managing smart-device risk - a how-to for the average human.

A tweet went out today from an IT professional that sparked vigorous agreement and endorsement from people concerned about the security and privacy of smart devices, and a lot of strong disagreement from the security community:

I work in IT, which is the reason our house has:
 — mechanical locks
 — mechanical windows
 — routers using OpenWRT
 — no smart home crap
 — no Alexa/Google Assistant/…
 — no internet connected thermostats

It’s safe to say I’m in the “strong disagreement” camp, for reasons I’ll explain at the end of the post… Let’s do the helpful stuff first.

Now I’m scared… What should I do?

I’m going to provide a practical, ubiquitous, and risk/benefit focussed version of the advice in the tweet, aimed at the average Internet citizen who wants to take advantage of these technologies while understanding how to minimize the risks that come with their use.

Ready? Here goes:

IOT (Locks/windows/thermostat/smart-home)


VUI assistants (Alexa/Google Home/other)

A quick note on risk/benefit modelling…

The thing that ground my gears about the tweet wasn’t the expression of concern around security and privacy: If anything, I believe people should be more mindful and concerned about this type of thing. My issue was the “security theatre” nature of the advice — The tweet first established a tone of authority, then recommended a bunch of stuff that’s not, even for a moment, going to improve the risk situation for 99.999999% of people.

(Caveat: I have no idea of the author’s threat model, and this isn’t an attack on their own risk/benefit decisions — The problem is that the advice was presented as universally true and credible because of the author’s career, despite being extremely narrow, and objectively poor.)

Security theatre is dangerous because it tricks you into thinking that you’ve made yourself safe — when in reality you haven’t made much of a difference at all.

What do I mean? Let me give you some examples:

Right on cue, there has been a flurry of connected device attacks including this rather horrible story about manipulation of cameras and thermostats. I stand behind my recommendation on how to choose a more secure product, but stay tuned for Part Two on what the average human can do to avoid making a good product less secure.

I’ll leave it there… I’m getting ranty, and that wasn’t the point of the post.

I do want to finish this by apologizing on behalf of the cybersecurity community for confusing you…

We love breaking things and we love hypotheticals — They’re like a choose-your-own-adventure novel for us. The newer or more novel a piece of technology is, the more fun it is for us to mess with, the bigger the bang when we break it, and the more you’ll likely hear about it.

The important thing for you to remember is that when we do that, we’re actually talking to the vendors who make these products, not you fine folks.

We do it to provide a “breaker’s eye view” and help them design security and privacy in early, fix issues quickly when they arise, and use those learnings to avoid repeating them in the future.

We want to educate you as well as the lay-user of these amazing innovations, but it’s to help you make practical risk/benefit decisions like the ones I’ve laid out above — Not to terrify you into a state of paralysis.

We’ll work on that.

Casey John Ellis

founder of Bugcrowd, keynote speaker, security strategist
