It feels like every week there’s a new story about a smart home being hacked. From a Nest Camera convincing a US family that North Korea was about to attack to an Amazon Echo being turned into a spy device, you’d be forgiven for thinking smart devices aren’t secure.
But, let us assure you, if a manufacturer takes the right steps, by investing and testing, the devices which make up the Internet of things (IoT) are totally secure.
How can a smart device be hacked...
There are two main ways. The first, a vulnerability is missed during the device's development. With budgets and deadlines, tech teams under pressure to deliver, so it's difficult to check every nook and cranny for computer bugs. Even huge companies like Apple miss things, recently a bug was found in FaceTime that lets users eavesdrop on one another.
In an ideal scenario, the bug is exposed by a friendly tech enthusiast and it’s fixed quickly via a patch - this is how the FaceTime bug was repaired. Unfortunately, this isn’t always the case and sometimes the bad guys get there first.
The second most common attack is when your login credentials get stolen. In individual attacks, the criminal will target you with things like fraudulent emails or malware. On a larger scale, teams of hackers (sometimes Government-backed hackers) will steal huge customer databases from multinational companies. From Yahoo to the Marriott Hotel, there have been too many high profile cases in recent years.
Once a hacker has obtained your details, they’ll use them for what’s called “credential stuffing.” This is where the hacker wanders from website to website, plugging your credentials in until they work. So many people reuse passwords that this tactic has a scarily high success rate.
Remember, it’s down to you to protect yourself. By learning about online security measures you can ensure that you’re never a victim of a cyber attack.
Top 10 things to keep your smart home secure
1. When 2-factor authentication is an option use it
With two-factor authentication (2FA) you’re asked to enter a secondary form of verification after the username and password. This creates a second layer of security which can stop the most persistent hackers.
Most banks use 2FA as standard, and will text you a unique code if you're logging in from an unfamiliar device. Facebook has always been a bit more creative, asking you to identify people in photos.
The consequences of neglecting 2FA can be serious; recently a hacker spoke to a baby through a nest security camera before hiking up the central heating. 2FA would have prevented this.
2. When it comes to passwords, length is strength.
Make sure your password is unique and at least 12 characters long. It also helps if you don’t use full words, for example MySecurePasswrd is far more secure than MySecurePassword simply because it’s missing the "o".
Adding numbers and symbols helps, but not at the expense of character length. The password H@GG1s! is way less secure than haggis-is-tasty which is more than double the characters (15 vs 7). Also, hacking software knows exactly which letters can be replaced with numbers or symbols, so don’t try that either.
With a good password you won’t fall victim to a "brute force" attack: a trial-and-error method where a computer submits thousands of passwords, using common words and patterns, to gradually narrow it down.
To help you remember all the different passwords, we’d recommend using a password manager like LastPass or Dashlane. There are also some built-in options like Keychains for iOS or Password Manager for Google Chrome.
Also, to secure your smart home you should remember to change your broadband network’s name to something obscure. Naming it “William’s Wi-Fi,” for example, is not ideal. Pick something like your favourite movie or car model. You could even go for something funny that your neighbours will see, like “Pretty Fly for a Wi-Fi” and “The LAN Before Time.”
3. Create a Secondary or ‘Guest’ Network
Every broadband supplier allows you to create multiple networks on your wi-fi router, most commonly used to create a kids’ networks with parental controls or a guest network for visitors. Well, you should do the same for your smart devices. Create a separate wi-fi network so that your IoT devices operate separately from personal devices like your laptop and phone.
Note: when you create a new network, if it allows you to choose between WPA and WPA2, make sure you choose WPA2. This is the standard encryption method throughout the world.
4. Get those bugs patched
One of the most common ways to target a smart device is by exploiting a vulnerability that the developer has missed. It’s also one of the easiest issues to address - you simply update the device. These days you don’t need to look too far for an update; you’ll usually get a notification on your phone or laptop from the tech brand.
5. Disable features you don’t need
Smart devices come with a variety of features such as remote access, often enabled by default. If you don’t need it, be sure to disable it.
6. Works with Alexa? NSI certified? Check for these ....
You can take comfort in big tech certifications, like the “Works with Alexa” and “Works with Apple HomeKit” badges. These are awarded to devices which meet certain standards in responsiveness, reliability and functionality.
If you're buying a smart security device look for relevant certificates. In the UK a smart alarm needs to be certified by either the National Security Inspectorate (NSI) or the SSAIB if you want a police response.
7. Don’t access your smart device via a public Wi-Fi network.
Public Wi-fi has very weak security protocols, and information transmission is generally unencrypted. If the hacker manages access the Wi-Fi router then they can easily intercept your information without you noticing. This is what’s called a “man-in-the-middle” attack.
If you want to control your smart device while you're out and about, simply use 3G / 4G. You can check your CCTV or turn on your central heating with complete peace of mind.
8. If you insist on using public Wi-Fi, make sure it's legit.
There is another man-in-the-middle attack called “Evil Twin,” where the hacker creates a Wi-Fi network to mimic a public one nearby. For example a hacker might name a network Free_Cafe_Wifi next to a Starbucks. This technique is particularly dangerous because the hacker can place login pages in front of you, prompting you to enter in personal details.
The simplest way to avoid this threat is to not use public Wi-Fi. If you have to use it, ask a cafe employee what the Wi-Fi is called.
9. Keep your phone and smart accessories locked and stashed
A simple but important one. Make sure your smartphone has a passcode that isn’t easily guessed.
Additionally, you should keep track of portable smart home accessories. These days smart alarms come with key tags, allowing you to easily set and unset your alarm by hovering them in front of a panel. If you or another keyholder loses a key tag, make sure you deactivate the tag on your smartphone until you find it.
10. Buy from brands who give a damn about Cybersecurity
Not every brand is willing to invest in cybersecurity, beware of the “poundshop” brands you see on Amazon or Ebay that boast good reviews and low prices. Do your research: look up the brand’s website and check what news-sites and forums say about them.
It’s also worth checking whether the brand encrypts all your personal content. Ring is known for not encrypting customers’ videos because of Ring leadership’s “sense that encryption would make the company less valuable.” Earlier this year, this created a storm when allegations arose that Ring’s Ukraine-based employees had unfettered access to video created by Ring cameras.
And what about Boundary?
As well as preaching the virtues of smart device security, we’ll also be doing our bit. We intend to use industry recommended X.509 encryption extensively to protect all data sent to and from our servers. Additionally all of our staff must pass criminal background checks to allow them to work at Boundary. We will also be adding 2-factor-authentication as standard and we’ll be incorporating castle.io - a tool which alerts not only us, but our customers if there is any suspicious activity on their account
Want to be the first in the know about all that’s happening here at Boundary? Sign up to our newsletters to hear our latest updates, including information on our Kickstarter campaign and how you can be one of the first to get your hands on our groundbreaking smart home intruder alarm.