Are Home Devices Really Spying On Us?
By James I. Marasco | Managing Partner
With the holiday season over, many of you may have purchased or received a smart device. Almost seven out of ten of American households reported owning a smart product. A smart product/device for the purpose of this article is a device that can connect to the Internet using Wi-Fi or Bluetooth—such as a smart speaker, TV, doorbell, lock system, and even pet cameras/treat dispensers. Sales of smart devices increased by 25% in 2018 and are expected to have double-digit growth over the next 4 years. The growing popularity amongst consumers has also opened a door of opportunity for manufacturers and hackers to gain access to your personal lives.
Smart Device Capabilities
Years ago, baby monitors were found to be transmitting conversations through neighbors radio frequencies, causing quite a stir. This pales in comparison to the creation and evolution of smart devices which have grown rapidly in the past few years. Not only are there smart speakers and TVs, it seems like there is a smart device version of everything— a doorbell, refrigerator, light bulb, door lock, thermostat, and even a smart treat dispenser for your furry best friend. As easy as it is for the consumer to remotely unlock their door, turn up their thermostat or spy on their pet, manufacturers and hackers can gain the same opportunity.
The greatest threat you face with your smart devices is getting hacked. Because smart devices are typically installed somewhere in the home, they don’t face the same threat as a smartphone—being lost or stolen. However, if they’re hacked, the perpetrator can download the app that corresponds to the device and gain complete access to your private information. With some of these devices, that means the hacker will be able to unlock doors, access security cameras, control lights, and in some cases, even use the microphone to speak to you or your family. Imagine they gain control of your refrigerator and raise the temperature such that all your food spoils or they gain access to your home thermostat and turn it off while you are out of town and freeze your pipes.
In late 2019, over 3,000 Ring Doorbell users were urged to change their passwords and use two-factor authentication following reports that claimed Ring login information may have been exposed online. Gaining access to someone’s login information allows hackers to have the ability to view the live camera feed and recording, as well as personal information like phone numbers and addresses. Hackers are able to get this information through a method called “credential stuffing”—this is done by taking usernames and passwords from other data breaches to gain access to your account.
With the world being as digital as it is, almost everything we do requires a username and password. That being said, it would be nearly impossible to keep track of all of them if you made every one of them different. For convenience, many people choose to use the same username and password for a multitude of devices and/or websites. This is exactly what hackers are counting on. If a hacker gets a hold of your username and password for one of your smart devices, they may gain access to your other ones sharing similar login credentials.
Another threat is ransomware. This is a type of malware where a hacker locks your system and demands that a user pay a price to regain control of compromised devices. Municipalities all over the U.S. have fallen victim to this type of attack. For example, in 2018, Atlanta spent several million dollars recovering from a ransomware attack, while Albany, NY spent hundreds of thousands in 2019. Unfortunately, individuals are also falling victim to these type of attacks from hackers as well. As we allow more Internet-connected devices into our homes, our risk increases.
Every time a consumer pushes a request through a smart device either through an application or voice command, it is recorded in a server and pinged back to the device to execute the command. All of these commands are being recorded by the manufacturer or service provider. In the privacy settings, some allow you to disable certain features, but most default settings allow for the recording and retention of this data. For example, if you have a Google or Amazon smart hub, you can actually review archives of everything it has listened to or captured through your voice commands. Simply, go into your account, select the device and review. Hopefully, the information it captured was triggered by the “wake” command and not random listening!
Safeguarding Your Smart Devices
One of the best ways to safeguard your confidential information and privacy with your smart devices is to have different usernames and passwords for each of them, not just the smart ones. According to consumerreports.org, 52% of Internet users reuse or modify the same passwords—that makes it easy for hackers to gain access to your smart devices. Other vital precautions include:
- Set up a password manager – A password manager can generate very strong and random passwords for your accounts. Not only that, but it will store them securely and remember them for you. Many of these applications are even free to download!
- Enable automatic updates – By regularly updating your devices when a new software is available, you limit the ability for hackers to use a company’s known vulnerability as a hole to break in.
- Set up two-factor authentication – If the device allows for it, this extra layer of security allows the application to send you a one-time code via email, text message or even a phone call that you input with your username and password. With this feature, if someone attempts to gain access to your device’s account, they won’t be able to without the one-time code.
- Do your due diligence – Be sure to read the terms of service, review the features, and read the manual of the device. Since these documents are typically very long, you can try finding one online and searching for words such as “camera,” “microphone” and “privacy”. Since this information is being collected and retained by the manufacturers who sell you these products, buy from a trusted source and not the cheapest option available.
- Turn off device when not in use – If a device isn’t being used, turn it off. If a feature is not used, be sure to disable it in the settings. For example, if you are not using the camera function on your Smart TV, go into the settings and disable the function. If this is not available in the settings or you are still concerned about features like the camera, you can put a piece of black tape over the camera.
- Pay attention to where you place your smart hubs – Be mindful of where you place devices that are always on and waiting for a specific wake up call, like an Amazon Alexa or Google Home. They should not be placed close to first floor windows and entrances as someone could access them from outside your home.
A Balancing Act
It’s become so convenient to walk into a room and commend Google, Alexa or Siri to turn on the lights, request the weather or call for takeout. But keep in mind, you are giving up a ton of personal privacy by allowing that information to loosely regulated manufacturers. Furthermore, hackers are finding their way into these same devices raising the stakes considerably. At what point, have we gone to far?
About the author James I. Marasco: Jim is the Managing Partner at EFPR Group, LLP and one of the Founding Members of StoneBridge Business Partners, an affiliated consulting firm. He is a member of the firm’s Business Valuation, Litigation Support & Forensic Services Group and other nontraditional accounting services. Jim has been with EFPR Group for over 20 years and is a full-time management consultant traveling extensively throughout the country. He has helped safeguard some of the largest Fortune 1000 companies from fraud and abuse and has assisted in the identification and recovery of millions of dollars back to the affected parties. His experience is mainly concentrated in the healthcare distribution and franchise fields, where he has worked with over fifty of the top franchisors in the U.S. In addition, he has worked closely with the Catholic Church in the U.S. for the past five years assisting in their compliance efforts to ensure the safety of children within the church. Jim is also a court-recognized expert, lecturer and author on varying subjects of fraud and forensic auditing.