Skip to main content

Smart Homes and Policy: Cybersecurity Risks and Tradeoffs

As the prominence and adoption of smart home devices have accelerated in recent years, so too have the cybersecurity threats associated with them. Previous blogs in this series have explored the current state of the smart home industry and how standardization may alter the market. This blog will examine the future of cybersecurity for smart devices with consideration of the broader impact of proposed legislation.

Cybersecurity Risks with Smart Homes

Though new internet of things devices unlock new possibilities for utility and convenience, each new device also introduces a new opening for potential cybersecurity vulnerabilities and attacks. Recent years have seen numerous disturbing attacks on connected devices, illustrating the potential for harm that accompanies the technology, from baby monitor cameras being used to spy on families to smart thermometers being remotely set to dangerously high temperatures to Peloton bikes being maliciously accessed by a third party, a wide variety of devices have been and continue to be targeted. These attacks are often carried out through weaknesses in encryption protocols, improper storage of user data and credentials, failure to install security updates, or other vulnerabilities along any stage of the smart home stack.

Beyond gaining access to the most immediate data from the device itself, these attacks are dangerous because access to a singular poorly secured part of a smart home can provide malicious actors wider control and information about other devices on a network. As a 2019 report by Trend Micro detailed, access to a singular part of a smart home, like an automation server that governs the rules and interactions of other devices in the home, could be leveraged to set commands which automatically control other parts of a network. For example, smart door locks could be set to unlock automatically at a certain time of day, or smart speakers to bypass voice authentication security checks by other devices.

These attacks are particularly alarming because, in some cases, they may not require complex, technical exploits but rather leverage simple methods like easy-to-guess or repeated passwords. Because many users will use a single password across many or all their accounts across the internet, data breaches that reveal a user’s email and password combination for a single website can be used to gain access to many others. Another common weakness comes from smart devices, which frequently ship with a simple, singular default password many users fail to change, giving hackers even easier access.

Cybersecurity Tradeoffs & Current Legislation

Though technologies like two-factor authentication can help to prevent these breaches, some companies are hesitant to adopt requirements for such technologies because they make the log-in and user experience more cumbersome for users by increasing “friction.” Particularly for brands like Google’s Nest, which aim to expand access to smart devices by making them simple to use, they face a legitimate tradeoff between security and ease of access. As the second blog in this series discussed, the smart home market remains highly competitive, and development costs can incentivize a lack of robust back-end security measures. Similar incentives exist for consumer-facing measures in attempting to simplify the user experience and reduce “friction,” creating a threat of reduced security.

As the first blog in this series discussed, federal legislative action aimed at smart homes and the internet of things has been relatively limited, with the focus primarily placed on cybersecurity. Most prominently, the Internet of Things (IoT) Security Improvement Act of 2020 put in place baseline cybersecurity requirements for IoT manufacturers who contract with the federal government. Though the legislation itself does not mandate cybersecurity protocols for consumer smart devices, it aims to encourage the adoption of them in consumer devices through the process of contracting firms complying with the standards of the federal government. In May 2022, the National Institute of Standards and Technology (NIST) published their report and recommendations for cybersecurity labeling on packaging for smart home devices as directed by a 2021 executive order focused on improving cybersecurity from President Biden. These types of recommendations often indicate regulatory interest in an area and often preempt broader policy action, suggesting that these actions may be looming. Finally, several states, including California and Oregon, have specifically passed legislation targeting cybersecurity for internet of things devices. These bills share similar language, including provisions that require manufacturers of connected devices to ship devices with unique default passwords and mandate “reasonable security features” relevant to the type of device.

Conclusion

The rise of affordable, internet-connected smart devices has opened new doors for convenience and efficiency for users, but they have also provided new possibilities for malicious actors looking to access the value that smart devices generate. As this blog has discussed, weak links at any point along the chain of devices and systems involved in powering smart homes can create risks for attacks. These factors demonstrate the need for comprehensive, end-to-end cybersecurity measures and knowledge of everything from platforms and standards to user behavior. Policymakers should be wary of the confluence of the factors discussed above – perverse incentives for user-facing security, tradeoffs from development costs, and risky user behaviors – and consider their impacts on safety and security.

Share
Read Next

Support Research Like This

With your support, BPC can continue to fund important research like this by combining the best ideas from both parties to promote health, security, and opportunity for all Americans.

Donate Now
Tags