Last week in Las Vegas was the annual Black Hat USA cyber security conference. Apparently, this is the place where the nerds most concerned about online security geek out. Besides the usual sessions like (“A Scalable, Ensemble Approach For Building And Visualizing Deep Code-Sharing Networks over Millions of Malicious Binaries”–just writing that made my head explode), there was one particularly relevant session, “Smart Nest Thermostat: A Smart Spy In Your Home”… say what?! Click here to read more about it.
Apparently as part of this conference, several grad students from the University of Central Florida, Grant Hernandez, Orlando Arias, Daniel Buentello, and Yier Jin got up on stage and right there in front of the crowd they hacked into a Nest Thermostat… in 15 seconds!
From that point, they went to work, showing they can turn a home into a haunted house, taking note of when people are home and when they are not, sifting through home data to find things like credit card numbers, bumping up the thermostat to burn energy, etc. etc. Admittedly these guys cheated a little bit by physically plugging into the thermostat but, as we all know, it is only a small step for them to do it all remotely, particularly as the Nest sends data up into the cloud.
To a certain degree this is old news, almost exactly a year ago, Kashmir Hill, a journalist at Forbes.com wrote a story called, “When ‘Smart Homes’ Get Hacked: I Haunted A Complete Stranger’s House Via The Internet.”
You know the punch line: Kashmir (excellent name, excellent reporter) starts trolling the internet, finds people’s homes online (some devices actually post a home’s information online without the homeowner knowing about it) and then starts messing around. She then calls up these people (who she doesn’t know) and starts turning on and off their lights, plays with the thermostat, turns on the TV (if its connected to the home’s network), as they stand there, dumbfounded. One can call this little exercise a success: Not only did she creep out a bunch of complete strangers (who are ready to tear out anything that buzzes), she successfully showed how insecure your home might be because of these conveniences.
For us at BTW, this is an issue that we’ve grappled with. In April, we hosted a panel discussion on this very topic [link to our video], only we were coming at it from a slightly different perspective. Instead of talking about the security threats, we focused on the issues around consumer threats: your home generates a lot of data, data that is valuable to companies and advertisers. The question is, What will they do with this data and how will that affect you, for both good and bad? For example, when my Nest thermostat tells Google that I came in late from work, does one of their advertisers call me to see if I want a pizza? If Nest can tell I spend a lot of time in my basement, does it start sending me advertisements for a dehumidifier? And is this bad?
Putting both the issues of security and consumer targeting together begs the question of how I should feel about my Nest and my smart home. Candidly, I’m not quite sure.
Image source: KRWG
A smart home is going to be an incredible convenient place to live. It is a place which you can unlock remotely to let your mother-in-law in when she comes to town, a place where you can check if your kids are actually home when you want them to be, and a place that will always be at the right temperature. And we trade convenience for security and personal transparency all the time, whether it’s keeping the key to the back door under the mat, continuing to use Google despite being bombarded by ads, or using my super market loyalty card recognizing that now the world knows about my fondness for pig rinds and wine coolers. Am I creeped out by always getting junk mail that is just a wee-bit too personalized – “Hello Howard, May we interest you in our fine selection of pig rinds?” First off my name is Harold, not Howard, and second my pig rinds comment was a joke – not really. I just throw it out, and don’t think about how they know all they do.
In my mind, here’s the rub: I may leave the key under the mat, but I’m not leaving my front door open; I use Google, but I’m not volunteering too much information about myself online; I use my supermarket’s loyalty card but that’s because we get coupons. So if I have any philosophy about online privacy and transparency it goes something like this: if you want my information, you gotta show me some love. Either be super convenient like Google –that’s easy to use and better than everyone else–or give me some money for giving you my information. No coupons, the loyalty card gets trashed.
Also, when it comes to security, just give me some sense that you recognize that this is an issue and you’re staying on top of it. Nest, come-on. Those dudes hacked your system in 15 seconds–WTF! You just got $3.2 billion from Google! It should’ve at least taken them 30 seconds. All the other smart home companies: an enterprising journalist who isn’t an engineer hacked in to a bunch of strangers’ homes basically by messing around online. You don’t think this gives me pause about buying your stuff? Of course it does.
So in fact, I am on pause. I don’t have Nest thermostat; my home isn’t smart. We turn our lights on manually. Will it be a smart home one day? Almost certainly, but with each report I get like the ones above, that day becomes further and further away.