Technology & Science·CBC AT CES

For new smart-home gadgets, the spectre of insecurity looms

In recent months, hackers have bent armies of internet-connected cameras, routers, and similar devices to their will to launch crippling cyberattacks — putting the spotlight on makers of similar products at this year's CES.

At this year's CES in Vegas, some companies are keenly aware of recent threats facing products

Carrier unveiled a new line of internet-connected products for the home at CES 2017, the annual consumer electronics show in Las Vegas. (Matthew Braga/CBC News)

Amongst technology experts, it's often said that the internet of things is a security nightmare.

The term is commonly used to refer to the myriad connected devices that are increasingly making their way into in our homes — from Wi-Fi-capable dishwashers to vacuum cleaners, light bulbs and more. 

Within each product is basically a tiny, low-powered computer. But unlike a laptop or smartphone, many of these devices have been found to be notoriously insecure.

In the past few months alone, hackers infected thousands of vulnerable internet-connected cameras, routers and related devices, and used their combined power to launch crippling cyberattacks on popular internet websites.

Researchers, meanwhile, have found flaws in popular internet-connected light bulbs — bugs that have since been patched — and even suggested a well-crafted virus could spread from bulb to bulb.

The security of these devices, this is what's going to make the smart home happen or not.- Romain Paoli, head of product at Netatmo

And, of course, there is the ever-present fear that connected, smart-home devices — especially ones capable of recording audio, video, and other personal information — could be used to spy on their owners. (It certainly doesn't help that voice recordings from Amazon's personal assistant, Alexa, are being used in court as evidence for the first time.)

"The security of these devices, this is what's going to make the smart home happen or not," said Romain Paoli, head of product at Netatmo, a maker of connected home security cameras, thermostats and smoke alarms. "We're not happy to see competitors fail, because it hurts us too."

Addressing security issues

CBC News interviewed representatives for Netatmo and a handful of companies with connected smart-home devices earlier this week, at a preview event for the Consumer Electronics Show (CES 2017) in Las Vegas that officially opens today. All are keenly aware of recent threats facing their competitors' products and the industry at large.

Naturally, they all praised the security of their devices — and frankly, it would be weird if they didn't — but at the same time, admitted that no piece of technology can ever be completely secure.
A Samsung refrigerator with Family Hub 2.0 was among smart-home products on display before CES International opened Wednesday in Las Vegas. Family Hub 2.0 features an interface on the refrigerator with apps that can be controlled by voice recognition. (John Locher/Associated Press)

"We're trying to sell this thing to every homeowner in America," said Bryan E. Mitchell, a public relations manager for air conditioner company Carrier, which also has a new line of connected smart-home products. "So we have to go to the homeowner and say, 'Hey listen, we live in a vulnerable world, we're going to do all we can.'"

Carrier, alongside Netatmo, Moen and Somfy, say they've enlisted third-party companies to conduct regular audits of their hardware and software — something that security experts typically consider good practice. This means reviewing codes for bugs, and attempting to find vulnerabilities in devices much as an actual attacker would, in a process called penetration testing.

Each company also boasted of using end-to-end encryption to protect data travelling to and from their products, and the importance of having strong password requirements that are less likely to be easily cracked or guessed.

Mitchell went so far as to claim that Carrier relies on "the same folks that are testing our systems to make sure the fighter jets and space suit technology is safe." (Carrier is owned by United Technologies, a manufacturer of aircraft engines and aerospace equipment for military applications commercial aerospace, defence and building industries.)

Step in the right direction?

Moen, more commonly known for kitchen and bathroom fixtures, unveiled a connected shower system that can be controlled from a phone. Though some of the software and intellectual property was developed in house, the company turned to a third-party hardware company called Grid Connect to put it all together.

"This is Moen's first smart-home product, so we're not going to just jump in and do it ourselves with no experience. We want to make sure it's done well," said a spokesperson.

All of these efforts certainly sound like a step in the right direction for a product category that hasn't had the best security track record of late. But whether the industry as a whole is moving in this direction likely won't be obvious for quite some time. A thermostat or dishwasher isn't something that gets replaced often, and even with software updates, insecure products already in the market will undoubtedly remain in use for years.

At the same time, the sheer number of connected devices coming online means it may prove impossible to adequately secure them all.

And as with any technology claiming top-of-the line security practices, in the absence of an independent third party to verify such claims, you only have companies' word that they're telling the truth.

A good place to start: don't trust anyone that claims their products are 100 per cent secure.

"If they do," said Jean-Sébastien Prunet, marketing director for Somfy, which introduced a new home security camera, "it's a lie."

About the Author

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.