Managing smart device risk: A "how-to" for the average human.

A tweet went out today from an IT professional that sparked vigorous agreement and endorsement from people concerned about the security and privacy of smart devices, and a lot of strong disagreement from the security community:

I work in IT, which is the reason our house has:
 — mechanical locks
 — mechanical windows
 — routers using OpenWRT
 — no smart home crap
 — no Alexa/Google Assistant/…
 — no internet connected thermostats

It’s safe to say I’m in the “strong disagreement” camp, for reasons I’ll explain at the end of the post… Let’s do the helpful stuff first.

Now I’m scared… What should I do?

I’m going to provide a practical, ubiquitous, and risk/benefit focussed version of the advice in the tweet, aimed at the average Internet citizen who wants to take advantage of these technologies, while understanding how they can minimize the risks that come with their use.

Ready? Here goes:

IOT (Locks/windows/thermostat/smart-home)

  • DO buy from a vendor with strong brand-accountability
  • DON’T buy the cheapest knock-off you can find: These are far more likely to ship with major privacy and security flaws, and to go without maintenance after they are sold.
  • DO look for visible signs of a proactive security program. The presence of a /security page is a good start, as is the presence of a vulnerability disclosure or bug bounty program. These aren’t a silver bullet, but do show that someone at the company is trying to improve security which, unfortunately, isn’t a given these days.
  • DO ask the person you buy it from it software updates are automatic: Most of the time they are, but it’s better to check.

Router

  • DO take the same advice as you did for IOT.
  • DO use a product from a team which has more than 4hrs/week to work on the security and stability of the product…
  • DON’T confuse “open-source” with “secure”- More often than not the opposite is true.
  • DO double-check if automatic updates are configured for the device after you install it — This is the “castle’s gate” for your home network and deserves extra-special attention.

VUI assistants (Alexa/Google Home/other)

  • Same as above
  • DO consider that the device you’re reading this on has microphones in it too and that you have no idea what those microphones are doing right now.
  • DON’T ignore how that makes you feel, and channel that energy into clicking the “Install Update Now” button that you’ve been putting off for a few weeks. While you’re there, set updates to install automatically.
  • DO consider that reputable VUI’s look after security updates automatically, and receive a great deal of scrutiny from the security research and legal community to confirm that they are as private as claimed.
  • DO consider all of the other things that have “stuff that might spy on you” in them, and see if they need updates installed too (cellphones, TVs, your car, etc…)

A quick note on risk/benefit modelling…

The thing that ground my gears about the tweet wasn’t the expression of concern around security and privacy: If anything, I believe people should be more mindful and concerned about this type of thing. My issue was the “security theatre” nature of the advice — The tweet first established a tone of authority, then recommended a bunch of stuff that’s not, even for a moment, going to improve the risk situation for 99.999999% of people.

(Caveat: I have no idea of the author’s threat model, and this isn’t an attack on their own risk/benefit decisions — The problem is that the advice was presented as universally true and credible because of the author’s career, despite being extremely narrow, and objectively poor.)

Security theatre is dangerous because it tricks you into thinking that you’ve made yourself safe — when in reality you haven’t made much of a difference at all.

What do I mean? Let me give you some examples:

  • The average residential lock on a window or door can be bypassed by the average person with an hour on Youtube, a few hours of practice, and $10 worth of tools that you could order on Amazon and have in-hand tomorrow morning. If you don’t have that kind of time, bricks are a time-tested and Novice-friendly alternative.
  • (ps… That’s assuming the door/window was locked in the first place…)
  • (pps… Are all your doors and windows locked right now?)
  • (ppps… Isn’t making it easy to assure that your windows and doors are locked a huge part of the point of smart-locking devices? You see where I’m going here.)
  • To date and for the foreseeable future, bad guys aren’t going to care about harming you through your thermostat. If you live in an extreme climate the potential impact makes this riskier for you, but still so unlikely to be targeted that selecting a good vendor and keeping things up-to-date will be enough for you to “outrun the other guy” if we see the bad guys targeting these things in the future.

Right on cue, there has been a flurry of connected device attacks including this rather horrible story about manipulation of cameras and thermostats. I stand behind my recommendation on how to choose a more secure product, but stay tuned for Part Two on what the average human can do to avoid making a good product less secure.

  • On the security of voice assistants: You have at least three devices around you right now that could listen to or take images of you, including the webcam you’re probably staring into right now. Are you more concerned about a device that’s designed for you to speak to it than the ones that have had the ability to listen to you for the last 10 years? Is that rational? If you haven’t needed to factor this into your home security before, you don’t need to suddenly apply hysteria to it now.

I’ll leave it there… I’m getting ranty, and that wasn’t the point of the post.

Sorry!

I do want to finish this by apologizing on behalf of the cybersecurity community for confusing you…

We love breaking things and we love hypotheticals — They’re like a choose your own adventure novel of us. The newer or the more novel a piece of technology is, the more fun it is for us to mess with, the bigger the bang when we break it, and the more you’ll likely hear about it.

The important thing for you to remember is that when we do that, we’re actually talking to the vendors who make these products, not you fine folks.

We do it to provide a “breaker’s eye view” and help them design security and privacy in early, fix issues quickly when they arise, and use those learnings to avoid repeating them in the future.

We want to educate you as well as the lay-user of these amazing innovations, but it’s to help you make practical risk/benefit decisions like the ones I’ve laid out above — Not to terrify you into a state of paralysis.

We’ll work on that.