Security of IoT: Do Your Devices Compromise Your Home Privacy?

Adjusting your home thermostat while away on vacation or checking on your kids via your in-home nanny camera are conveniences of the modern technology age. But, are you the only one getting into your home?

In light of recent events in the news with Facebook, Cambridge Analytica, and the emerging idea of big data collection, concerns about personal data privacy and its collection are on the rise. How do you protect your personal data when using smart devices like Alexa or Google Home Assistant in your home? We talked to technology and security experts to gather their tips and insights on how to keep your home secure and private.

The Rise of IoT Home Devices

The Internet of Things (IoT) includes devices such as wearables, appliances, and vehicles that transfer data over a network. But it’s much bigger than just a couple devices talking to each other through your home WiFi — it’s an ever-growing ecosystem of networks, databases, and devices transferring and sharing data. The number of IoT devices will skyrocket to 20.4 billion by 2020, according to a 2017 Gartner report. What does this mean for your home’s privacy?

Sadie Cornelius, who is a marketing expert at Safe Smart Living, where she’s been writing about smart home living, personal finances, wearable tech, security, and identity theft since 2014. Having more than a decade of experience in digital and traditional media, she also leads brand management, social media strategy, and overall marketing initiatives for Safe Smart Living. Cornelius states that your entire home network — and all of your personal data — is vulnerable if a hacker gets into even one device.

Any device connected to your home’s network, including smart speakers like Alexa and Google Home, can be vulnerable to an attack. Once hackers find a way in, your entire home network is up for grabs.

We know that these devices are collecting data (including how often we come and go from our home when we are home or not, how we regulate the lights and temperature of our home) but we don’t know to what extent they are using the data.

Darren Guccione is CEO and Co-founder of Keeper Security. With extensive experience in product design, engineering, and development, he is regularly sought after as a cybersecurity expert. Guccione describes how IoT devices send outbound information despite typical security measures, which can leave your home’s privacy and data security vulnerable to attacks.

You're essentially giving that device full access to your network, behind your firewall and router. Most firewalls in the consumer world only block inbound traffic, allowing any IoT device that has malicious code on it to exfiltrate information out of your network making these devices possible surveillance devices for hackers.

So how much of your data is at risk? Greg Miller, President of CMIT Solutions, provides IT support and technology services to small and medium-sized businesses throughout Orange County, New York. Miller argues that all your data is potentially vulnerable.

All software has bugs. Bugs can provide a method for unauthorized access to your IoT devices. Therefore, all data used by your IoT device must be considered at risk.

Any personal information that is made public, by the consumer, by the product vendor, or by more nefarious means, adds the risk that the consumer will become a target of a scam or social engineering attack.

Protecting Yourself from IoT Data Leaks

It takes two minutes or less of being connected to the internet for IoT devices to be compromised, according to findings in the 2017 ISTR report by Symantec. Once security is lost, so is privacy.

George Brostoff, Co-founder, CEO, and Director of Sensible Vision, has been an industry-recognized entrepreneur in the computer, security, and communications industry for more than 20 years. Enhanced authentication is an additional security measure that is becoming more and more essential.

Today, the best solutions for secure authentication leverage tiny 3D cameras, dedicated mobile AI [Artificial Intelligence] chips and powerful software to manage access. The use of 3D face authentication for Smart Home devices is an area ripe for innovation.

Adoption of 3D, AI-driven face authentication will revolutionize how people access their smart home devices and will not only improve and simplify the customer experience by providing a much more intuitive interaction, but also increase the level of protection for personal information.

There are some immediate actions homeowners can take to safeguard their family’s data privacy. Sadie Cornelius (of Safe Smart Living) offers this additional advice on monitoring and protecting the data trails generated by your IoT devices.

Theoretically, services like Alexa and Google Home are using our smart home search inquiries and purchase history to help better serve the end user and re-target other related products [or] services based on our anticipated usage and behaviors. However, most should have pretty strict privacy policies in place as far as selling data to third-party companies without a consumer’s permission. And as with your online search history for home assistants, you can delete your user data and control your privacy using their apps to add an extra layer of security.

It’s been known for years that computer cameras and smartphones are potential hacking targets. And while firewalls and other security measures can prevent intrusions from the outside, IoT devices present a new avenue of opportunity for privacy invaders.

