Yesterday, CBS New York ran a piece on how smart devices can leave your home open to security threats.
The second line particularly stands out to me: “Even your light bulbs could leave you vulnerable.”
Is there any truth in it? Well, yes — technically speaking, a skilled hacker could gain access to your home through your smart home devices and let themselves in. But only if you have a smart lock.
It’s possible. It’s not remotely likely.
Smart home vulnerabilities
The smart home is by no means perfect. We’ve written about security flaws quite often (most recently the undisclosed vulnerability in the Wyze Cam) and how to avoid them. At the same time, companies learn of these vulnerabilities and take steps to correct them. In its early days, Ring was the focus of quite a few hacks. Now Ring is one of the most-lauded brands for home security.
Even though companies strive to fix these flaws, it doesn’t mean you shouldn’t be concerned. There are privacy implications to consider. No one wants an uninvited person spying on them through their home security cameras, or worse talking to their children. There have even been cases where smart bulbs could be exploited to gain access to the broader network.
The CBS article focuses on the different ways a hacker could take advantage of the smart home to gain access, mentioning things like door locks, doorbells, and even smart thermostats. The idea is that a hacker could learn you’re away from home or on vacation based on the settings of your devices, like the programming of your thermostat. They’re right, a hacker could learn this information — but they could also learn this information from hacking your email and reading a trip itinerary, a far easier task than breaking into a smart home.
The article implies that the smart home is a massive security flaw and overstates the risk. It isn’t a question of whether something is possible, but how likely they are.
Brute force is easily thwarted
The primary form of hacking mentioned in CBS’s story is a brute force attack, which uses an algorithm to test thousands of username and password combinations. It states that it guessed the username and password in a matter of seconds. There are a more than a few problems with that statement, though.
First, brute force attacks aren’t that fast. They take time to guess your passwords through a series of combinations. With proper password practices (no common words, varied uppercase and lowercase letters, numbers, and symbols), a brute force attack could take a long time. That time increases for every character you add to your password. If you have trouble remembering long, complex passwords, use a mnemonic to keep it straight — or take the easy route and user a password manager.
Secondly, brute force attacks are easily thwarted by two-factor authentication. Even if someone gains access to your password and username, they can’t access your account without the 2FA code. Have it sent to your phone rather than an email account.
Whatever example CBS used, that person practiced poor cybersecurity.
Most burglaries are not well-thought-out heists
Unless you live in a million-dollar mansion (and even that might not qualify you given the real estate market these days) with valuable art hanging on the walls, a burglar isn’t likely to plan out exactly how to approach. The majority of burglaries and thefts are crimes of opportunity. A would-be thief spots the empty box for a new TV on the curb and no car in the driveway and sees the chance to nab something valuable.
The idea that someone would take the time to hack your smart home just to disable your security system or learn your schedule is ridiculous. No one is going to Oceans Eleven you or your smart door lock, especially when it’s easier to break a window and climb in.
According to FBI crime data, in 2019, 55.7 percent of all burglaries involved forcible entry, while another 37.8 percent involved unlawful entry — such as walking in an unlocked door. In these cases, a smart doorbell might have actually prevented a crime, since the majority include autolocking features.
Your home is far more at risk by you forgetting to lock a window or letting deliveries pile up on the porch, sending a clear signal to everyone that you aren’t home. Your smart home is highly unlikely to aid in a burglary.
CBS ends its article by saying there are no industry standards for how secure smart devices need to be. There is truth to that, especially among smaller companies without the backing and funding of giants like Google and Amazon. However, it’s becoming more and more common for smart devices to utilize advanced encryption protocols and to require two-factor authentication for all customers.
Your smart doorbell might get hacked and let someone in, but they’re far more likely to just kick down the door. Don’t fear the smart home.