Six years ago, the world’s top cybersecurity experts gathered in the Netherlands to talk shop. At one point, an 11-year-old toting a stuffed teddy bear took the stage. None of the brainiacs was sure why.
The sixth-grader — whose name was Reuben Paul and who had come all the way from Austin, Texas — calmly proceeded to scan the audience for Bluetooth connections using a pint-sized computer called a Raspberry Pi. He easily stole dozens of phone numbers from the crowd. Then he hacked into his own teddy bear with a few lines of Python code and recorded a message on it from the by-now-speechless IT specialists.1
I bet little Reuben Paul drew a standing ovation that day. But his hijinks were also more than a little scary. If an 11-year-old with a $40 computer can hack a room full of cybersecurity experts in minutes, what about the rest of us? Our homes are packed with smart tech. Would we stand a chance?
The answer is yes — if we take some fairly simple precautions. Here are five of your softest smart home targets and how to protect them from thieves, stalkers … and your own kids.
“I’m in Your Baby’s Room.”
The internet is everywhere today — in vacuums, refrigerators, phones, toys. Our physical world has become so internet-saturated, we even have a name for the new hybrid environment we’ve created: IoT, or Internet of Things.
The IoT is what automates our smart homes. It’s what our mobile phones use to tell our smart heaters to lower the temperature in a room no one’s in and what our home security cameras use to tell us that the suspicious shape at the window is just the dog. To cyber predators, on the other hand, the IoT is like a multiverse they can pop in and out of at all hours and, with very little effort, end up in the worst possible places.
Like Ellen and Nathan Rigney found out when they woke up one midnight to a sicko growling at their sleeping 4-month-old baby via a baby monitor hooked up to a Nest camera in the baby room. In one heart-pounding instant, the pervert claimed to be in the house with them. But he wasn’t. He’d just jimmied his way into the Rigneys’ network, probably via an easy-to-crack password, and taken control of every device in the house connected to Wi-Fi.
How does that make you feel? Probably like Ellen Rigney. “You have something that’s supposed to make you feel better, and instead it makes you feel the opposite. It makes you feel invaded and uncomfortable.”2
How to stop this from happening to you: Upgrade your router to WPA3 security, if it isn’t already using it. WPA3 technology (which replaced WPA2 in 2020) makes it much harder for wannabe snoopers to snatch even simple passwords from you and impossible for them to listen in on your home traffic. This is a good first step. For ironclad protection, slap a quality VPN down over your whole network via your router.
FYI: You don’t even need to share your password to give visitors access to your WPA3-protected Wi-Fi network. You can simply share a QR code with them. On Android phones, find your network in your network settings, and tap on the gear next to it. Tap the share option, and you’re good to go.
Alexa, Buy Me a Dollhouse and Four Pounds of Cookies
How much does a KidKraft Sparkle Mansion dollhouse and four pounds of sugar cookies cost?
The answer is $160, the Amazon tab a Dallas family picked up for their 6-year-old daughter after she asked Alexa to buy them for her on a whim. The technical term for what happened is “voice purchasing,” and, no, your children shouldn’t be doing it.
Granted, $160 is peanuts compared to some of the astronomical Apple Store bills parents got stuck with when their clueless kids went on in-app spending sprees, but the lesson is the same: If you’ve got kids and a smart speaker in the same house, you’ve got to flip those parental controls on.
How to stop this from happening to you: Devices like the Amazon Echo and the Google Nest run with sister apps. With the Echo app, go into the settings, find Voice Purchasing, and set up a four-digit PIN. (Don’t share it with your kids.) For Nest users, the simplest option is just to disable “Pay through your Assistant” on the Google Home app.
Did You Know? Kids aren’t the only members of our households with a knack for making unauthorized purchases on the Amazon Echo. In 2017, an African Gray Parrot named Buddy ordered a set of $12 decorative gift boxes from Amazon. How did he get away with it? By learning to impersonate his owner’s voice.
The Hidden Life of Smart Bulbs
Smart bulbs are changing the way we live. Smarter light means healthier sleep and less electrical waste. Despite the higher upfront costs, which are falling by the year, clever bulbs, like smart thermostats, should also bring our electricity bills down over the long run.
Those benefits have translated into huge (and growing) smart bulb sales. Researchers predict that today’s $8 billion smart bulb market will hit $28 billion before the decade’s over.4
The only issue with smart bulbs is a microchip-sized hole in their technology the smart bulb execs never saw coming.
In 2019, a few professors at the University of Texas at San Antonio wanted to see if they could hack into a smart bulb through the infrared light it emitted. Sounds like science fiction, but it actually worked. From a distance of 50 meters, the scientists found that harnessing the light waves let them talk to any other devices connected to the network, which meant they could peer at and snatch up any data that happened to be circulating over Wi-Fi — video, photos, messages, emails, etc. — unobserved.5
How to stop this from happening to you: Smart bulb manufacturers like Nanoleaf and Philips need to address these security concerns ASAP. For the time being, corral your smart bulbs into a central smart hub so that they’re communicating with each other over the hub, not openly over Wi-Fi. That should keep any eavesdroppers at bay.
