spokesman for Elgato Systems, a German smart-home electronics maker, said the startup made a strategic decision to stick to home-monitoring devices, rather than locking and unlocking doors or other things that could do damage if hacked.

They also decided to build on Apple’s HomeKit standard rather than build their own cloud so Apple would be charged with protecting the data. “We thought OK, here is the world’s richest company, a company that doesn’t sell data, it sells products and is not interested in selling or trading your data,” he said. “You need 100 guys to constantly counter the attacks and update the cloud. We don’t have that.”

That threat multiplies as users add many different systems, or they simply add themselves by being brought into the house and turned on. “If you have a lightbulb that has a processor, it has its own security considerations, and that connects to a light switch and to a light hub and then add the cloud -- all those are potentially vulnerable points,” said Ryan Maley, director of strategic marketing for ZigBee Alliance, a Chicago-area nonprofit consortium that created a wireless standard for Internet of Things devices used by 400 companies, including General Electric, Comcast, Google's Nest smart thermostat and Samsung.

But he said some concerns are overblown: “In the time it takes to hack a Kwikset door lock you can bust the door down.”

Many drew distinctions between critical, safety-oriented systems and a monitor that tells you when to water your ficus. German engineering company Bosch said it uses entirely different technologies for connected infotainment systems and critical systems like brakes, steering and engine management. The control units for those systems go through a protocol to verify that the inputs they’re receiving are from the driver and not from, say, a hacker.

Despite YouTube videos of Teslas and Priuses being hacked, Bosch spokesman Stephan Kraus said cars are safe, for now. “We don’t know of any situation where someone sitting outside a car and with an Internet or Bluetooth connection were able to get access to the drive systems,” he said.

Cheaper, less safe

FTC Chairwoman Ramirez said the cheaper and more disposable sensors become, the less likely their producers are to maintain them or notify consumers of a problem. “If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch -- or even to get news of a fix to consumers,” she said.

She also voiced concerns that while you might give permission for your thermostat to monitor the indoor temperature, your security system to know when you're not home, or your car to know where you are, or a fitness monitor to check your sleeping patterns, the combination of these datasets could paint an extremely detailed portrait of an individual. That data could be used to adjust insurance rates, direct advertising, or perhaps approve or deny a loan or job.

But the worry among manufacturers is that Washington lawmakers will make policy based on what could happen, throttling a vibrant economy before it really gets off the ground. "If we spent all our time worrying about worst-case scenarios and making policy based on that, then best-case scenarios will never come about," Adam Thierer, a senior research fellow at the Mercatus Center at George Mason University in Washington, said.