As Steven Rosson, his wife, their toddler, and their newborn enjoyed time together in the middle of their living room recently, they looked like a typical young family. Except that they live inside what is essentially a great big computer. Steven Rosson has tricked out his home with probably more than twenty smart devices and sensors. In fact, he has even started a blog to help guide other people interested in making their own homes smart.
We watched as Steven barked a series of commands to his house, which dutifully complied each time. He instructed a voice assistant to add avocados and scotch to the shopping list and it did. He demanded that the smart vacuum cleaner go and clean the kitchen floor and it immediately fired up and raced toward the kitchen. The vacuum is Chinese-made.
“It spoke Chinese to me right out of the box," Rosson said.
But Google Home knows how to translate his English commands into computer-speak that the robot understands.
“The convenience factor is huge," Rosson said, "being able to control the entire house without moving.”
Much of daily life in the Rosson household doesn’t even require commands to be said. Temperature and lighting settings are automatic. At the push of a button they can remotely soothe their toddler with lullabies piped into her room. There is even a button attached to a pill bottle.
“So you open it up take your pill and push the button," Rosson said, "and then it sends you an email saying you took it at this time. And then it sends another hours later to tell you hey it is time to take your antibiotic again.”
Rosson set this all up himself.
“It’s a hodgepodge of a whole bunch of different components," he said. "We have two or three Amazon Alexas, five Google Home minis, a couple Kwikset locks, Nest thermostats, a wide array of various sensors around the house.”
He said it’s all run by a small, clear $35 box with a computer chip inside.
“This is a ‘Raspberry Pi,'" he said. "This is the brain.”
The smart house regularly sends them emails about how various systems are operating. Rosson pulled up one of the messages for us.
“It told me the doors are locked and the home is secured, but if I hadn’t locked the doors it would have sent us an alert telling us we hadn’t locked the door," Rosson said. "There is a big peace of mind element to it.”
But will that peace last?
We visited a threat hunting lab at Trend Micro’s U.S. headquarters in Irving.
Mark Nunnikhoven, the vice president of cloud research at the global cyber security company, pointed to a monitor where cryptic descriptions were scrolling next to a digital count that was already well past 50,000, and rising fast.
“This is real-time – you can see this flying by here live attacks," he said.
More than 50,000 live attacks, and Nunnikhoven told us that represents a "slow day."
In the room with us were rows of analysts at their workstations, poring over the threats and formulating solutions to help protect Trend Micro’s customers. Many of the attacks they see are known threats, but, Nunnikhoven says, “They’re also seeing new and novel things that nobody has ever seen before."
Trend Micro predicts that by next year there will be 50 billion smart devices connected to the internet from homes around the world. They also predicted that we will see a big increase in the frequency and scope of mass hack attempts on those devices.
Nunnikhoven lined up a row of smart home gadgets on a conference room table to break down some threats – and give some advice on how consumers can better protect their in-home technology.
We started with voice assistants.
“This is a Google Home, a voice assistant similar to Amazon Echo on display here," Nunnikhoven said.
Voice assistants have revolutionized interactivity between people and their home environments. But he said placement is critical.
“If you’ve got this in your bedroom, it is listening," he said.
"The way the voice assistants work is that they are always listening for that key word and anything after that is considered a command. That may or may not be something you want in your bedroom."
Taking that a giant step further, he said that in the past, hackers have been able to commandeer some voice assistants by getting into "smart" music speakers placed near the assistant.
“We showed a vulnerability in smart speakers where people were playing attack commands through the speaker to control the voice assistant because the speaker was broadcasting next to the voice assistant and now you’ve got control of the smart home," he said.
He said there can be a vulnerability in devices that are specifically built for convenience.
“It is assumed anyone giving a voice command is an authorized or appropriate user," he said.
Depending on what a voice assistant controls, a cyber intruder with control over one could conceivably secretly record audio or images from inside the home or run up a bill if a credit card is associated with the voice assistant.
Nunnikhoven said these are not hypothetical concerns: “We have seen all of these things happening in the real world."
His expert advice: don't put a voice assistant near another gadget that can talk to it, and be mindful about how it and other devices it controls could be misused. Also, when you are not going to be using a voice assistant, you should turn it off, or mute it. And if the assistant is associated with a credit card, you can place a spending limit on the account.
Amazon responded to a request for comment about all this with some useful information. First off, a spokesperson said, “We take privacy seriously and have built multiple layers of privacy protections into Echo devices including a mute button, as well as the ability to review and delete voice recordings in the Alexa app or on the website. Customers can also set up a four-digit voice confirmation code that’s required before every Alexa shopping request.”
Amazon also described these layers of protection:
• Echo devices come with a mute button built in that makes it very easy for you to control when your devices are ready to detect the wake word. Echo devices are designed to detect only your chosen wake word (Alexa, Amazon, Computer or Echo). The device detects the wake word by identifying acoustic patterns that match the wake word. No audio is stored or sent to the cloud unless the device detects the wake word (or Alexa is activated by pressing a button).