Pro Tip: Security glitches notwithstanding, LED smart lights are money savers. An LED bulb costs about $1 per year to run compared to its incandescent cousin, which costs about $7. If you multiply that $6 savings by the average number of light sockets in U.S. homes (40), you end up with a savings of $240. Not bad. And that’s not even figuring in the money you could potentially save with motion-activated lighting.6
She’s Listening
When’s the last time you Googled the weather? I mean actually typed in the words “weather today in my area” on your phone. If you’ve got a Google Nest or an Amazon Echo, like roughly 25 percent of the U.S. population over 18, finger searching ended once you set your smart speaker up on the kitchen counter. Now it’s “Hey, Google. What’s the weather like today?”
Good? Great! When you’re rushing to get out the door in the morning, a smart speaker saves time. If you’re hooked up to an Echo Dot, Alexa, Amazon’s voice assistant, can do a lot more for you — like ordering your groceries or Christmas gifts. Or sending a private, late-night conversation to a random person in your contacts list by accident.
This actually happened to an Oregon couple a few years back. Alexa woke up by accident and started recording a conversation they were having about … hardwood floors. In a second fluke, Amazon heard “send message.” Where did this command come from? Probably from the TV playing in the background, which also told Alexa to send the voice recording to an employee in the husband’s contact list.
Fluke or not, everything that Alexa records gets sent to the Amazon cloud for instant analysis. That data stays on its servers indefinitely, unless you delete it or set a shelf life of somewhere between three and 18 months. Is that worth the convenience of being able to order toilet paper with your voice? Your call.
How to stop this from happening to you: Alexa and the Google Assistant need to be listening in the background all the time if you want them to wake up when you speak to them. If you’ve got an Echo in the living room or bedroom — or anywhere there’s a TV in range — you should be extra careful. For total privacy, switch the microphone off. It’s also not a bad idea to set your Alexa cache to delete itself every three months.
FYI: The incident I described above is an outlier, but it’s not uncommon for Alexa to record conversations by accident. According to a Bloomberg report, per Reader’s Digest, about 100 accidentally recorded transcripts get sent to Amazon every day.7
Bad Apps
Chet Wisniewski had a question. He wanted to know how secure some of the knockoff smart devices he’d seen at Fry’s Electronics actually were. Wisniewski is the head security researcher at Sophos, a cybersecurity company, so finding out the answers to questions like that is all in a day’s work.
Wisniewski filled his Fry’s shopping cart with smart devices that each cost a fraction of what a quality smart home system would have, paid, and lugged them all home. What he discovered was jaw-dropping. Wisniewski didn’t even have to hack any hardware to worm his way onto his network through the cheapo smart gadgets. The software, riddled with vulnerable, outdated code, was all he needed. It took him under an hour.
We’ve written extensively about how easy it is for hackers to turn apps into multimillion-dollar scams. We’ve also documented scary cases where criminals hijack physical infrastructure in heists that make the crippling Colonial Pipeline ransomware attack read like back-page news.
Hacks targeting smart home apps would lie somewhere in between. Using poorly secured software as a backdoor, hackers could theoretically gain control of our homes’ hardware from afar — even our connected home security systems. A backdoor through our apps would also expose any data on any of our connected devices (phones, laptops, and tablets) to theft and worse.
To sum up Wisniewski’s research: Cheap may be OK when you’re buying a T-shirt, but when you’re automating your home, it’s a huge risk.
How to stop this from happening to you: There’s a reason that top-rated smart devices make our best-of lists, and it’s not just because they look great in our homes. Like best-in-class home security systems, best-in-class smart products take security seriously, software included. This isn’t the case with any off-brand product you find on the shelves at Walmart. Your best defense against a lousy app riddled with dangerous security holes is to invest in well-made products that are constantly updated.
Did You Know? Nearly 80 percent of U.S. households reported owning at least one smart device in 2021.
Final Thoughts
Smart, connected homes are the future because they save us time, are better for the environment, and have the potential to bring down our utility bills. Think of a smart refrigerator that could tell us when our eggs were about to expire, or a smart thermostat that knew where we were in the house and adjusted itself accordingly.
But like every invention in the history of mankind, smart homes come with risks. Or maybe I should say, with all progress come hordes of lowlifes out to exploit it for a buck. Because that’s basically the real headache of outfitting a smart home: keeping safe.
Now for the good news. Keeping safe doesn’t require a degree in IT.
First, don’t skimp on smart products. Knockoff smart devices come with knockoff security issues.
Second, every product has its own set of security protocols. For Amazon, keeping safe might mean disabling Voice Purchasing — if you’ve got kids. For your network, it might mean upgrading to a router with the latest WPA3 security.
Bottom line? By investing in high-quality smart products that you maintain properly, your only real headache will be figuring out how to make those smart light bulbs actually work.