A couple of years ago, two security researchers named Andrew Tierney and Ken Munro showed up to the hacking conference Def Con with a fun, new project. They were able to take control of a smart thermostat and demand money - in this case Bitcoin - from the 'user' to unlock it, or else they'd keep increasing the temperature on the hour every hour. Fresh hell indeed.
This type of attack is known as ransomware, for obvious reasons, but it was the first time it had been seen on a smart home device. And while ransomware tends to be used against big corporations and 'high net worth individuals' who can pay large sums of money - i.e. not you and I - proof of concepts like Tierney and Munro's thermostat still keep security experts and execs up at night.
McAfee's chief scientist Raj Samani says that attacks on Internet of Things (IOT) devices are one of four "next-generation threats" that his team at the anti-virus company has identified. Part of his job is to hack into connected coffee machines or Belkin WeMo smart switches and Rickroll his neighbour's connected car to see just how easy it is. The team got into a DVR in 54 seconds so... pretty easy.
Which leaves us with the question: How did we get here?
Shiny tech interfaces
There's a bit more to security than smart home owners being super lazy with passwords but we'll get back to that. Futurist Tom Cheesewright argues that over the past few decades, our everyday technology has become more and more frictionless, requiring less and less input from us. We've gone from labouring over manual records to typing into PCs to swiping at touchscreens to in 2018, chatting to voice and contextual AI. Overall, that's a good thing - but there's a catch.
"The further we lower the friction in these interfaces, the less conscious we become of the amount that we’ve outsourced, the more we’re placing ourselves and the extended perimeter of ourselves, at risk," he says. "And that’s true for our physical person, it’s true for our property and all those connected devices and it’s true for the place we work as well."
So the very arguments that Amazon and Google make to sell us these products - that they will automate and manage our entire lives to the extent we don't have to think about it - are the same reasons we think less about managing the devices and platforms themselves, leaving them open and vulnerable. Because no-ones needs to manage the manager, right?
The rise of cybercrime
Here's some stats to make you want to hide under the covers then jump back out of bed and unplug every internet-connected device in the house. By 2021, there could be 25.1 billion connected devices in the world! That's 4,800 new devices going online every minute of every day. But how about that crime?
53% of crime in the UK is cyber related. Last month there were 285,000 unfilled cybersecurity jobs which could grow to 3.5 million in three years. And 84% of businesses say they're unprepared to deal with securing the Internet of Things. Awesome.
Which is all to say that some very intelligent people are describing the fight against new forms of IOT attacks as "terrifying" and "extremely daunting". The most famous so far is Reaper, a botnet (a group of hacked computers and devices) that cybersecurity company Bullguard says could affect as many as 378 million devices. Unlike last year's biggie, named Mirai, it's not just looking for gadgets with default passwords, it's going after routers and specific flaws in smart home and IOT tech.
So who is behind the attacks and what do they want? Samani says that more and more it's not all organised crime networks but instead a combination of state sponsored attacks on one hand and on the other, people trying to buy a house, pay off student debt or who live in developing countries.
Cheesewright agrees, saying that the ease with which anyone can buy kit or get involved with malware online means "the average criminal is becoming more technologically advanced". Researchers have also found that people with the right skills are turning away from hacktivism (think Anonymous and the like) and towards criminal activities with a rise in attacks on mobile and smart home devices.
Shiny, unsecure devices
The good news for smart home fans is that we have some time to get our, ah, house in order. "To be very frank, the real challenge is - how are the bad guys going to make money from it?" says Antonio Gaetani, director of partner solutions for McAfee's new Secure Home Platform, which comes bundled with some D-Link and Arris routers instead of a dedicated device like Bitdefender.
"There are two or three things you can do [to make money]," he continues. "There was some very famous research where hacking into your doorbell, you were able to take control of the entire home. So the first IOT device is the Trojan horse for you to get you into the home. The other thing is that some IOT devices really have a value because they capture images from our home - cameras for example."
A huge problem, though, is that the tech companies building these connected cameras, thermostats, speakers and thingamajigs are prioritising keeping up with the Bezos' over security. It's something we hear whenever we talk to security nerds about the smart home. We don't want to hear that gadgets aren't encrypted properly or that they connect over http and not https, making certain types of attacks more likely. We'd just like to know easily whether the rando security cam we've seen online is too risky. The problem being, of course, that according to most studies, the big names aren't currently too much better.
That's why we'd like to stick The Ambient's name down on plans, in the very early stages, to build a ratings system for smart home tech that lets you see the security standards at a glance before you buy. Because, like we said, it's just not something we want to spend a lot of time thinking about...
And yes... you not changing your password
Smart home tech is supposed to make your life more convenient with fewer daily or weekly chores not fresh, new ones like checking how secure each of your smart light bulbs is.
One of the biggest pieces of advice for protecting your smart home is to simply change the default passwords on your kit. Easy, right? Well turns out that big tech can be to blame here too - because there are plenty of devices that don't prompt you to do this or make it near on impossible to even get to a screen that lets you do so. It also leads to reasonable questions like: is the password for my Nest devices the same as my Nest account? (Yes).
Smart home security tech like McAfee's Amazon Alexa compatible platform and kit from startups like Fingbox is designed to provide a basic level of security for all your devices and will alert you to weak or (much worse) default passwords. But it'd be better for all concerned if this was forced when we're setting it up.
So even when it is your fault, it's not your fault. But try to change your passwords - or you'll have to answer to your rogue thermostat.