Don’t overlook security features when buying smart home devices
31 January 2021
By now we’ve all heard the horror stories about hackers accessing people’s networked home cameras and baby monitors. I wanted to take a deeper dive into smart home security as a follow-up to last week’s post. Last week a story broke about a former ADT employee who tapped into home security cameras to watch thousands of private moments over a 5-year period. He was able to do this because he quietly added his email address to customers’ ADT accounts for remote access.
And this isn’t the first time this kind of thing has happened. Although the situation is different, employees at Amazon-owned Ring were fired a year ago for accessing customers’ camera footage stored on the company’s servers. And unauthorized users tapped into Nest cameras in the past because the account holder’s password was stolen, enabling hackers to see inside a person’s home.
These and other privacy invasions make smart home consumers hesitant when deploying connected technology in their homes. And they should be. Our homes are our most private spaces and we should feel completely comfortable there. When adding smart technology to your home, there are a few significant privacy features you should be looking for on your devices and specific things you should do.
Before buying a connected camera, speaker, security system or smart home hub, you should see if the company supports two-factor authentication (2FA). This is a secondary authentication method used in addition to your device account password. If your ID and password are compromised, 2FA can still keep the bad guys out because it’s an always-changing piece of data.
Smart home technology companies have slowly been adding support for 2FA, but not all of them offer it. My recommendation is to avoid those that don’t, because they’re not offering that critical second layer of protection. After all, you wouldn’t want anyone with the ID and password to your smart camera account to log in as you and remotely view live footage. With 2FA they wouldn’t be able to do that.
Some device makers use SMS or text messaging to send you 2FA data, usually a numeric code, and that’s better than not having 2FA enabled. However, this mechanism isn’t encrypted and can be intercepted or spoofed.
A better alternative is to enable 2FA with a third-party authentication app, such as Authy, Google Authenticator, or Microsoft Authenticator. These and other similar apps create a one-time code for the second authentication factor and the codes typically expire in 30 seconds. It’s a minor inconvenience compared to having strangers snooping in your smart home.
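To show why a stolen password alone is not enough and why the codes expire, here is an added example (not from the original post) of the time-based one-time password scheme from RFC 6238 that authenticator apps of this kind use. The shared secret is the RFC's published test key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # each code is tied to one 30-second window
DIGITS = 6

# Constructed sample secret: the published RFC 4226/6238 test key.
# A real account gets a random secret at enrollment (the QR code).
SHARED_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Code the app displays at unix_time: HOTP of the time-step number."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


def verify(key: bytes, submitted: str, unix_time: int,
           last_used_step: int = -1, drift_steps: int = 1):
    """Server-side check. Returns the matched time step, or None.

    Accepts codes from +/- drift_steps windows to tolerate clock skew,
    and refuses any step at or before last_used_step so a code that was
    observed once cannot be replayed.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step), submitted):
            return step
    return None


if __name__ == "__main__":
    code = totp(SHARED_SECRET, 59)
    print("code shown at t=59:", code)
    print("accepted at t=59:", verify(SHARED_SECRET, code, 59))
    print("same code two minutes later:", verify(SHARED_SECRET, code, 179))
    print("same code replayed:", verify(SHARED_SECRET, code, 59, last_used_step=1))
```

The server stores the step returned by a successful `verify` and passes it back as `last_used_step` on the next login attempt.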
Part of the reason the former ADT employee was able to add himself to customer accounts is that the customers simply weren’t notified of his actions. Most smart home device apps are good about informing you of account changes, but not all of them are. Look for devices that include notifications in their app so that if someone is added or removed from the account, you are immediately notified. Also, if you can add multiple device administrators, that’s a benefit in the event of equipment or administrative issues.
If a hacker accesses the cameras or speakers in your smart home, they will very likely turn off any visual cues that your device is actively watching or listening to you. Most similar intrusions are more basic, with remote access simply enabled. For that reason, you should look for smart devices that have some type of visual indication of activity.
I’d recommend devices that have a small LED that lights when they’re actually in operation at your home. But not all of them do. Personally, I want to see some indication that lets me know I’m using the device.
If those indicators are on when it’s quiet or I think the devices are off, I know that my privacy may well be compromised. Some smart devices equipped with cameras have privacy shutters to cover the camera sensor. These can be physical or electronic shutters to disable remote viewing access; I’d trust a physical switch over an electronic one personally, again due to remote access concerns.
Many security cameras and video doorbells on the market send video footage to the cloud. This is convenient and allows for playback: if you need to go back and review footage, it’s easy to do. That convenience comes with a cost, though, if the data isn’t fully encrypted.
Before any device purchase, check the company’s stance on encryption. It’s fairly common for companies to encrypt the data on their servers, but that only helps you if their server is hacked. You also want your home’s audio or video data encrypted as it’s sent to the cloud.
In 2018, Apple introduced data encryption with its HomeKit Secure Video service that some camera makers have incorporated. Not every device maker implements this type of encryption, though. Do your homework before you buy. Your other option is to look for devices that record and store your private data locally. I’m looking into this as part of our smart home plan, as I plan to have a NAS (Network Attached Storage) on our network for file backup, music for whole home audio, favorite movies, etc.
One of the reasons I prefer the camera devices from Wyze (besides the low cost) is that I control my data. I have a camera I test with and store data on a microSD card within the device, so third parties generally don’t have access to it. The exception is if you opt in to advanced services such as person detection. Unless the device has AI capabilities to analyze and act upon data, it has to rely on the cloud. But always remember that the more connected devices you have in your smart home, the more privacy threat concerns you’re introducing to it.
I’ve also been looking into connected door locks. I love the idea that Debbie and I don’t have to carry a house key. Many use a capacitive touchpad and you enter a keycode to get in the house. And automations can be set up to lock the door if it’s been unlocked for more than five minutes or if either of us leaves the house.
Another benefit of smart locks is to remotely open the door for a delivery or family that needs to get into the house. Ultimately, the benefit of having smart locks is pretty minimal when compared to the potential of a breach or unauthorized access to data around our comings and goings. Until the technology becomes more mature, another option may be just using the keypad feature and turning the connectivity off. It would eliminate the auto-lock function, but we’re used to locking up our home manually anyway.
While stories of privacy breaches can certainly scare anyone away from building or expanding a smart home, there is a way to intelligently choose your devices. Pick the right ones that protect your privacy the most and make sure you’re following best practices when securing your accounts. Your home should be secure and comfortable, but it can still be smart while protecting your privacy. A lot of these things sound really technical or complicated but really aren’t if you do a little homework. Remember, your privacy could be at stake.
Debbie and I are still a long way off from final decisions about the smart home technology we’ll end up installing. But security will be top of mind as we move forward to protect ourselves and our family. If you’re new to smart home, security should be a concern of yours too. Standards in smart home technology are starting to surface but are still uncertain at this point. Don’t let this scare you off; just do your homework.
As always, we’d love to hear your comments about this post, others or something new you find interesting — I’m always looking for interesting new topics to cover. Please leave comments or shoot us an email. Until next week, stay safe out there.