Smart home products are becoming more and more integrated into our daily lives, from voice assistants to smart speakers, doorbells and heating systems. Security, however, is not keeping up with technological progress, cyber-experts told the Digital, Culture, Media and Sport (DCMS) Committee in parliament this week, while manufacturers are not sufficiently warning consumers of the privacy risks associated with their products.
How many people use smart home devices?
In 2021 there were more than 258 million “smart homes” globally, Statista estimated. These are homes that have a central hub, such as an app, linked to at least two connectable consumer products. According to the UK government there could be up to 50 billion connectable products worldwide by 2030, and on average there are currently nine such devices in each UK household.
Why are connected devices at a higher risk of being hacked?
Smart home products have numerous benefits, including automating mundane and time-consuming tasks and helping people with limited mobility. The potential risks include privacy intrusions, data hacking and householders’ physical safety being compromised (for example, if someone were to hack smart locks). According to a Which? investigation a smart home could face more than 12,000 scanning or hacking attempts in a single week.
George Loukas, professor of cybersecurity at the University of Greenwich, told the committee that connected home devices are particularly vulnerable to hackers due to their large supply chains, alongside the fact that they are designed to be left on permanently, whereas a laptop will be switched off. He added that there are enough flaws that some of his students search for vulnerabilities in smart home systems and submit them to manufacturers for a monetary reward on a weekly basis.
The problem starts with the design of devices. cybersecurity and electronic engineering are separate disciplines, Loukas said, and are taught in different university departments, which means that skilled computer engineers often have little knowledge about keeping devices secure.
It’s also very easy to learn how to hack nowadays, said Simon Moore, director for strategic engagement at the cybersecurity company Palo Alto Networks. “Today, you could Google ‘how to hack a BT home hub’,” he said. “That’s out there.”
What laws are in place to regulate connected home devices?
The Product Security and Telecommunications Infrastructure Bill is making its way through parliament; it is intended to make connected devices more secure against cyberattacks, and better protect individuals’ privacy and security. It will also require the smart device supply chain – manufacturers, importers and distributors – to comply with security requirements, and it will enforce stricter rules around “insecure” products being available in the UK.
What more could the government be doing?
Loukas said that smart device manufacturers should be mandated to disclose any cyber-risks associated with their products, so that people can make more informed decisions. “It’s a matter of risk management, [and whether the] benefit is so significant to override any concerns,” he said. “If you are extremely stressed that someone might break into your house, then maybe when buying a smart lock, you should be alarmed about the likelihood of [it] failing.”
There should also be better advice on the safe disposal of old devices, he added. Businesses and consumers should be informed of when to stop using outdated equipment that can no longer support software updates, said Matt Lewis, research director at the IT security company NCC Group. The government could also introduce an official certification system for smart home products to ensure manufacturers meet security standards.
Teaching in schools about cybersecurity should be improved, added Loukas; he said that knowledge in this area lags behind social media safety. “From that perspective, education is far behind when it comes to ‘Internet of Things’ security,” he said.
The government could also support Internet service providers such as BT or Virgin Media to play a bigger role in helping customers, said Moore, because they are perfectly placed to monitor Internet traffic and spot whether a device has been compromised.
What can individuals do to protect themselves?
The experts gave three simple tips that anyone could follow to improve their cybersecurity: use a password protector, which stores multiple passwords; use multi-factor authentication for any device that allows it; and ensure you do regular software updates.