The Internet of Things (IoT) promises a revolution in how we live, connecting our homes to our smartphones and other mobile devices. Already, a variety of appliances and devices like refrigerators, washing machines, thermostats, security systems and even the insides of walls are embedded with sensors, enabling them to exchange data with each other and with us.
This data flows wirelessly over the internet to provide useful information, such as when an appliance is in urgent need of maintenance, or that someone has violated the home security system. Using just our smartphones, we can effectively run the home, turning the thermostat up before pulling into the garage, or switching on lights when we’re out of town.
Sensors and cameras embedded inside IoT-enabled devices can determine the kinds of groceries remaining in the fridge and pantry. If there’s no time to buy the provisions, the information can be transmitted to an application that can devise a variety of recipes that can be made from the existing foodstuffs. Homes will soon have two-way microphones inserted in lighting fixtures and connected to the IoT that can respond verbally with recipe recommendations, advising “lasagna” or “Sloppy Joe’s.”
Since high-net-worth families often are the early adopters of cutting-edge technologies, they’re likely to be the first beneficiaries of the extraordinary efficiencies promised by home automation. While this Jetsons-like future is wondrous to behold, it is not without personal risk. The chief downside is this: Every IoT-enabled device accumulates, transmits and stores data for access — and where there is data, there is the threat of data breaches.
Can Your Control Be Hacked?
To gain a deeper perspective of home automation risks, I contacted Steve Sanders, director of business development at IDT911, a top provider of identity theft management and data breach response services. Sanders pointed out a number of financial exposures created by home automation that I had not considered, such as the ability for a hacker to remotely control the security cameras at a house.
“If you have the ability to turn on and off the security cameras in the house using a mobile wireless device over the internet, a hacker that gains access into the system now has that ability as well,” Sanders said. “Everything can be reverse engineered in a way to make things do what they’re not intended to do.”
These “things,” in the IoT Age, are pretty much everything, with an estimated 6.4 billion connected devices around the world by the end of 2016, according to Gartner. By 2020, there will be an estimated 20.8 billion connected devices in use worldwide.
Embedded in these objects and devices are sensors that measure the ambient environment, reporting on air temperature, water pressure, humidity, chemical concentrations, vibration, oil pressure, corrosion, electrical and magnetic data, and the presence of microscopic fragments of metal or other materials. Manufacturers are utilizing the IoT in smart machines to improve production processes, remove bottlenecks, enhance product quality, improve safety and reduce labor costs.
This information also is a goldmine for all homeowners, wirelessly informing us when the furnace requires immediate maintenance, when a pipe is leaking a trickle of water behind the kitchen wall that could cause a mold situation, or when the sump pump is drawing more power than it should, a suggestion of imminent failure.
Is Your Password Still ‘1234’?
The drawback to many IoT devices is their vulnerability to cyber breaches. A 2015 study of connected home security systems by Hewlett Packard found that many contain vulnerabilities, including weaknesses associated with account harvesting and password security. The report noted, for instance, that all of the tested devices allowed simple passwords such as “1234,” and 90% lacked two-factor authentication.
I asked Sanders what he thought of the study’s findings. “The reason we are able to have all these IoT devices is because the technology behind them is super simple,” he said. “Security is often an afterthought. Manufacturers are focused on acquiring customers, rather than keeping them safe.”
Once an IoT device is breached, its connection to other devices opens near-clear vistas for a hacker. In July 2015, Wired magazine commissioned two “ethical” hackers to see if they could hack into a particular vehicle’s collision avoidance system. They succeeded, breaking into the vehicle’s entertainment software, which opened a pathway through the onboard computer to the steering and braking systems.
As more devices connect to the internet, the risks grow exponentially. “The IoT is all about having this cool tool to do cool things, as opposed to considering the potentially devastating risks it creates,” Sanders explained. “Of course, this is exactly what the bad actors are considering — how to make the device do what they want it to do.”
One such threat involves the aforementioned ambient listening and communicating device to help determine the evening’s dinner fare. “If some ‘thing’ in the house listens to someone when the person calls its ‘name,’ there is then the risk that someone can hack into the device and listen to the individual’s other conversations, using this information to blackmail the person or learn about business deals for corporate espionage purposes,” Sanders warned.
IDT911 endeavors to imagine such out-of-the-box risk scenarios to put in place risk mitigating factors before they come true. “One [scenario] we came up with recently involved the possibility of someone taking over and attacking a critical water main to flood the homes of hundreds if not thousands of people, and then shorting the stock of an insurance company serving the region to cash in,” Sanders said. “It sounds like the premise for a Hollywood thriller, but it is certainly feasible.”
Risk and Insurance
At present, there are no insurance policies that specifically protect against financial loss caused by an IoT device, although some traditional homeowners policies provide services to help policyholders address the issues created by identity theft. Nevertheless, the insurance industry is carefully studying the IoT’s wide range of cyber loss exposures to consider the development of new products and other solutions down the line.
In the meantime, the onus is on HNW homeowners and their advisors to evaluate the risks brought about by IoT devices. In this regard, both Sanders and I cannot overemphasize the importance of recruiting a third-party expert to ensure proper security standards, such as encryption and password protections. This should not be a “one and done” exercise, as the variety and sheer number of IoT devices are bound to increase.
As Sanders recommended, “Have the security consultant give your house and network the once-over each year for viruses, malware and other vulnerabilities, much like scheduling a regular health checkup.”