How to make sure your smart wifi thermostat won’t get hacked.
Smart thermostat security is one of the questions asked on the latest Pew Consumer Survey about smart devices. Most people are worried that their information is going to be stolen or that these devices are not advanced enough to be trusted.
Security companies have tried to hack into the brands reviewed on this site for years. Their conclusion is that the only way to hack into these devices without a password is by being inside your house and opening the device to reset it.
Make sure you set a password when you first install the device. I know it sounds very simple, but there are a lot of smart devices connected to the internet at this moment without a new password. The only way to hack into devices is by knowing your password. If you change your factory-set password you are fine.
If you like to take extra precaution, you can use a VPN (virtual private network) to connect to the internet. This will ensure that your information is protected. It’s very easy to set up and it will protect everything on your home network.
You can monitor your router as well. You can install a third-party program or access your router to get reports. Nowadays most routers have apps to check traffic logs. You can even set up email notifications.
You can use Shodan. What is Shodan? “Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are meta-data the server sends back to the client”. You can discover which of your devices are connected to the Internet, where they are located and who is using them. I checked if any of the thermostats reviewed on this site are listed and the list came up empty. You can go ahead and do a search for your thermostat as well. There was not a single thermostat with open access by Nest, Ecobee, Emerson or Honeywell on the list when I did the search on 11/1/2016.
Smart Thermostat Security Paranoia
“I don’t trust wifi devices because of security and privacy concerns. I will never buy one.”
This sentence reads like what you’d overhear 10 years ago when people were skeptical about smartphones. Or what you still hear when you meet an exceptional Luddite.
Why do I need an IoT (Internet of Things) fridge? What a stupid thought. You don’t look at an appliance and then try to invent a use-case for automation. You look at problems that you have that you think could be solved by automation. If you have a cat that pisses on your plant, you can get an IoT scarecrow to growl at the cat when it’s too close to it. If you’re cooking and your fingers are oily, you might want to shout for voice control to start your favorite song, to convert from Fahrenheit to Celsius or to set a timer. Or maybe you’re someone who forgets his keys, so you install an electric strike that reacts to your phone (yes, NFC has encryption. That’s why people use Apple Pay), or your NFC ring or passcode.
Security paranoia. Your front door jamb uses screws which are so short that you can break off the hinges in less than a minute. Your lock is so simple, it can be picked in less than a minute. Or you just break the lock, no skill required for that. Security isn’t sexy. People complain about it even though they went for the cheapest option, which happens to be insecure unless paid attention to (like using long screws or setting a password).
These misconceptions stem from an often complete unfamiliarity with the stuff.
Smart devices are very dumb
Most IoT or smart devices are very dumb actually and rely on hubs. Hubs can be secured.
Only very few actually communicate with internet servers directly. Most could be kept on a separate network.
Internet access can and should go through a firewall.
There is a plethora of APIs and protocols. You have complete access to your own devices but you will still need to put a lot of effort in for everything to run smoothly. Imagine someone trying that without complete access.
Creating your own devices is remarkably easy. Exploiting a device that is only known to the creator is not. The least secure area of IoT, the interface between your home and the Internet, is the easiest to custom make.
If you don’t want anything to do with clouds or online services, then you don’t have to. It can all be handled by your own machine that runs open source code.
You wouldn’t expect your grandfather to have secure passwords and browsers free of toolbars. It takes effort and experience to make technology secure. The same goes for IoT.
But I think only a few would (currently) be tech-savvy enough to manage the kind of security methods I am describing. Most users would always get plug-and-play devices without any understanding of the exact security measures in place, nor the possible consequences of a “breach”.
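The router monitoring suggested earlier and the separate-network and firewall points above can be checked against each other. The following is an added example, not part of the original article: Python code that audits router log lines for new connections that break a "devices may call out, nothing calls in" policy. The two network ranges, the interface names and the log lines are constructed assumptions, written in the key=value style of Linux netfilter LOG output.

```python
import ipaddress
import re

# Assumed addressing (not from the article): smart devices and trusted PCs on separate networks.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the key=value style of Linux netfilter LOG output.
SAMPLE_LOG = """\
Nov  1 10:02:11 router kernel: IN=br-iot OUT=eth0 SRC=192.168.20.15 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Nov  1 10:02:11 router kernel: IN=eth0 OUT=br-iot SRC=198.51.100.7 DST=192.168.20.15 LEN=60 PROTO=TCP SPT=443 DPT=40112 ACK SYN
Nov  1 10:07:43 router kernel: IN=eth0 OUT=br-iot SRC=203.0.113.50 DST=192.168.20.15 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
Nov  1 10:09:02 router kernel: IN=br-iot OUT=br-lan SRC=192.168.20.15 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40200 DPT=445 SYN
Nov  1 10:09:30 router kernel: this line is not a packet record
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return a dict for a TCP packet record, or None if the line is not one."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DST" not in fields:
        return None
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        dport = int(fields.get("DPT", ""))
    except ValueError:
        return None  # malformed address or port: skip rather than crash
    flags = set(line.split())  # TCP flags appear as bare tokens (SYN, ACK, ...)
    return {"src": src, "dst": dst, "dport": dport,
            "new": "SYN" in flags and "ACK" not in flags}

def classify(rec):
    """Name the policy violation for a new connection, or None if it is allowed."""
    if not rec["new"]:
        return None  # reply traffic belonging to a connection the device opened
    if rec["dst"] in IOT_NET and rec["src"] not in IOT_NET and rec["src"] not in LAN_NET:
        return "inbound-from-internet"
    if rec["src"] in IOT_NET and rec["dst"] in LAN_NET:
        return "device-reaching-trusted-lan"
    return None  # a device calling out to the internet is expected

def audit(log_text):
    """Return (violation, src, dst, dport) for every flagged log line."""
    records = filter(None, map(parse_line, log_text.splitlines()))
    return [(classify(r), str(r["src"]), str(r["dst"]), r["dport"])
            for r in records if classify(r)]
```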
Why do smart devices need an internet connection?
You might think none of these simplified examples really are IoT related; most of that can be done perfectly well without a constantly active Internet connection.
That is the crux, right? Personally, I don’t ever use the term IoT because it leads one to think that the internet is an integral interface for these solutions. If we think of these solutions in terms of automation and smart devices, we can see how the internet rarely becomes involved. It doesn’t really make sense to call each and every device in home automation an IoT device but because the technology is so new, everything gets thrown together.
Now, to be more concrete with the examples I’ve mentioned.
Unlocking the door via non-internet methods. Just sensing and identifying me. No problem but of course I could also unlock the door remotely over the internet if I wanted. Maybe I’m at work and my girlfriend locked herself out naked without any ring, phone, key. I could then just send an unlock command to my door. That also opens up a security issue but that just means we need to pay special attention to it.
My cat scarecrow toy. I would get notified when I am at work that my cat has been attempting to piss on my plant. I might then be inclined to check on my IP camera. Or if there’s a camera in the first place, maybe I get a short video to have something to post or giggle over.
Voice command at home in my kitchen. That can inherently be an IoT device because the voice command processing would happen at Amazon’s or Google’s servers. The Amazon Echo would be an IoT device. Not necessarily though of course because offline voice recognition is really good. You just don’t have the intelligent Amazon/Google engineering behind it to use more flexible commands. It would then be a list of predefined commands with some parameters. Microsoft’s speech recognition is actually really advanced. If you really wanna dig into it, you can get a lot out of offline voice commands.
Here I’ve been justifying why an internet connection could be helpful but objections are very valid. The problems didn’t scream for an internet solution, and I am rather artificially creating the need for the internet solution.
There are scenarios in which the internet becomes important for the solution. Anything that has something to do with geofencing, for example. Geofencing is when you define certain areas or, specifically, radiuses around your home. Certain tasks can then be executed when you cross a certain geofence because it supposedly means you are coming home, for example. Your phone checks whether you are on your way home and, 5 minutes before arrival, sends the command to turn on the AC in your living room. Same thing when you leave the house: it turns it off for you.
Then there are the devices which are capable of sensing certain environmental conditions or the devices which change the environment. Let’s say a motion-detecting device and a light bulb. Both of these devices were made smart by me (my preferred term over IoT). By that, I mean that they were integrated into the home automation system. The motion detector in the bathroom will not be connected to the light bulb but to the home automation hub. The hub will be programmed by me to take the information from the motion sensor. The light bulb in the bathroom is connected to the hub as well. I program the hub to turn on the light bulb when motion is detected.
Why is that a smart device in the first place and not just a ‘dumb’ motion detecting light bulb that I could buy as is? If I just programmed it to act like that ‘dumb’ device which I could buy and plug in, I gain nothing. But I have all the flexibility to make it as smart as my creativity allows. If it senses my motion, and the bedroom light was off, that should tell the system that I was just sleeping and thus turn on the light dimmed or even only with a red hue to not wake me up too much. Or it senses that I turned on the light in the bedroom, maybe knows that I am working, just give me the whole brightness. Or it knows that a movie is playing in the bedroom, so maybe keep the light off completely and not disturb my girlfriend’s watching experience.
Why would that be an IoT device nevertheless? Because inherently, all home automation smart devices can be. The home automation hub has access to the internet and allows me to interact with these devices through the hub over the internet. It is trivial to just check up on connected devices. I can connect to the hub, and check the log for the motion detector or see whether the light is on or not. It’s not an IoT device because it needs the internet connection but because it is already part of the home automation setup and the home automation hub allows me control and surveillance of all the devices over the internet, by default.
Why bother? Because making devices and appliances ‘smart’ is cheap and easy, and most of all…it’s fun. It’s $3 for a wi-fi chip on a small board that can easily be fitted with every sensor you can imagine or modified to control appliances. The chip itself retails for around $1.50. It’s very easy to see why cost won’t remain a factor. Off-the-shelf smart devices are shockingly expensive. How much is it? $60 for four light bulbs by Philips? Anyone who is a tinkerer with regards to electronics can do it very cheaply, though. The cost doesn’t lie in the electronics, the manufacturers are just charging a premium.
A lot of devices don’t necessarily need to be “internet connected” for smart functionality, but adding this connection is or will be a cheap and efficient way to make them more programmable/versatile compared to pre-built and locked devices.
I guess most of the confusion I see comes from the fact that IoT is being promoted as a new and unique thing by a lot of manufacturers for marketing purposes.
However, it’s more of a continuation of what tech devices have been growing towards for a long time. Basically, the $25 Wireless Printer a lot of us have at home already is an IoT device, newly produced cars often come with remote applications (like your front door unlocking example) and even our smartphones are basically an IoT device/hub in one with all the apps that offer a connection between different platforms.
Very good article, thanks for sharing.
I enjoyed reading your article especially the comparison of the short screws in the door lock jamb. Are you able to direct me to the type of settings on my router where I can at least block Ecobee’s access to my Ecobee 3 smart thermostat? I just installed one and in checking the firmware # realized it wasn’t current. I assumed it might update itself (still not sure it won’t) but in a comment email to Ecobee they responded that they had signaled my thermostat to update its firmware.
Of course, it wouldn’t be an Ecobee hacking my home network and attached devices, it would be an unscrupulous employee or ex-employee… you get the picture.
Is there any way to protect against this? I don’t mind Ecobee thermostat reaching out to the network… I just don’t want anything coming back in.