How The Internet Of Things Is Making Our Homes Smarter (And Easier to Hack)
Wednesday, September 11, 2013
First it came to our computers. Then it was on our phones. Fast forward to the present, and the Internet seems to be everywhere, connecting everything to everything else.
Aired 9/11/13 on KPBS News.
These days, the Internet seems to be everywhere, connecting everything to everything else. That can make our daily routines a lot easier, but sometimes, it can also make it easier for hackers to invade our privacy.
As more and more of our stuff gets tied into the web, our daily routines are getting easier. However, all this interconnectedness can also make it easier for hackers to invade our privacy, control our devices and even get inside our homes.
We've dreamed of being able to remote-control all the stuff in our homes for awhile now. Remember The Clapper? It was a plug-in sound detector that promised users the luxury of being able to, "Turn on a light as you enter the room!" or "Turn off the TV without getting up!"
The Clapper never fully caught on, though it got a lot of applause.
But in the past few years, the dream it embodied has quickly become a reality. Now that almost anything can be connected to the Internet, savvy homeowners can set up their lights, air conditioning and sundry other appliances to be controlled remotely and centrally, often right on their smartphones.
"I'm a geek. I like playing with things," said IT professional Joel Griffin Dodd. He's about to move his family of three to a new house in El Cajon and he's planning to outfit their home with all kinds of smart technology. He's doing it for fun, but also to save money.
"If I can reduce our home energy bills and make things a bit more convenient, then great, let's give it a go," Dodd said, envisioning a home that's intuitive, more user-friendly and smarter.
The trouble is, smarter doesn't always mean safer.
"More things are coming online, but people are understanding less and less about the technology behind these devices," said John Matherly, a San Diego programmer well aware of just how unsafe this emerging "Internet of Things" can be.
While studying at Mesa College and later at UC San Diego, Matherly spent his free time building a search engine called Shodan. It's not your typical Google copycat. Google searches through all the websites on the Internet to find the information you're looking for, but the Internet isn't just a collection of websites. It's also a collection of things.
These days, that includes things like thermostats, refrigerators, light bulbs, garage doors, sprinklers, front door locks, baby monitors, traffic lights, fancy Japanese toilets, construction vehicles, glucose meters, TVs.
"Almost everything nowadays that you have in your house" can be connected to the Internet, says Matherly. "Except for furniture."
That's what Shodan searches for: physical stuff. If it's connected to the Internet, Shodan finds it, and it finds out how secure those things are.
Shodan users have found some pretty shocking things. Perhaps the most alarming discovery was the operating system for an entire hydroelectric plant in France. If that had fallen into the wrong hands, it could've been manipulated to crash the local power grid or flood a small town.
"Shodan has been called the scariest search engine on the Internet," Matherly said with a hint of pride. "And I can understand why they think that."
Lucky for us, Shodan is overseen by a good guy. Matherly uses it to warn people about insecure devices, not to exploit them, but when Matherly took me on a spin through Shodan, I must admit I was a little freaked out.
"Let's say you want to find some home automation devices," he proposed, pulling up Shodan and typing "Insteon" into the search bar.
I ask Matherly what Insteon does.
"Everything in your house, you can connect to the Insteon Hub," he explains. "And the Insteon Hub lets you manage all of them."
It's basically the command and control center of a house. And Matherly just located one in Oceanside, completely unprotected and publicly accessible on the Internet. He clicks on it, never asked to enter a username or password. Then, we see a screen full of buttons with labels like "lights" and "garage door."
"Here you have sprinklers—back, side, front," he said. "You could turn them on and off."
Wait. You mean you could?
"This is a live house," Matherly said, anticipating my question.
I go ahead and ask anyway. "Like, if you clicked 'on' right now, their back sprinklers would turn on?"
"Yes," Matherly confirmed. "It's completely nuts. I never in my wildest dreams imagined that when I created Shodan, I'd find people's houses on the Internet. And you can control things."
So what does Matherly think should be done to keep homes like this secure?
"Insteon probably should do a better job communicating to the end users that, 'Yes, this is cool, but make sure you do it in a safe way.'"
But Joe Dada, CEO of Insteon, said, "We typically don't force our users to any level of security."
Dada says it's mostly the older Insteon products that have security issues. Newer Hubs require a username and password.
Either way, he said it's the customer's responsibility to keep their own homes safe.
"You know, the Internet is a dangerous thing," Dada said. He uses Insteon in his own homes. He even remotely turned the air conditioning on before heading out to meet me at his Newport Beach home.
"We all need to be careful, whether it's what we're doing on our time off and putting on Facebook, or if it's the password to your WiFi network," he said.
One reason manufacturers often don't make their products as secure as possible is because people like Joel Griffin Dodd, the home automation enthusiast in El Cajon, don't ask for it. He said he's tech-literate enough to know how to keep his home safe. Security just isn't a huge selling point for him.
"It really isn't something that I lie awake at night worrying about," Dodd said. "There's always a risk, and hackers are definitely the risk du jour."
Dada said that if consumers start demanding better security, Insteon would happily give it to them.