Juniper Research predicts that the number of IoT sensors and devices is bound to exceed 50 billion by 2022, and with that come major cyber security concerns.

Gartner estimates that 40% of global smart home appliances are being targeted by botnets and that number may increase to 75% by 2021. “In the rush to get to the market, lot of companies are plainly ignoring security by design, which should have been the part of the product’s development life cycle,” says Jaspreet Singh, partner, information security at EY.

“Chain together” and “centralized data store” routines

According to a paper written by Adwait Nadkarni and Denys Poshyvanyk, two researchers at the College of William and Mary in Virginia, there are two main categories of smart home “routines”: one that allows users to “chain together” a number of devices using a third-party app interface, and one that utilizes a “centralized data store” as a sort of switchboard where devices and applications can communicate with one another over the internet.

These are intended to make smart home automation more seamless for the user, and both were found to be vulnerable, enabling cyber criminals to attack all internet-connected devices in the home.

For the centralized data store platform, when you use your mobile app to communicate with a low-security device (for example, a light switch), the device accesses your smart home using an authorization token. “Anybody can steal that access token,” says Nadkarni, and use it to, say, make your smart home think you are inside and turn off the security camera. The two scientists truly believe it is not that complex to achieve. “You don’t need any specialized education,” states Poshyvanyk. “You just need to know how to run certain programs. Even a high schooler could do that.”
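The token problem described above, as an added sketch that is not code from the researchers or any vendor: a toy centralized data store in which a light switch's token can change the home/away variable a camera routine depends on, next to a variant that limits each token to the keys its device needs. All class, key and device names are hypothetical, and per-token scoping is an assumed mitigation, not the fix any vendor shipped.

```python
import secrets

class FlatStore:
    """Weak design: any valid token may write any shared variable."""
    def __init__(self):
        self.tokens = {}  # token -> device name
        self.state = {"home_mode": "away", "camera": "on", "light": "off"}

    def issue(self, device):
        token = secrets.token_hex(16)
        self.tokens[token] = device
        return token

    def write(self, token, key, value):
        if token not in self.tokens:
            raise PermissionError("unknown token")
        self.state[key] = value
        # Routine: the camera is switched off while someone is home.
        self.state["camera"] = "off" if self.state["home_mode"] == "home" else "on"

class ScopedStore(FlatStore):
    """Assumed mitigation: a token may write only the keys its device needs."""
    def __init__(self):
        super().__init__()
        self.scopes = {}  # token -> keys that token may write
        self.denied = []  # audit trail of rejected writes

    def issue(self, device, writable=()):
        token = super().issue(device)
        self.scopes[token] = frozenset(writable)
        return token

    def write(self, token, key, value):
        if key not in self.scopes.get(token, frozenset()):
            self.denied.append((self.tokens.get(token), key, value))
            raise PermissionError(f"token not scoped for {key!r}")
        super().write(token, key, value)

def camera_after_presence_write(store, token):
    """Camera state after the token's holder tries to set home_mode to 'home'."""
    try:
        store.write(token, "home_mode", "home")
    except PermissionError:
        pass
    return store.state["camera"]

if __name__ == "__main__":
    flat, scoped = FlatStore(), ScopedStore()
    print(camera_after_presence_write(flat, flat.issue("light_switch")))  # off
    print(camera_after_presence_write(scoped, scoped.issue("light_switch", {"light"})))  # on
    print(scoped.denied)  # [('light_switch', 'home_mode', 'home')]
```

The `denied` list doubles as a detection signal: a light switch token asking to change presence state is something its own app would never do.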

They both blame such vulnerabilities on consumer demand and the headlong rush to meet it. “Manufacturers race to release these systems without having a good understanding of how they will be used in the wild,” says Poshyvanyk.

After the researchers identified the security flaws, they reached out to platform vendors Google and Philips and to app developer and manufacturer TP Link to report what they found. As of January 2019, TP Link had fixed the flaw in its latest Kasa Switch light dimmer app, which prevents the kind of theoretical lateral attack previously explained. Philips was expected to implement a fix to its platform and Google was working to address vulnerabilities as well.

The industry needs to get smarter about risks

The issue is bigger than a few products or companies; it’s really the industry as a whole that needs to get “smarter” (pun intended) about risks.

“The reality is that security is fundamental. Your consumers must feel that their devices not only work flawlessly, but also secure your private data,” says Sam Salem, Senior Director at Jabil. For adoption to truly match innovation, security will have to become a bigger aspect. Customers have to feel that they are safe to bring new technology into their homes.

Scott Robinson, CIO of the GlenMill Group, a research consortium specialized in artificial intelligence and enterprise architecture, recommends the following smart home cyber attack prevention strategy:

1. Never publish device serial numbers on social media sites or product forums, even if it’s necessary to mention the make, model and version number of an IoT device to get help from product forums.
2. Always change default passwords, replacing them with strict and complex ones. Update them regularly.
3. Always install patches and updated firmware, even if it’s necessary to do so manually.
4. Check vendor sites regularly for security alerts and known vulnerabilities, and sign up for notifications on new threats.
5. With digital assistants, turn off voice input, via the mobile app, and use the voice remote instead. Doing so prevents triggering malevolent skills via voice squatting, as there is no wake word, just a press-and-hold talk button; disable voice purchases, or set up a PIN for voice purchase access.
6. Use digital assistants only over a secure Internet connection, and change Wi-Fi passwords often.
7. If you’re really worried about Alexa or Google Home being compromised directly, put them on a second router, making them harder for an attacker to reach.

While the popularity of smart home devices has boomed, it’s important to note that such technology is still early stage, and needs to mature… and with maturity comes responsibility (including committing to increasing consumer security).