Smart home security: your questions answered

If you’re worried about security and data privacy in your smart home, believe me, you’re not alone. “Considering that two-thirds of consumers agree it is impossible to keep data completely secure, it’s no surprise that 55 percent are ‘very concerned’  — rating 6-7 on a 7-point scale — about personal data security,” says Chris White, research director at Parks Associates, a consumer technology research firm. 

Concern is not unwarranted, given that data breaches make the news headlines regularly. Some of those news stories are closer to home than others. Take, for example, the recent Amazon Ring settlement with the FTC for $5.8 million for alleged privacy and security violations.

“The FTC complaint makes it clear that this practice ceased after Amazon acquired Ring,” says Cobun Zweifel-Keegan, managing director, DC, of the International Association of Privacy Professionals (IAPP), a not-for-profit global information privacy community and resource. “Other companies are hopefully closely watching this FTC enforcement and ensuring that their internal access controls ensure unauthorized access to video data does not happen.” 

Amazon was hit with another $25 million in penalties for Alexa violations of the Children’s Online Privacy Protection Act Rule (COPPA Rule). “Last week’s FTC action against Amazon’s Alexa service alleged that the company was using some of these audio recordings and transcripts to help improve its speech recognition capabilities. The fact that children’s voices could be captured and might be used for training models [algorithms] even after the audio files were deleted was a problem for the FTC,” says Zweifel-Keegan.  

That’s likely an issue with many parents as well. 

Taking steps to ensure your personal data remains private and secure is always prudent. However, going overboard won’t accomplish the goal. It’s important to know which devices and circumstances pose a potential threat and which likely don’t. That way, you’ll know what to do to protect your data.

To help you sort out the risks, here are solid answers to a few common concerns about smart home privacy and security.

Is my smart speaker listening to me? Why, yes, it is. But it is only “always listening” for when you say its wake word. That’s when it will start to record and then analyze your words. “While it’s a common belief that smart home devices are always monitoring you, that’s not entirely accurate. They typically only record or listen when you use a specific wake word or command,” says Doug Roberson, COO at Allterco, which offers a smart home automation product line called Shelly. 

“However, it’s crucial to remember that smart assistants are essentially voice-operated search engines, and these services often generate revenue through advertising. You can enhance your privacy by choosing an unusual wake word, if possible, [to prevent unwanted accidental recordings] and by regularly deleting stored data from your account,” Roberson adds. 

Whether a company uses its smart assistant for advertising depends on which you’re using. Apple is one of the only companies that has stated categorically that it doesn’t use its assistant (Siri) to build a marketing profile. 

And if you’re concerned, there are steps you can take. You can mute Alexa and Google speakers so that they are blocked from listening in. You can also turn devices off and / or delete recordings so they are not stored indefinitely. Apple provides instructions on how to delete recordings here, Google provides them here, and Amazon here. 

Finally, be aware that keeping smart speakers out of your home doesn’t ensure that nothing is listening in. For one thing, your smartphone — and your entire family’s phones plus any visitors’ smartphones — are potentially listening for wake words as well (although phone companies spend a lot of resources making sure their phones and phone OSes are secure). Ditto for devices with speakers and microphones embedded in household gadgets, such as those tucked inside an Ecobee thermostat, a smart fridge, smart TVs, or a voice-activated TV remote. 

Does my smart home know everything about me? Smart home devices need access to some personal data in order to provide you with the best service so that the information they provide is both relevant and tailored to your personal preferences and circumstances, such as your location for weather reports. But giving wide access to your personal data feels risky. 

“Commercial smart home systems rely on a wide range of sensors to collect data about the environment, some of which may be personal data or could be used to infer personal data,” says IAPP’s Zweifel-Keegan. “Microphones and cameras are widely understood, but consumers may not recognize ultrasound sensors or spatial mapping systems that may be incorporated into smart speakers and virtual reality headsets, for example,” that could be used to collect or infer information, such as your location within your house.

Keeping an eye on what data is collected and how companies are collecting it, as well as how they use it and protect it after collection, is key to keeping your family’s information private. Most companies adhere to general privacy standards and consumer protection laws. But it’s prudent to be aware of each company’s data privacy policies.

Since we know that privacy policies can be, well, complex, you might want to copy a company’s data privacy policy and, even if you’ve already agreed to it, read it when you have time. You might try pasting it in a ChatGPT prompt to get a condensed version in plain, understandable language. For example, I took one company’s data privacy policy to ChatGPT and typed in the prompt bar that I wanted a condensed version of the policy in fourth-grade-level English. The result was enlightening. 

You can also check with your local government’s consumer protection agency to view complaints that may help you steer clear of companies with bad data practices. Often such an agency can help you resolve data privacy issues, too.

However, “privacy is only as good as the safeguards that we implement around it. More connected devices and ubiquitous sensors mean that there are more opportunities for privacy slips to happen,” says Zweifel-Keegan.

Can my smart lock be hacked? It’s true that nothing on this earth is unhackable. However, it is also true that no physical lock is unbreakable.

“Both smart locks and regular locks are ultimately vulnerable to a strong brute-force attack. If someone comes at your door with a police-style battering ram, there’s not a lot you can do to keep them out. Beyond that, traditional locks can be picked; smart locks [without keyways] can’t. That in itself makes smart locks safer,” says Rob Gabriele, home security expert at SafeHome.org, a provider of home security products.

