3 tips to secure your connected home
MOUNTAIN VIEW, Calif.—Google’s voice-activated Assistant is about to get an impressive power boost. At its annual Google I/O developer conference here Tuesday, the company revealed a new Assistant feature that can carry out an entire phone conversation on your behalf.
The feature, called Google Duplex and available on its Google Home, Android, Chromebooks, and other devices, has been in development “for many years,” CEO Sundar Pichai told the crowd of more than 6,000 Google developers and media.
“We’re still developing this technology, and we want to work hard to get this right,” he said. Google designed Duplex to help consumers do daily tasks like schedule hair salon appointments and make restaurant reservations, even when the human on the other end of the call is not a native English speaker or otherwise not speaking clearly.
READ MORE ON THE CONNECTED HOME
Your old router could be a hacking group’s APT pawn
Shut the front door: The state of the ‘smart’ lock
5 questions to ask before buying an IOT device
4 ways to protect your data when using Google Home and Amazon Echo
How to secure your home Wi-Fi
New ‘secure’ devices aren’t cheap
It’s just one example of how “Internet of Things” connected devices, from personal assistants like Google Home and Amazon Echo, to smart locks like August and Ring, can seemingly give your home powerful technological upgrades.
Internet-connected home devices appear to be at the beginning stages of a massive upward adoption rate. A PriceWaterhouseCoopers study from January 2017 found that 26 percent of U.S. Internet users already own a “smart home” device, and 43 percent plan on buying at least one in the future. An Altimeter report from August 2017 came to similar conclusions, with current usage rates at 23 percent of those surveyed, and consumer intent to purchase a connected home device “very strong.”
An important thing to realize when connecting physical components of your home to the Internet is that the conveniences come with trade-offs, including security and privacy risks, says Eric Michaud, CEO at Rift Recon, a San Francisco-based security company, who has spent more than a decade working on the intersections of physical and electronic security.
While a properly configured smart lock can help consumers gain far more insight as to who has entered their home than a standard lock, for example, it also presents more opportunities for hackers to get in, such as through a Wi-Fi or Bluetooth vulnerability, or a vulnerability in the app controlling the device, or even the device itself. Michaud refers to this as a wider “attack surface.”
When you activate a smart lock, Michaud says, you are “expanding the attack surface, but then I am getting something back because of that visibility: the ability to respond.”
Anticipating new security weaknesses, and taking steps to reduce their exposure in a more Internet-connected home or small office, can shrink some of those “attack surfaces,” he says.
First, Michaud says, use a separate email account for your finance and banking services from the email account you use to manage your IoT devices. That prevents banking spam emails from going to your banking email account, as no other service should have that email account address other than your financial institutions. And if you’re not getting spam sent to an account, the logic goes, you’re not likely to see email-based phishing attacks, either.
Another preemptive technique he recommends is investing in a modern Wi-Fi router that supports guest networks. Many modern routers’ setup assistants help users create guest networks, a feature that can be used to segment all your IoT devices, from lightbulbs to door locks to voice-activated personal assistants, away from your phones, laptops, and tablets. When you set up a separate network for your IoT devices, a hacker can’t use a vulnerability in it to reach your more valuable devices, such as your laptop or phone.
However, Michaud cautions, some devices don’t work as well when on a guest network, and some routers don’t do a good job of separating IoT traffic from laptop or phone traffic.
“All these IoT devices are coming out, and yet our routers are still not built for IoT devices,” he says. “They’ve been focused on making sure your devices can get enough bandwidth, as they need it. They’re not built for IoT security.”
Users will be forced to choose between security and convenience until IoT devices have been engineered to run smoothly on guest network, and vice versa, he says. Today, connected devices simply don’t work as well on networks with multiple SSID (service set identifier) names.
Michaud also recommends checking out an IoT device vendor’s website before purchasing a product, and making sure that the company has a vulnerability disclosure policy. Many IoT vendors say they have “bank-grade” or “military-grade” security, he says. That just means that information sent by the device uses Secure Sockets Layer, or SSL, which protects data in transit—but not against the exploitation of software vulnerabilities.
“It doesn’t tell you about any application security written in their code, their cloud environment, their service environment. It just means that they don’t know what they’re talking about,” he says. “They told that to the marketing team.”