How security experts manage their own ‘smart’ homes
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Raj Samani jokingly describes himself as the least popular person in his own home. At work, he is chief scientist at IT security company McAfee, a special adviser to the European Cybercrime Centre in The Hague, and the author of several books on cyber security.
But at the home just outside London that he shares with his wife and three children, he is considered a spoilsport, whose concerns over security and privacy thwart his kids’ desire to use new “smart” home devices and apps.
“It’s a constant battle,” he says. “I’m really, really cautious about what devices we enable in the home and I’m constantly trying to educate my kids about the risks.”
Sometimes he bans a device or an app outright. That is often based on consultations with colleagues at work, where a threat research team is constantly analysing smart home devices for vulnerabilities. In August, for example, it uncovered a problemwith the Wemo Insight smart plug, a WiFi-connected electricity outlet. The team found that a particular vulnerability in this device — which the researchers reported to the manufacturer — might provide a hacker with a gateway by which they could compromise an entire home WiFi network.
On other occasions, Mr Samani reaches a compromise with his children. His daughter was allowed to install a personal digital assistant, but must keep it switched off most of the time, turning it on for just a few hours in the evening. “The risks of a microphone in the room that’s always on and constantly listening just freaks me out,” he says. “I know I’m in the minority, though. Most people that I know outside of the IT industry are embracing this fully connected, smart home lifestyle.”
Gartner, the market research company, estimates that homes worldwide will host 20.8bn connected devices by 2020. Some of these could open homes up to new security risks.
Keiron Shepherd, a senior security systems engineer at F5 Networks, recently decided to take a closer look at an internet-connected security camera he had set up at his home.
When looking through the underlying code for the camera, he discovered a default admin password hard-baked into the code, which meant that if the manufacturer itself was breached by a cybercriminal, the hacker could use that password to gain instant access to every camera shipped to customers.
“I contacted the company to make them aware, and they admitted that the flaw had already been disclosed to them, but that the software was provided to them by a third party, and they were waiting for that provider to do a fix,” he says.
In central Tel Aviv, Orli Gan and her husband, Ory Segal, founder and chief technology officer at security start-up PureSec, use their industry expertise to continuously monitor their home network. In total, the couple and their children have more than 30 internet-connected devices on their smart home network. “We periodically perform penetration tests and occasionally ‘hire’ our expert friends for additional validation,” says Ms Gan, who is head of threat protection solutions at IT security firm Check Point.
Not everyone will have access to these kinds of resources, but the good news, she says, is that experience has taught the couple that most attackers are just looking for “the path of least resistance”. Fending them off typically boils down to the kind of responsible IT hygiene that can be practised easily by non-experts.
The advice from IT security professionals to smart home owners is to keep security top of mind when buying a device. Simple internet research can quickly reveal if problems with a particular device have come to light.
When installing devices, change the default password shipped with the product and make sure it is a strong password. Once a device is installed, keep its software current by regularly checking for updates and, where possible, setting the device to auto update.
Finally, it makes sense to secure the internet router, which represents the gateway to the home, typically setting it to the WPA2 standard.
It is worth being selective about the devices you connect, says Mr Samani at McAfee. “Any device we deploy in my home goes through some degree of due diligence and, in many cases, that process starts with the question: ‘Do we really need this?’,” he says.
“Yes, I could buy a smart doorbell — but what’s wrong with a normal doorbell? I don’t buy anything just because it’s ‘cool’. In fact, I want as few devices in the home as possible, because the fewer devices you have, the less effort is involved in keeping it all secure.”