Smart home complexity is its own security risk

Quick, how many connected devices are in your home? If you have more than 10, then you are courting a level of complexity that will burden you rather than make your life easier, according to a new report from TrendMicro. For anyone with a plethora of connected devices in their home, this isn’t news, but it is part of a rarely discussed phenomenon that will affect how widely the market for smart homes can expand and the security of such products.

Security firm TrendMicro took on the complexity of smart homes and issued a report this week that I think is a must-read for anyone in the industry. Such complexity also has implications for the folks deploying connected gear into an enterprise setting, although those staffers will have more resources to draw on.

Let’s dig in.

The report is primarily focused on the smart home, which TrendMicro breaks down into two categories. The first is for those that are purpose-built, in that they employ dedicated and sometimes proprietary protocols that are wired directly into the house. In such cases, there’s likely wiring to every room and a server closet somewhere in the home from where all of the devices are managed. The other category, which is more common to my readers, is what TrendMicro calls a “bolt-on” smart home.

To research complex smart home environments, TrendMicro built one of each type of smart home and controlled them using two different home automation platforms. In Germany, TrendMicro used open-source home automation server FHEM and protocols such as EnOcean to manage more than 70 devices as part of a purpose-built smart home. In the U.S., it added some 30 connected devices — such as an Ecobee thermostat and Hue bulbs — to create a bolt-on smart home. It managed the U.S. home using Home Assistant, a home automation server that runs on dedicated computers, like a Raspberry Pi.

Both smart homes, with their many devices and their reliance on a centralized hub that connects to the internet, were found to be vulnerable to a variety of attacks. Those attacks were as simple as finding an exposed automation system and using it to monitor people in their homes using sensors and cameras, to more complex attacks that involved creating a virtual device and inserting it into the network to fool the system.

What’s disconcerting is that the more devices a user chains together to create a routine or automation, the more likely it is that the systems will glitch or get pulled into some type of attack. For example, if I enable some type of presence detection around the home using Bluetooth or other sensors and then tie that to my doors locking or unlocking, a hacker might just create a virtual sensor in my online automation server that “looks” like me, and in the process, also be able to lock or unlock my doors.

Far-fetched? Maybe today, but TrendMicro also discovered that a lot of these automation servers are online and showing devices to anyone who looks. Some of those devices could even be remotely controlled. More shocking is that when TrendMicro scanned for those servers, they found some from open-source groups but also from commercial vendors.

That means it’s not just super nerds who might be exposed; small businesses and consumers who have paid for a commercial system could also be at risk. As a person who is well aware of how these complicated systems can create hours of headaches for users just to keep them working, the associated security risks were unsettling.

I mean, I already spy on my family using our sensors and notifications when I’m out of town. I know when they leave the house, can tell when my husband is working out, can ensure my daughter goes to bed — I even know when someone gets out of the shower. It’s honestly pretty creepy, even though they know I have this access. Imagining that someone else could see all those things and add new features or elements to routines without me knowing is gross.

So what might stop this? TrendMicro goes through traditional ideas such as avoiding hard-coded passwords, regularly changing passwords, and limiting the number of devices on the network. However, the company also suggests some things I wish the industry was moving more aggressively on, such as ensuring that every device type is categorized and known to the network. That kind of visibility helps by letting consumers understand what’s on their network, but it also helps firms building automation hubs create logical rules for specific device types.

For example, there’s probably no reason for my light bulb to talk to my thermostat or for my oven to talk to my door lock. Certain devices might need rules that prevent them from talking to external web servers that aren’t run by their manufacturer. Essentially, as these networks get more complicated and the things connected devices control play more of a role in our security and comfort at home, we’re going to need enterprise-level network security products that are designed with consumers in mind.

Already companies including TrendMicro are building such services for the smart home. Comcast just launched one, Eero provides one, and consumers can also buy standalone devices from BitDefender and Cujo. It won’t help with the human need for AI to help manage more than 10 connected devices in the home, but it will help secure them.