CyberSecurity: How Smart Are Smart Homes? Not That Smart

By James Stickland

After years of discussion, expectation and experimental products, it looks like the smart home is finally having its moment. It’s becoming increasingly commonplace to see things like connected fridges and smart thermostats in our friends’ houses, and Apple’s latest iOS reboot came with a connected home function, demonstrating the widespread adoption of these devices.

The “big guys” are also throwing their weight in this game in a major way: Amazon’s Echo and Google Home – those small, cylinder-shaped, monolithic-looking objects designed for your kitchen or living room – were hot items this past holiday season and at this year’s CES, bringing even more of our homes onto the IoT grid. Their appeal is self-explanatory: they bring the internet into your living room without a keyboard intermediary. It certainly isn’t laborious to type weather.com into your browser, or – even easier – to pull up the weather app on your phone; but it’s simpler still to just voice a question (“Alexa, what’s the weather?”) – especially if you’re already engaged in a task, like cooking dinner.

Consumers love this type of ease. Think about how we use our phones: it has been almost three years since Apple first introduced the Touch ID fingerprint scanner to its devices, and it has changed the way we interact with them. Now, a split-second touch not only lets us bypass our four-digit password, but also lets us access our mobile banking apps and even buy gold bars in Candy Crush. I’m certain we’ve all groaned before when the fingerprint scanner didn’t work and we were “forced” to type in our passcode.

Of course, these convenient and exciting devices are still new, and that means there are still bugs to work out. One of the biggest things that will need to be addressed in subsequent generations of these products is authentication and security: how can they verify who is giving the command – and if that person is authorized to do so?

Many connected home devices – Google Home and Amazon Echo in particular – come with top-notch voice recognition software that allows them to understand and act on a command. They can differentiate the voices of different people: they might not know who the speakers are, but they do know they are different. That is convenient; however, this lack of authentication could be a big problem for a device connected to an account: anyone can talk to a product and order something that will be billed to the associated account, without any specific checks and balances. Without protecting the data stream and ensuring that the person who commanded the AI (artificial intelligence) to do something is in fact the owner, bad things can and will happen. It’s only a matter of time before someone figures out how to feed these home appliances information remotely... something we’ll see in the headlines later this year?

The solution here has to be secure authentication to proceed with data-critical commands: unlocking doors, ordering a new book, etc. Consumers used to the convenience of swift interaction will loathe typing in or saying a password, which makes biometrics an ideal solution here. We’re all used to fingerprint scanning; but the already oral nature of these devices – and their existing voice sensors – makes voice biometrics an obvious application. And indeed, this is starting to happen: at 2016’s TechCrunch Disrupt NYC Hackathon, startup Sesame built an app that layers voice authentication onto certain Echo tasks.

However, voice is one of the less secure biometrics and, when used alone, creates a critical potential security risk – someone could record you and play it back to the device. Deploying facial recognition is better, but ideally such a system would use fingerprinting or a combination of biometrics, such as behavioral, face, and voice, to confirm your identity. This way, you can be sure that only you can access and control the system.

Ultimately, the flow of data between a biometric capture device (ideally your smartphone) and the AI needs to be protected. The right security framework will ensure encrypted and secure communication protocols, like 2-way (mutual) TLS or HTTP/2 over TLS, but also ensure that interacting with the system is easy and streamlined. The use of biometrics can increase the security of devices themselves significantly, but biometrics alone cannot stop all attacks. Deploying multi-factor biometric authentication that combines multiple identifiers – perhaps a spoken passphrase, the unique device identifier of your phone, and a biometric scan – could drastically improve security and ensure that an AI system continues to provide a convenience, rather than becoming a threat.
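As an added illustration (not code from this article or from any vendor), the sketch below shows one way a hub could gate data-critical commands behind a fresh, single-use approval from an enrolled phone, so that a replayed recording or a resent approval does nothing. `Hub`, `sign`, the intent names and the 30-second window are hypothetical; the biometric match is assumed to happen on the phone, and the channel is assumed to run over mutual TLS.

```python
import hashlib
import hmac
import secrets
import time

SENSITIVE = {"unlock_door", "place_order"}   # assumed "data-critical" intents
CHALLENGE_TTL = 30                            # seconds a challenge stays valid


class Hub:
    """Hypothetical assistant-side gate; all names here are illustrative."""

    def __init__(self, enrolled):
        self.enrolled = enrolled              # device_id -> key shared at pairing
        self.pending = {}                     # nonce -> (intent, expiry)

    def request(self, intent, now=None):
        """Voice command arrives: None means run it, otherwise a nonce to approve."""
        if intent not in SENSITIVE:
            return None
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (intent, now + CHALLENGE_TTL)
        return nonce

    def approve(self, nonce, device_id, tag, now=None):
        """Accept at most one approval per challenge, only from an enrolled phone."""
        now = time.time() if now is None else now
        intent, expiry = self.pending.pop(nonce, (None, 0))   # single use
        key = self.enrolled.get(device_id)
        if intent is None or key is None or now > expiry:
            return False
        return hmac.compare_digest(sign(key, nonce, intent, device_id), tag)


def sign(key, nonce, intent, device_id):
    """Tag the phone computes after a local biometric match (assumed to have passed)."""
    msg = "|".join((nonce, intent, device_id)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def demo():
    key = secrets.token_bytes(32)             # constructed sample key
    hub = Hub({"phone-1": key})
    nonce = hub.request("unlock_door")
    tag = sign(key, nonce, "unlock_door", "phone-1")
    first = hub.approve(nonce, "phone-1", tag)
    replay = hub.approve(nonce, "phone-1", tag)   # captured approval resent
    return hub.request("weather"), first, replay
```

Because the tag covers the nonce, the intent and the device identifier, an approval captured for one command cannot be reused for another command or presented from an unenrolled device.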

As our homes become smarter, we need to become smarter about protecting them – whether that be against sophisticated criminal hackers or unwitting four-year-olds.


About James Stickland

A seasoned executive in the financial technology space, James Stickland is tasked with driving business revenue and investment growth, as well as leading the company’s global go-to-market strategy for its flagship solution, VeridiumID.