• Echo devices provide you with a clear indication of when audio is being streamed. When the wake word is detected, a blue light illuminates, either on top of the device or on the display, to clearly indicate to the customer that it is streaming audio to the Amazon cloud. When the Echo device is muted, the light ring will turn red indicating that the mics are disconnected.
• You can manage Alexa Shopping settings in the Alexa app, such as turning off voice purchasing or requiring a four digit confirmation code before every order.
• You can review voice recordings associated with your account and delete individual utterances or delete all voice recording history in the Alexa app or at https://www.amazon.com/alexaprivacy.
Next: Smart thermostats, doorbells, and cameras.
Nunnikhoven called these gadgets “Very convenient…lots of practical uses."
He said, for instance, that a smart thermostat can save you money by figuring out more efficient patterns for heating or cooling your home.
But to do that, Nunnikhoven pointed out this class of smart helpers collects a lot of data about your comings and goings and your everyday living habits.
“You really should take a step back and say wait a minute, if I have a doorbell and a smart assistant and a couple of cameras, it’s pretty easy to figure out how our family lives…when people are home and when they are not home," Nunnikhoven said.
He said the most vulnerable access point for these devices is often the same access point that makes them so useful to consumers – the ability to have an account that shows them their home’s data.
Consumers – and potentially hackers – can access those accounts with a password. We hear this all the time, but Nunnikhoven stressed that it is imperative to give each account its own unique, very strong password.
Also, he said when you activate one of these devices, beware of the Terms of Service.
“It’s my job to read them and even I have a hard time going through them and understanding what they mean and what the real-world impact is," he said.
He said the terms often prevent you from going in later and deleting your data patterns that have been collected.
Google declined to comment directly on the points raised here by Trend Micro, but the company offered the same advice as Nunnikhoven, saying, "we encourage all customers to use two-factor verification for added account security, along with not reusing passwords."
Finally, WiFi routers.
“You thought about it maybe the day you established your internet connection and after that it is gathering cobwebs somewhere," Nunnikhoven said. "The biggest vulnerability is they are often un-updated for years so any issue with the software they use is exposed and left exposed. Trend Micro just published a report on this where cyber criminals are attacking something on the inside and using that to log in and own the router.”
Once someone "owns" your router, “They own everything else," Nunnikhoven said. "Every single device we have talked about communicates through this box out to the internet."
Nunnikhoven recommended you check for updates for your router every three months or so. Also, you should develop a very strong password for your WiFi router. And you shouldn’t give that password out to people who visit your home.
We spoke with Apple about the issue of router updates. A spokesman told us the company still produces and distributes router updates whenever they are necessary.
He also said Apple tries to make the process as easy as possible. The easiest way for people using an Apple router to stay protected is to say yes to automatic updates and to say yes to installing those updates when the computer indicates one is available.
Regardless of what brand of router you use, Consumer Reports has a great article about updating your WiFi firmware. About midway through the article, you can find links to tell you exactly how to update your individual brand of WiFi router.
As we made our way down the line of smart products, we arrived at one made by Trend Micro.
It is a home network security gateway, a nondescript box that goes in near the router. There are competing devices that do the same job.
Nunnikhoven described it this way: your router makes sure that the traffic is moving between your home and the internet – and your gateway, if you have one.
“It looks at all the traffic going to the router and doesn’t just look to see if the highway is open," he said. "It’s going to look inside each car.”
And he says it will stop some of that traffic and then warn you that it found something suspicious. Many people may not have such a device.
Nunnikhoven said a lot of us tend to wonder why anyone would possibly be interested in hacking us. He said you may be a lot more vulnerable than you think because you are targeted randomly, or because hackers are after a network that you might have access to – like your employer’s.
“Every attack is automated – that’s the easiest way to think about this," he said. "I think people are thinking old-world crime vs. the new realities of cyber crime. Somebody across the planet can hack you simply because you are a number. They don’t care who you are. They care you are an accessible resource or a potential source of money for them. And the second side of that is that more and more of us are working from home so it’s not about us; it’s who do I work for? So instead of going to attack the secure fortress that is corporate headquarters if I can hack you at home if I am a cyber criminal that’s an easy way in … to get at what I really want and that is who you work for.”
And he said many employers aren’t taking that threat as seriously as they should.
“A lot of organizations have policies about how secure your laptop has to be, how secure your phone has to be," he said. "But there’s no mention of locking down your voice assistants or your home router.”
With all this considered, we wondered, back at the Rosson home, how all the risks compute.
“I have concerns," Rosson said. "And I think like everything we do in life. There is a risk tolerance that we all have for anything we do whether it is driving or eating a cheeseburger. If somebody wants to get into my house they can go build the computer skills to develop an algorithm to hack into my lock, or they can just go break my window and come in anyway.”
Trend Micro has a great infographic on threats to smart devices and some best practices for securing them, like renaming your voice assistant for example.