Can the smart-home industry cope with growing cybercrime threat?

Joan McGuire

The Internet of Things adds new layer to cyber risk.

Share this article!

Burglars of the future won’t need to pick locks. They could steal the front door PIN that you type into your smartphone.

Arsonists will no longer need to kindle a match. They could press a button to overheat a smart oven.

Hackers could trigger a fire alarm. They could disable a home’s “vacation mode setting,” which keeps the lights and security system on alert. They could hijack your remotely controlled cameras.

“The risks are quite serious,” said James Motley, vice president of engineering at IOTAS Home, a Portland company that installs smart devices in new properties. “We’re dealing with a lot of devices with Wi-Fi and Bluetooth connections that can be easily hacked.”

We have entered the age of the “Internet of Things,” in which computers are embedded in our watches, refrigerators and cars. Now experts worry these “smart tech” features will create heightened cyber security risks.

“You just need a smartphone, and a lot of these apps are available on the Internet,” said Brandon Nesbit, a Portland-based senior managing consultant at Kroll, a cyber security consulting firm. 

Related Story: On the Scene: Cybercrime threatens U.S. manufacturers

University of Michigan researchers examined vulnerabilities in SmartThings, a platform Samsung developed for creating a smart home. SmartThings offers an app store with around 500 options from third-party developers. The researchers tweaked some of these SmartApps to steal data and make covert changes after users downloaded the apps onto their phones.

The researchers created one app, disguised as a battery level monitor, that recorded a user setting a new PIN number, then texted it to a hacker. Another app they created programmed a second PIN into a home’s electronic lock, essentially creating a spare key.

“You just need a smartphone, and a lot of these apps are available on the Internet” —Brandon Nesbit

Researchers have also pulled off hacks with smart vehicles. In one study they remotely stopped a car. Hackers could even tamper with a car’s GPS or smart cruise control to cause a collision. 

Even parking isn’t safe. A Smart Garage broadcasts signals that hackers could tap into to tell whether the owner is home.

Although these attacks sound terrifying, Nesbit says many of these attacks are difficult to execute. They require a lot of time, effort and familiarity with a given home.

Still, Motley takes the threat seriously. A successful cybercrime could devastate IOTAS’ business.

“Big companies that have a lot more money than we do are getting hacked,” he said. “And our company might not recover in the way Google would.”

IOTAS tries to subdivide connections between devices as much as possible. If one device gets hacked it won’t hand over information on other devices. It’s similar to guerilla fighters creating a network of isolated cells to guard against leaks.

“Big companies that have a lot more money than we do are getting hacked. And our company might not recover in the way Google would.”

—James Motley, IOTAS Home

Motley’s team hand selects every light switch, wall socket, motor sensor and other smart device IOTAS installs. His home has become a laboratory for testing new products. He prefers manufacturers who build in end-to-end encryption.

“It doesn’t come down to the brand name as much as the effort they’re putting into security,” he said.

IOTAS prefers not to leave device selection or set up to the “whims of the user,” Motley said. Devices are most vulnerable during the pairing process, so IOTAS sets up the connections during construction, when no one is around.

Motley generally avoids smart door locks all together. As the University of Michigan study demonstrated, these are among the most vulnerable smart devices. Some even rely on voice recognition. To break in, Motley said, “someone just has to yell outside your door.”

In the case of a hack, the cyber insurance policies currently on the market often don’t pay out enough for companies to recoup their losses, so it’s key to be proactive. 

“Security isn’t something that just happens,” Nesbit said. “You have to work for it.”