According to projections, more than one-fifth (precisely 21.3%) of households worldwide would be using smart home devices by 2025. To put that into perspective, the penetration rate in 2020 stands at 4.9%. Here is all about smart home and data protection and the struggle between convenience and security.
What is the cost of your privacy and cybersecurity?
While smart home devices’ proliferation is for good causes (safety, comfort, convenience, wellness, entertainment, etc.), more than enough reports have shown that these benefits come at the expense of privacy and cybersecurity.
Research has shown that most people have little trust in smart device providers.
According to an ADT survey, 93% of smart home devices consumers are concerned about how companies share their data. The human wariness factor is certainly not misplaced.
Smart home devices collect very personal information, and security is paramount.
Data Security Concerns
The fear of users of connected devices is two-fold. On the one hand, there are suppliers infamous for unauthorized data collection, usage, and sharing. On the other hand, some attackers would stop at nothing to intrude on devices and access a user’s data for nefarious purposes.
- Unauthorized data collection and usage (suppliers).
“New technologies cause new problems,” said Surya Mattu as he received his 2018 Technology in Journalism award. This is the award that Mattu won with his co-journalist, Kashmir Hill.
Together, they investigated how much data smart home devices collect and share about their users. By building a special router to monitor the smart home devices installed in Hill’s apartment while the experiment lasted — Mattu was able to collect personal and sometimes very sensitive data about her and her husband.
As an ESET study revealed, even in privacy policies that guarantee user data protection, the use of the term “but not limited to” in privacy policies — extends the potentials of data collection.
Agreeing to these terms may inadvertently grant the vendors unrestrained access to and usage of other forms of data than the ones that have been explicitly stated in the policy.
In addition, there may be privacy risks through device integration across vendors, especially when one of them has significant security issues.
- Unauthorized data access and intrusion (attackers).
Last year, several reports emerged of vulnerabilities in the Nest Cam IQ indoor camera that could enable hackers to hijack the device and interrupt the network.
The vulnerabilities found included denial-of-service (DOS), code execution, and information disclosure.
Compared to other devices such as smartphones and laptops, smart home devices are notorious security liabilities.
The backup data contained the owner’s personal information, including location and contact details. Apart from that, the team exploited a remote code execution vulnerability to access the smart hub, all the devices it controlled, as well as the home network.
With an attack such as this, there was hardly any conceivable limit to what hackers can do. Anything from pulling off a prank to robbing the house is possible.
Examples of attacks that smart home devices may face.
- Man-in-the-middle (MitM) attacks allow a hacker to intercept the communication between two devices to steal personal information, impersonate a party, or corrupt data, among others.
- Denial-of-service (DOS) attacks interrupt a device or network, rendering it unavailable to the rightful users. An example is the Mirai botnet attacks that occurred a few years ago. Permanent DOS attacks can cause irreparable damage to a device.
Regulations and Government Policies
Apparently, governments have not lived up to expectations as regards regulating data protection for smart home devices.
Some of the minimal laws that exist contain ambiguous provisions that complicate data protection issues. Two of the major laws that address smart home devices are the GDPR and the CCPA.
The EU General Data Protection Regulation controls the use and sharing of personal data collected by businesses. The data includes smart home device vendors.
The GDPR does not prevent the use and collection of data. However, and more importantly, it forces companies to become transparent in handling users’ data and gives consumers more power over control of their data.
The introduction of the California Consumer Privacy Act at the beginning of the year rightly generated plaudits.
The act included a section that tackled IoT security specifically. The IoT security law, as SB 327 is regarded, requires manufacturers of connected devices to “to equip the device with a reasonable security feature or features.”
However, the ambiguity of the text complicates matters. Therefore, the law has been deemed inadequate for guaranteeing IoT security.
The reality is that there aren’t enough regulations globally to ensure the security of smart home devices.
Perhaps, the technology is developing at a pace faster than the law can keep up with. This means that users of smart home devices have an enormous responsibility for vigilance in protecting their data.
Smart Home Safety
Permission settings allow you to determine how your data is used and share and integrate controls for other devices and apps. Deny permissions that are too intrusive or that you are not comfortable with. And consider as a potential threat any permission to edit router settings.
Note that some permissions are set by default. Therefore, one of the first actions to take after purchasing a smart device is to check all the permissions and deny the unwanted ones.
Likewise, when you stop using a device, whether because it stopped working or otherwise, don’t forget to disconnect it from your network and from other devices.
- Secure Access
Observe basic security hygiene to keep your devices away from unauthorized intrusions. For passwords, change the default password to a strong password you can easily remember. Likewise, use different passwords for each device and change these passwords intermittently to secure access to your device.
Another important measure is enabling multi-factor authentication. This provides an additional layer of authentication, making it difficult for an intruder to access your account, even if they know your password and username. Also, do not forget to secure your network.
- Network Segregation
Segregating your network based on the behavior of your devices helps you to protect your most personal and most sensitive data.
Even the FBI recommends it. Keep all your IoT devices and appliances on a separate network from personal devices such as smartphones and laptops. The basic way to do this is to use different routers.
Alternatively, many Wi-Fi routers allow you to create virtual networks that operate as separate networks but are run on the same network. You just have to know how to set these up.
In the end, those who regard convenience as the enemy of security are not entirely wrong.
Applying tighter security measures to smart home devices would accelerate the adoption of these products as a by-product of abating many people’s fears. No one should have to give up their privacy just because their speaker or their lighting system is connected to the internet.
However, while the goal of not giving up your privacy remains the aim — there is a great responsibility for users of smart home devices to ensure their data protection.
After all, the ADT report also stated that less than 40% of the survey respondents were taking any data privacy measures at all!
Image Credit: sebastian scholznuki; unsplash