By now you’ve probably read last week’s story about the former ADT employee who tapped into home security cameras and watched private moments nearly 10,000 times over a five-year period. He was able to do this because he quietly added his email address to customers’ ADT accounts for remote access.
This isn’t the first such incident either. Although the situation is different, employees at Amazon-owned Ring were fired in early 2020 for accessing customers’ camera footage stored on the company’s servers. And we’ve seen unauthorized users tap into Nest cameras in the past because the account holder’s password was stolen, enabling outsiders to see inside a person’s home.
These and other similar privacy invasions surely give some consumers pause when outfitting their homes with connected devices. And they should: Our homes are our most private spaces where we should feel at ease and comfortable. So when adding smart devices to your home, there are a few key privacy features you should be looking for on your devices and specific actions you should take.
Two-factor authentication: A necessary inconvenience
Before buying a connected camera, speaker, home security system, or even a smart home hub, look to see if the company supports two-factor authentication or 2FA. This is a secondary authentication method used in addition to your device account password. If your account credentials (think ID and password) are compromised, 2FA can still keep the bad guys out because the second factor is an always-changing piece of data.
Device makers have slowly been adding support for 2FA, but not all of them offer it. I’d steer away from those that don’t because they’re not offering that crucial second layer of protection. For example, anyone with the ID and password to your smart camera account could log in as you and remotely view live footage. With 2FA, however, they wouldn’t be able to do that.
Some device makers use SMS or text messaging to send you the 2FA data, typically a numeric code, and that’s better than not having 2FA enabled. However, this mechanism isn’t encrypted and can be intercepted or spoofed.
A better alternative is to enable 2FA with a third-party authentication app, such as Authy, Google Authenticator, or Microsoft Authenticator. These and other similar apps create a one-time code for the second authentication factor and the codes typically expire in 30 seconds. Yes, it can be a pain to enter in a second credential when updating accounts or adding device access to a new household member. However, it’s a minor inconvenience compared to having strangers look in on your smart home.
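How those 30-second codes are generated and checked, as an added example that is not from the original article: it follows the public TOTP standard (RFC 6238), uses that RFC's published test secret rather than a real account secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays valid
DIGITS = 6    # code length shown by authenticator apps

def decode_enrollment_secret(b32: str) -> bytes:
    """Decode the Base32 secret shared once at enrollment (the QR code)."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, submitted, unix_time, last_used_step=-1, drift=1):
    """Server-side check: return the matched time step, or None if rejected.

    Allows +/- `drift` steps of clock skew and refuses any step at or before
    `last_used_step`, so a code that was already accepted cannot be reused.
    """
    now_step = unix_time // STEP
    for step in range(now_step - drift, now_step + drift + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret, step * STEP), submitted):
            return step
    return None

# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
SECRET = decode_enrollment_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    t = 1111111109
    code = totp(SECRET, t)
    step = verify(SECRET, code, t)
    print("code:", code, "accepted at step", step)
    print("reused:", verify(SECRET, code, t, last_used_step=step))
    print("next step, no skew allowed:", verify(SECRET, code, t + 2, drift=0))
```

The secret never travels after enrollment; only the short-lived code does, which is why a stolen password alone is not enough to log in.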
App notifications for account changes are key
Part of the reason the former ADT employee was able to add himself to customer accounts is that the customers simply weren’t notified of his actions.
Most smart home device apps are good about informing you of account changes, but not all of them are. Look for devices that do include such notifications in their app so that if someone is added or removed from the account, you are immediately notified.
Also, if you can add multiple device administrators, that’s a benefit. I’ve seen too many stories about one person in a home victimizing another through connected devices and there was little the latter could do about it.
Visual indicators on cameras and speakers
If a skilled hacker is accessing the cameras or speakers in your smart home, they can very likely turn off any visual cues that your device is actively watching or listening to you. But most such intrusions to date are more basic, with remote access simply enabled. For that reason, lean towards smart devices that have some type of visual indication of activity.
I personally prefer webcams that have a small LED when they’re actually viewing the inside or outside of my home, for example. Not all of them do. The same goes for smart speakers and smart displays: When they’re recording audio or video, I want to see some indication that lets me know I’m using the device.
If those cues are on when it’s quiet or I think the cameras are off, I know that my privacy is very likely compromised. On a related note, some smart devices equipped with cameras have privacy shutters to cover the camera sensor. These can be physical or electronic shutters to disable remote viewing access; I’d trust a physical switch over an electronic one personally.
Full end-to-end encryption of your data
Many security cameras and video doorbells on the market send video footage to the cloud, which can be great. If you need to go back and review a particular incident, like when our parked car was hit in front of our house, it’s easy to do. That convenience can come with a cost though if the data isn’t fully encrypted.
Before any device purchase, check the company’s approach to encryption. It’s great (and fairly common) if they encrypt the data on their servers but that only helps you if their server is hacked. You also want your home’s audio or video history encrypted as the data is sent up to the cloud.
In 2018, Apple introduced this with its HomeKit Secure Video service that some camera makers have incorporated. Not every device maker implements this type of encryption though, so research before you buy. Or you can do what I do: Look for devices that record and store your private data locally.
One of the reasons I prefer the low-cost WyzeCam devices is that I’m in charge of my data: It’s stored on a microSD card within the device, so third parties generally don’t have access to it. The exception is if you opt in to advanced services such as person detection. Unless the device has AI capabilities to analyze and act upon data, it has to rely on the cloud.
Don’t buy devices you don’t need
Although this might sound somewhat silly, the more connected devices you add to your smart home, the more privacy threat vectors you’re introducing.
Do you really need a cheap knockoff showerhead to stream tunes during your morning shower, telling hackers when they have a 10-minute window to break into your home? Aside from the running water, the music will help drown out the sounds of a break-in.
I actually have a connected device that fits this category, and no, it’s not a showerhead. It’s my connected door lock. Don’t get me wrong, I love that I don’t have to carry a house key with me. I just use the capacitive touchpad and enter a keycode to get in the house. And I appreciate the automation I set up to lock the door if it’s been unlocked for more than five minutes.
Outside of those situations, I really haven’t taken full advantage of the connectivity though. I’ve never had to remotely open the door for a delivery or to check on our dog, for example. The benefit of having the smart lock is pretty minimal when compared to the potential of providing information about my comings and goings. I’m actually thinking about just using the keypad feature and turning the connectivity off. Sure, I’ll lose my auto-lock function, but I think I can live without it.
While stories of privacy breaches can certainly scare you away from building or expanding a smart home, there is a way to be smart when choosing your devices. Pick the right ones that protect your privacy the most and make sure you’re following best practices when securing your accounts. Your home is sacred but it can still be smart while protecting your privacy.
Fazal Majid says
For 2FA, the most secure option is to use a USB key supporting the Webauthn/FIDO2 or FIDO U2F protocols, like Yubikeys. Unfortunately very few sites support them.
6-digit TOTP code generators like Google Authenticator are vulnerable to phishing, and SMS-based 2FA is actually worse than nothing: it’s security theater (SMS can be intercepted with less than $1000’s worth of Software-Defined Radio hardware) and it provides a false sense of security.
Afton Jackson says
Thank you so much for helping me understand why two-factor authentication is important for security systems. I’ve always wondered why people are so averse to having these kinds of systems in their houses since these are the kinds of things that are supposed to protect you. Now that I know what to look for, I’ll make sure I talk about this with any security system contractor in the area that can help me out.
Pete Staples says
Although the alliance is relatively young, this article ought to mention ioXt as an industry-led standard for raising the bar for security in connected devices: https://www.ioxtalliance.org/
It is much quicker and easier for consumers to look for a logo than to study security specifications.