The important thing to remember is that you want to make breaking into your home so difficult that it simply isn’t worth the effort. In the case of physical locks, physical attributes matter most. In the case of smart locks, buying from reliable vendors is an absolute must. Top-notch vendors stay abreast of security issues and update their products regularly to prevent attacks.

“While some examples of hacking smart locks have been shown, this is difficult compared to a lockpick who could likely open the door in minutes,” says Grayson Milbourne, security intelligence director at OpenText Cybersecurity. 

But if someone were to somehow get the password or key, “it’s easy to change the smart lock password, and it’s hard to replace a regular lock if the key becomes compromised,” says Milbourne. 

And if you’ve got a smart lock, you can check to see if you’ve left your door unlocked — which in itself is a huge security advantage. 

Can utility smart meters and other energy devices create privacy and security issues? Some smart devices collecting data from your home belong to utility companies — your gas, electric, and water meters collect your usage data by definition. Others belong to you but serve as an extension of energy services — many electricity companies offer rebates if you give them access to your smart thermostat, for example. Data collected from those can reveal more about your family than just the amount of energy used. For example, energy usage data can reveal when you’re home and when you’re away, when you have company and when you may be alone, and more.

Utility companies can use devices like smart thermostats to throttle your energy usage during times of peak demand. That access presents potential security issues. 

Contact your utility company and any service providers such as smart thermostat manufacturers to learn their data privacy and security policies as well as to gain insights on what additional steps you should take — and how much access you want your utility company to have to your thermostat.

Can someone access my security camera video footage? The most publicized smart home camera hacks have come from security company employees acting improperly to spy on customers or from outside hackers gaining access to your login information via phishing and other means. A camera company could also provide police and other law officials access to your footage without your permission or knowledge. The list goes on, but at issue is a basic lack of control over videos that can reveal quite a lot about your personal life.

The best way to prevent your smart home cameras, including security and nanny cams, from being hacked is to buy them from well-known vendors whom you trust will prioritize their reputation — hacked home security cameras are not a good look. Even then, double check the security measures they have in place. Avoid no-name brands.

Look for products that provide security updates. “One challenge with IoT devices is that not all are able to update their firmware. If a vulnerability is discovered, these devices become permanently at risk. Some devices auto-update while others require the users to check for updates,” says Milbourne.

Check for security updates on software your devices use, too. “Software security vulnerabilities are discovered at a faster rate than ever before. The world is adding more software in more places than ever before, so this trend will continue. To stay as secure as possible, prioritize keeping devices and software up to date,” Milbourne says. 

Do not buy products from a company that does not provide security updates or that does not enable two-factor authentication as an additional security feature. Be sure to look for products with end-to-end encryption, too, like those offered by Apple HomeKit Secure Video, Ring, and others. Most manufacturer apps will either auto-update device firmware or check for updates at regular intervals, but you should check the apps regularly to make sure you haven’t missed an update. 

Can my fridge kick off a DDoS attack — or attack me? It’s one thing to discover that you’re accidentally growing a  grotesque science project in your fridge. It’s quite another to find it infested with computer bots and joining legions of botnets to kick off a Distributed Denial-of-Service (DDoS) attack. A DDoS attack floods a server with internet traffic to block anyone else from accessing services available on that site. Typically, it shuts down a company’s online services or e-commerce website.

While your refrigerator taking part in an attack on a major company may sound like the plot of a bad science fiction movie, it has happened. In 2016, a massive DDoS attack against Dyn’s domain name services (DNS) servers broke the Internet. The hacker used malware called Mirai botnet to link together IoT devices like smart refrigerators to launch an attack. This attack was the first of its kind in both the target and the execution.

“Giving devices access to your trusted home network presents a number of ways for cybercriminals to make money. In particular, they can sell access to your network to pass sketchy traffic,” says field security researcher Kody Kinzie at Varonis, a cybersecurity company. “A subnet can limit the damage that can be caused if one device becomes compromised.”

A subnet is simply a separate network cutoff from your main home network and is commonly called a “guest network.” Subnets can be good supplements to your security protections to prevent attacking fridges and such, but they can also make your devices more difficult and complex to manage. 

A better course of action is to add strong passwords and two-factor authentication to your devices and your home network. Prioritize your security efforts to address the biggest vulnerabilities first. For example, it’s more useful and effective to keep your router firmware up to date and to secure your entire home network with two-factor authentication than it is to set a new password on your smart plugs. 

Be sure to drop any old devices from the network that you no longer have or use. Also, be careful about disposing of old devices. Most people know that they should erase their personal data, but it’s easy to overlook erasing your network’s password, too.

When all is said and done, let practical assessments rather than fears guide your smart home decisions. There is no such thing as being 100 percent secure. Your goal is to assemble enough obstacles to make attacking you not worth the effort.

“Yes, there have absolutely been exploits found in home IoT devices like door locks, and there will continue to be so,” says Chris Clymer, CISO of Inversion6, a cybersecurity risk management provider. “These often garner headlines, but you have to ask yourself which is easier and more likely: a hacker choosing to remotely hack my lock so that they can later come physically on-site and enter my house or a criminal choosing to simply break a window or pry open a side door?”