IoT and Privacy: Smart Speakers

Smart speakers, such as Google Home and Amazon Alexa, offer a ton of convenience. You don’t have to do anything but talk to have a smart speaker order a pizza or turn off the lights. But, smart speakers can record conversations — even when you’re not talking to them.

Mitchell Klein, Executive Director of Z-Wave Alliance, is a leader in smart home and IoT and has over 30 years in the industry of IoT, consumer electronics, home automation, and the integrator market. Manufacturers create these smart devices with good intentions of making your life more convenient, but you still need to be smart with the devices you bring into your home.

Thanks to smart speaker devices like the Amazon Echo and Google Home, smart home products are becoming more mainstream, user-friendly, and affordable.

Manufacturers may collect data broadly about usage patterns generally in order to predict and learn about consumer habits and living patterns. That idea makes some uncomfortable, and it’s important to research and understand what each brand you bring into your home is doing with your information and data.

It’s equally important to make sure the devices you allow into your home are secure and protected from cyber intrusion and hacking. Do some research into what type of layered security is offered by each product manufacturer you bring home.

Scott Amyx is an author and internationally recognized thought leader, venture capitalist, and speaker on exponential technologies and the Fourth Industrial Revolution. He advises to erase conversation histories or turn the microphone off on Google Home and Amazon Alexa when not in use.

Aside from [deleting recordings and interactions], depending on the nature of conversation that you're having near the systems, simply turn it off. Going to another room may not be sufficient.

A Checklist for IoT Data Security

You don’t need to be afraid of technology, just be smart with it. There are some security measures you can take so that your IoT devices (and your home) don’t fall prey to a hacker.

1. WiFi router — Wired Equivalent Privacy (WEP) protocol is outdated security that’s easily hacked. Use WiFi Protected Access II (WPA2) protocol, with all the security settings turned on, and set up a strong, complex password. Name your WiFi signal with non-identifiable information, not your surname.
2. Guest network — Most WiFi routers have guest networking so an internet connection can be made without gaining access to network devices. Put IoT devices on the guest network if you are unsure about their security.
3. Passwords — Don’t reuse passwords. If a hacker gains access to one device, an attempt is often made to hack the other devices with the same password. Also, don’t use the WiFi password that comes on the router manufacturer box. There isn’t any regulation or standard for security protocols of IoT devices, which means the manufacturer password is only as strong as what the manufacturer believes is necessary.
4. Universal plug and play (UPnP) — Although UPnP is an easy way to network devices, it does so without configuration and makes it easy for hackers to discover all your network devices from beyond your local network. Turn off UPnP.
5. Personal information — Limit the personal information that you provide to only what you are comfortable making public.
6. IoT connections — Make sure your IoT devices have all security settings enabled to minimize risk of unauthorized access. Only link IoT devices to the internet if absolutely necessary.
7. Smart Speaker/Home Assist — Products like Amazon Echo and Google Home are always listening. “Mute” the device when you have a sensitive conversation to prevent the device from recording conversations. Use any web service’s settings to limit how it can use your data.
8. Default settings — Many IoT devices come with services such as remote access default-enabled. Turn off features and services that you don’t need.
9. Wired connections — Wired connections are harder to hack. Use wired vs. wireless connections when possible.
10. Firmware updates — Check the device manufacturer’s website regularly for firmware updates. These are security patches that fix vulnerabilities. Set your devices for automatic updates when possible, or manually check for updates frequently
11. Firewall — Install a firewall for the network with a stand-alone appliance or software that comes with the router. This restricts incoming connections.
12. Unified threat management appliance (UTM) — Install a UTM if you have an extensively networked home. This can detect and prevent breaches, manage the internet gateway and offer network antivirus protection.
13. Secure authentication — Use two-step or facial authentication when possible. This added layer of security helps prevent hacks.
14. Security software — Install such software on mobile devices used to control IoT devices. It’s easier for hackers to access an IoT device, such as a smart thermostat, via a malicious app versus hacking the device directly.

Learn more about safeguarding your home and your family with our Home Security Experts’ Tips and Tricks roundup.

Be Smart with IoT Security and Privacy

You can enjoy the convenience of smart devices, just be proactive in making sure you’re using the security measures and privacy settings that you need.

The views, information, or opinions expressed in this blog do not necessarily represent those of PennyMac Loan Services, LLC and its employees.