Sorry for the salacious title, but I’m trying to make an analogy about promises made when there is a dependency on trust. Here’s the question: how many professional cheerleaders would agree to perform naked if everyone in the stadium promised to close their eyes and not to peek? The obvious answer: none. Why? Because it’s not reasonable to trust that, in a stadium full of people, everyone would do as they promised. Some will, perhaps most, but certainly not all. Just as a stadium fills with people of all types, retailers’ shelves are filled with smart devices from every type of manufacturer.
Geoffrey Fowler of The Washington Post just authored an article entitled “How we survive the surveillance apocalypse”. He recognizes the power of personal data and how its value makes the temptation to collect it almost irresistible. Most reputable device manufacturers will respect the privacy of the people that invite their wares into their homes, but some won’t. Communications with back-end servers are frequently encrypted, so all users can do is trust that they are not being spied on.
His examination of privacy settings and opting out of collection programs led him to the inescapable conclusion (spoiler alert) that manufacturers need to provide transparency about the data collected and how it’s used, and broad privacy laws need to be enacted to prevent devices from spying on us.
Here’s the problem: smart home devices can’t be trusted not to spy, and here are a few reasons why (in no particular order):
Use of Shared / Open Source Code
There is a lot of pressure to get products to market as quickly as possible. Manufacturers will use open source code in their development whenever possible so they don’t have to re-invent common functionality. The problem with reusing shared code is that you often inherit vulnerabilities along with the functionality you’re looking for. That’s why IoT viruses are so prolific – once a vulnerability is discovered by hackers, it can be exploited across many devices from different manufacturers. If a device is compromised there can be no expectation of privacy.
3rd Party Services
When smart devices allow support for 3rd party software, devices and functions, the manufacturer can lose control of the governance of the privacy policies. For example, hackers were able to trick users of Alexa and Google Home into thinking that the smart speaker was not listening when it actually was.
The electronic components that populate printed circuit boards in EVERYTHING come from China. There are few exceptions. Bloomberg News reported that Chinese manufacturers were adding components to spy on the end users. They claimed that the purpose was industrial espionage, but China is the largest surveillance state on the planet. A spy chip can allow the device to do things that the operating system and application firmware are unaware of and unable to prevent.
The most common architecture for smart home devices has the devices in your home communicating with remote servers. These servers can be cloud based or reside with the manufacturer, and increasingly that means the servers are in China. Real Clear Politics reported on research from Dark Cubed that found unexpected and inexplicable chattiness between many smart home devices and servers in China. What exactly they’re reporting can’t be determined because the communications are encrypted.
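Encryption hides what a device reports, but not which server it talks to, how often, or when. The following is an added example, not part of the original article: it summarizes outbound connections per device from a router-style connection log and lists devices that talk while the home is idle. The log format, device names, quiet-hours window and addresses (documentation ranges) are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample: "ISO-timestamp device dst_ip:port bytes_out".
# The format is an assumption for this example, not any router's real log format.
SAMPLE_LOG = """\
2020-01-05T07:02:11 smart-speaker 192.0.2.10:443 5200
2020-01-05T07:02:40 smart-speaker 192.0.2.10:443 48100
2020-01-05T02:00:03 smart-plug 198.51.100.7:8883 310
2020-01-05T02:10:04 smart-plug 198.51.100.7:8883 305
2020-01-05T02:20:02 smart-plug 198.51.100.7:8883 312
2020-01-05T03:15:45 smart-plug 203.0.113.99:443 15400
2020-01-05T19:30:00 smart-tv 192.0.2.55:443 990000
malformed line here
"""

QUIET_START, QUIET_END = time(1, 0), time(5, 0)  # assumed hours when nobody uses the devices

def parse(log_text):
    """Yield (datetime, device, destination, bytes) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # bad timestamp or byte count

def summarize(log_text):
    """Per (device, destination): connection count, bytes sent, quiet-hour connections."""
    stats = defaultdict(lambda: {"conns": 0, "bytes": 0, "quiet_conns": 0})
    for ts, device, dest, nbytes in parse(log_text):
        entry = stats[(device, dest)]
        entry["conns"] += 1
        entry["bytes"] += nbytes
        if QUIET_START <= ts.time() < QUIET_END:
            entry["quiet_conns"] += 1
    return dict(stats)

def quiet_hour_talkers(log_text, min_conns=1):
    """Device/destination pairs that sent traffic while the home was idle."""
    return sorted(pair for pair, s in summarize(log_text).items()
                  if s["quiet_conns"] >= min_conns)

if __name__ == "__main__":
    print("idle-time talkers:", quiet_hour_talkers(SAMPLE_LOG))
```

A destination that shows up only in the quiet window, or at fixed intervals like the constructed smart-plug entries, is the kind of chattiness worth looking into even though the payload cannot be read.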
Weak security, Hackers, Viruses and Compromised Devices
As mentioned earlier, if a device is discovered and compromised by hackers there can be no assurance of privacy. Smart home devices are designed for the consumer market, and even for devices with good security capabilities, the weak link is the end user. If the manufacturers of smart home devices forced the end user to use strong passwords, change them periodically, and update firmware as improvements are made available, most consumers would throw them out. Current reality is that consumers want to buy the least expensive devices with the most features, plug them in and play with them, then move on. There is little appetite to play IT personnel in the evenings or weekends. Eventually, good security will happen automagically, but not in the foreseeable future.
Electrical components can be so small as to be nearly invisible to the naked eye thanks to advances in MEMS (Microelectromechanical systems) technologies. Manufacturers can add any number of sensors (camera, microphone, motion, temperature, shock & vibration, etc.) at very little cost. They may do this in anticipation of future functionality, or undocumented functions. USA Today reported that Google “forgot” to tell consumers that Nest Secure came with a microphone. This may be just what it seemed, but it exposed the possibility that other device manufacturers may have more nefarious intentions. Covering a camera in a smart home device may prevent that camera from spying, but how many other cameras are there?
The people most concerned about government surveillance usually have good reason to be (i.e. they’re criminals). Rachel Levinson-Waldman with the Brennan Center for Justice wrote “The US government is currently operating under the theory that it must collect the entire haystack to find the needle. But what happens to the rest of the haystack – information about law-abiding citizens that gets swept up in the mix?”. That sums up the broader concern about spying smart home devices well: can the data collected about us in our personal lives, in our most personal moments, be used by law enforcement against us? The potential exists to get caught up in a broader search because your home happens to be in the wrong place, and you said the wrong things at the wrong time. The more devices in your home, the greater the data about you in the world. The FBI recently warned that your smart TV can be used to spy on you… they should know.
I have close to 20 gadgets and gizmos on my home network. I enjoy telling Google Home “good morning” and having it turn on the lights, update me on the current weather, and brief me on the latest news while my coffee brews. I know that while the devices are connected to the internet they are listening and reporting, but I limit the connection time to something close to the time that I’m actually using them – keeping the network normally off. This can be done manually by unplugging your WiFi router, or automatically using Off Hours.
January 6, 2020