Your next home will be connected in creepy ways. It will take a while, but eventually every machine and device in your house will talk to everything else, and Consumer Electronics Show (CES)-born inspiration will be at their roots. From e-toothbrushes to connected e-toilets that can detect a health issue (Really!), the items in your home will be controlled via the internet and will be everywhere. But what does that mean for security?
Some powerhouses in the industry, the kind with the huge CES booths and budgets, have started ramping up security in their connected products. But around the back corners of the digital exhibit halls where the next aspiring hot startup is located? Don’t count on it. The problem is, time-to-market often trumps security, so safeguards get pushed aside with the promise that future firmware updates might address those issues someday. Or not. Anyone got a ten-year-old router that still works fine but is full of holes? Yeah, that.
But back to the creepiness: Recently, a ransomware campaign took control of a home device – a chastity belt – demanding payment in order to have the belt unlocked. And new automotive vendors have trotted out the ability to determine things like your weight, sex, age and mood, and even increase vent airflow in your car to “cool you down” if you seem angry. Expect this level of invasiveness in your new home – if you allow it.
Who wants your home data? Vendors who will offer discounts in exchange for slurping more and more personal information from your sensor-riddled dwelling. At first, some will welcome the discounts and opt in, but eventually insurance companies’ insatiable actuarial data hordes will be more insistent, tying your home sensors’ information to insurability. Without having to say whether they’re most interested in your weight gain (or loss), sugar content in your e-fridge or whether you’re brushing your molars effectively (your new toothbrush will know), their magical black box will ratchet rates up or down, or even prompt policy cancellation.
Later, you’ll have to pay more if you don’t provide that information. This slow move from opt-in for discounts to penalties if you opt-out is a trend we’ve seen in retail over the last few years. Today, if I don’t provide a rewards card at the gas station, I have to pay 16 cents more per gallon. That’s what my personal information is worth to them, and it’s a hard profit for them to ignore. This oozing market-backed privacy blight will continue into your connected home. And while privacy pundits will continue to balk, marketers will be very motivated to grab every scrap of your data.
All the tech to make it happen already exists.
Next, expect platform manufacturers’ insatiable hunger to consolidate the home-data harvesting empires onto their own platforms. Think Android and iPhone years ago. The eventual winners (among many entrants) now have a duopoly on your mobile experience. The same will happen in your home.
All of this will make data breaches that dump your private “fingerprint of your life” onto the web very painful to recover from. You’ll have to reset your whole house. Which will be tied to your car. Which will be tied to your work. Which will be tied to your bank account.
Can we stop this with better laws? Maybe. In the EU, there are legal actions aimed at sending a cooling signal to overzealous data collectors, and a clearer history of favoring privacy. There are similar examples forming in the U.S., and we expect such legislation to expand and spread to other markets worldwide soon.
What can you do in the meantime? Log into the devices you buy and uncheck a bunch of over-sharing boxes, likely enabled by default. If you don’t need your device to interact with the cloud, disable that. Uncheck boxes that offer sharing of information for “a personalized experience”. That means they can watch all your activity, then flood you with advertising. You can watch forums for product-specific security tips and learn how to disable unnecessary functions; YouTube often has great tutorials on popular devices.
Opting out continues to be more painful. A colleague of mine bought a new home entertainment system – every piece of it had an app for you to install if you want to configure more than basic functionality.
Using a VPN can offer some protection, for example by thwarting some geolocation tracking. But if your device knows who you are and interacts with cloud services using a unique identifier or other fingerprinting techniques, those services will know where you are anyway. Still, VPN use is a good idea for lots of security-related issues, so it’s generally beneficial to have.
But if hackers can somehow break into any of your devices and listen in on your home and capture your voice, they can pretend to be you and do creepy things like send ransomware threats to people you love. Enabling multifactor authentication (MFA) on sensitive logins can help prevent these creepy hacks from harvesting and using your credentials if they gain access to your home network. But you still don’t want them there.
So maybe less-connected home devices are more. After all, do you really need a robot to get you a new roll of toilet paper (yeah, that was a thing at CES) in the unfortunate event you are mid-task and unable? How have we survived for generations without this? We mostly managed. We bought a few extra rolls and invested in close-proximity storage. You are, of course, free to get a toilet paper-fetching robot, but does it really need to be connected to the network? It’s a question we all need to take more seriously.