New security research finds surprising flaws in popular smart home devices

YourThings ranks security of devices including Nest, August, Alexa, and more

New website rates security of smart devices
The Ambient is reader-powered. If you click through using links on the site, we may earn an affiliate commission. Learn more

Ever wondered how secure that new smart camera you set up in your baby’s room is? Or whether your connected cooker is safe from hackers? We’ve all heard the horror stories of strangers talking to children in their nursery through insecure IP cameras, or the botnets that took over connected devices and essentially disabled the internet. So, just how are we supposed to figure out which devices are safe to bring into our homes?

A new website run by security researchers from the Georgia Institute of Technology and the University of North Carolina at Chapel Hill is trying to help. Yourthings.info has ranked 45 smart home devices with grades of A through F in four categories, with about 30 more products coming soon.

While it's hardly a complete roundup of smart home gadgets, it’s a huge step in the right direction. Ultimately, we may need some type of FDA-style approval process and EnergyStar-type labelling to help people understand exactly what they’re bringing into their homes.

“A lot of people who purchase these devices don’t fully understand the risks associated with installing them in their homes,” Omar Alrawi, a graduate research assistant at Georgia Tech, told The Ambient in an interview. “We want to provide insight by providing security ratings for the devices we have tested.”

Nest, Piper, come top in new smart home security rating system

Security researchers Chaz Lever, Manos Antonakakis and Omar Alrawi are part of the team behind the new website YourThings.info (Photos by Allison Carter, Georgia Tech)

The team developed a framework for analyzing each device's various security components, testing and rating them in four areas: the devices themselves, how they communicate with cloud servers, the applications running on the devices, and the cloud-based endpoints. You can read the full methodology on the YourThings website.

The results were eye-opening to say the least. “We saw the full spectrum of good and bad, and were quite surprised at the results of our evaluation,” said Alrawi.

For example, August’s popular Doorbell Cam Pro came away with a terrible grade, scoring C, D, F and F respectively. LIFX’s smart bulbs similarly got all Cs and Ds. On the other hand Nest products, including the Google Nest Cam and Nest Guard security system, scored highly, except in the mobile category – which rates how well the app deals with sensitive data and whether it asks for more data than it needs.

Alexa's Echo smart speaker hovered in the Fs and Ds, just scraping a B for its device security. The only Apple device tested, the Apple TV, got excellent grades in every area but cloud security.

Very few devices scored well across all the categories. “That was something else we were really surprised to find – varying security practices from good to poor, for a single device," Alwrai said. "Even those built by the same manufacturer had different security levels.”

Essential reading: Best smart home security systems

Getting As in every stage is extremely hard. I don’t think any manufacturer could hit all As

Of the few devices that did do well across each category, Alrawi was most impressed with the Piper security camera. “It scored very highly," he said. "In general, the ones that scored best were cloud managed, so they don’t communicate over your network. A lot of the Nest devices scored well because they’re cloud managed.”

While the cloud can be a vulnerability point, these manufacturers did a good job securing their cloud end points, explained Alrawi. “They don’t run unnecessary services and they’re very locked down, whereas with some other devices their cloud end-point was full of holes.

“Getting As in every stage is extremely hard, realistically I don’t think any manufacturer could hit all As,” Alrawi said. “These criteria are based on one instance of what we think a good security framework is. It’s an example of how you can look at these devices and assess their security – a single snapshot.”

Ultimately, YourThings.info isn’t designed to be a complete resource; it is more a proof of concept product, designed to encourage better security by device manufacturers and push for some form of regulatory framework around the security of these devices. But for now, it's pretty much all we've got.

“Maybe your smart TV gets hacked and you can’t watch your show, that’s not a big deal – but if your oven gets hacked and burns down the house, well that’s a much bigger problem,” Alrawi said. “We haven’t gotten there yet, but we want to prevent us from getting there. We’re just saying, ‘Hey we’re heading in a direction that might be worrying.’”


Related stories

televisions How to pair an Xbox One or PlayStation 4 controller with the Apple TV
lighting C by GE smart bulb review: Made for Google, but not much else
google The Week in Smart Home: Another celeb voice comes to Google Assistant
amazon We asked the experts: Do Alexa's new privacy tools go far enough?
amazon Brilliant Alexa Easter eggs: Funny things to ask your Amazon Echo
amazon Alexa can now speak Spanish, as Amazon rolls out multilingual mode in the US
What do you think?
Reply to
Your comment