Smart Devices Aren’t Always So Smart—and Could Be the Leak That Lets Cybercriminals Into Your Home
The good news? Fixes are easy.
Admit it: You’ve been reading a bit too much about a certain deadly virus that can kill human beings. Relative to that, viruses that can cause your home network to fail or steal your identity are minor. Still, the headache from having your credit card hacked or your kid’s face splashed in dark corners of the web should alarm you. And yet, about a third of all Americans owned a smart speaker circa 2018, and market research firm IDC said last fall that smart devices (including locks, lightbulbs, cameras, robo vacuums, etc.) were expected to grow at an annual rate of 23 percent, with 815 million such semi-sentient widgets shipping by the end of last year.
What’s the connection? Smart devices were a bit late to the party when it comes to data privacy protections, and hackers, just as they are when attacking your web browsing, are increasingly clever. Still, for all the fears, there’s some basic advice everyone can and should follow to protect themselves, and it’s not as scary as you think. Also, remember that, as with coronavirus, the basics protect you from most of the risks.
Two main players in the IoT (Internet of things) realm, Apple and Google, approach device security differently, but Mike Bergman, VP of technology and standards at the Consumer Technology Association, a trade group, and Paige Hanson, chief of cyber safety education at NortonLifeLock, both say that huge corporations like these, as well as name brands you know, tend to chase security measures harder than little-known labels because they’re not fly-by-night entities making copycat products.
That means that if you want to have IoT devices around, like smart speakers, the wiser route is to shop in Apple’s or Google’s walled gardens. Here we’ll break down their different approaches and product solutions in both realms.
Google says any device that has the Assistant function (like an Android phone, smart speaker, a TV with Google’s Chromecast built in, or a Nest product, since Google owns Nest) is in standby mode until you use the trigger phrase, “Hey Google.” Then there’s an indicator light on devices like speakers, so you know it’s listening. You can also turn off all listening in any device in the Google sphere, including third-party ones like Sonos. Just say, “Hey Google, stop listening.” Google does send searches to its servers, but it says this info is encrypted and secure. FYI, if you want extra security, go to Google’s activity controls setting and swipe off voice and audio controls. (If you have an Alexa speaker, you have to navigate to privacy settings on the Alexa app, scroll to Alexa Privacy, tap Manage How Your Data Improves Alexa, find the tab that says Help Improve Amazon Services, then hit off.)
Hanson also adds that you should turn off “one-click” style purchasing. It might be easier, she says, but it means a company is storing your credit card information, which always makes it more vulnerable. And if you just can’t live without that convenience, Hanson says to register only a credit card rather than a debit card. That way your whole bank account can’t be fleeced in a data breach.
As for search, Apple’s policy is that Siri commands aren’t just encrypted, but that they’re depersonalized, meaning there’s no IP address associated with the search that’s traceable back to you. The search isn’t stored on any server for Apple to release, so a query like asking about the five-day forecast won’t result in weather apps spamming you online.
Apple and Google rely heavily on two-factor authentication (first a login, then a one-time PIN sent to your phone, etc.) for any action that might put either personal or data security at risk. For instance, Apple’s smart speaker, HomePod, as well as Apple TV and Siri on an iPhone or iPad, all allow voice control of other IoT devices, but they don’t allow voice control over physically unlocking a door, window, or disarming security (though you can lock a door, because it’s assumed you’re already indoors).
For control of IoT physical locks and security devices in the Google sphere, the company ensures all devices have two-factor authentication.
Instead, the captured content goes to iCloud, so you can view it remotely (after two-factor login), and then is erased after 10 days unless you download it. You can set these systems up to notice when your infant is crawling in her crib or a delivery person arrives, or to be specifically aware when your teenage child is back home, but the content isn’t accessible by anyone but you, and Apple cannot see it, either. You can also set up the Netatmo Smart Indoor Camera to ID (via facial recognition) in- and out-groups. If there’s someone in your home who shouldn’t be, the camera will fire you a shot/video of the person’s face.
Google operates slightly differently around face identification for devices like Nest Hub Max, which is like a smart speaker and tablet in a single device, as well as for standalone Nest cameras. Google says Nest cameras use facial recognition to confirm that it’s you (or people within a group you’ve given certain permissions to), and two-factor ID is then required before voice can be used to control locks, alarms, etc.
But none of this data is shared beyond your network. While your search settings on a web browser will allow some customized advertising, Google’s privacy commitments say that they will not sell/customize based on voice or recorded video content or home environment sensor readings.
One way Apple and Google divide themselves is via centrally designed controls. Apple’s HomeKit ecosystem lets you set permissions for how every device on it is connected to the greater web. Does your thermostat, bulb, plug, or doorbell actually need web access? Likely the answer is no, and it’s easy to customize the access of each device—or using a smart router, you can globally set how all devices on your network do or don’t access the internet. You can do something similar with Nest WiFi (explained below), and you can control a lot of your device settings through the Google Home app, but you cannot limit web access to a connected object without cutting it off from all WiFi entirely.
Brad Russell, who is the research director at Parks and Associates, says as much as the world was scandalized by Ring video doorbells recording personal activity late last year, a far bigger gateway to data breaches gathering dust in your closet is the modem provided by your cable company, and likely, the ancient router connected to it. “Networking hardware in most homes is really old,” Russell says, and that means you’ve probably replaced four smartphones in the time you’ve been running that old modem. What’s the risk?
Possibly, according to Bergman, your data could be stolen, because old hardware was frequently hard-coded with weak or zero security. Bergman thinks it’s far more likely, though, that your connected devices will be used for botnet attacks for larger cyber-theft operations. In that case, you’ll know because your web surfing and binge-watching will screech to a halt—and sadly, you’ll never know exactly why.
So which routers do security experts dig? Ones that offer more control, for certain. The Eero, for instance, lets you see every single device that’s connected to your home network and control what it can and cannot communicate with. Set up the Eero to ping your phone if a new device tries to connect to your network and that way you’ll have additional control over random drive-by WiFi grifters.
Nest WiFi works like Eero, in that it’s scalable, allowing you to add repeaters if you need to spread connectivity over a larger area. Like Eero, it also lets you see who’s online at any point, schedule digital “timeouts” for your kids, and prevent them from surfing content that’s inappropriate. And you can guardrail which devices do and don’t have web access, too.
Hanson says that, like that old router and modem, the most neglected piece of tech in your home is often the printer—and that makes it vulnerable. She points to the fact that printers take pictures of everything they print, and that the smartest thing you can do to prevent a data leak of that information is to set your printer to auto-update its software rather than have it advise you that it needs updating, only for you to probably forget to do that manually.
Bergman says that even if you replace your router, and are then able to see what hardware is on your network, that may not be enough to prevent cyberattacks on the network itself, which is why he recommends getting another device: a smart firewall, which monitors all home network traffic, sniffing for suspicious activity. There are many brands of these, but one called RATtrap combines a lot of the ingredients of the best versions into one device. It analyzes traffic from and to your home network, but the analysis happens locally, not in the cloud, so if the manufacturer itself gets hacked, your personal information stays safe. There are also global parental controls that let you set limits on your kids’ web access. And because it monitors all the devices on your network, RATtrap also knows when your smart devices are acting like doorbells or vacuum cleaners—and when someone’s trying to hijack them for a scary botnet.