In the last article, we discussed Lighting and light automation products for the smart home. While there are many other things in that category we could discuss, I will leave my remarks and observations to the units that I have the most experience with and not yet delve out into other comfort and atmosphere products, and I will switch my attention now to security and the many aspects of security in the smart home.
For this tour of my thought process, I will not start at what I got first, or even what worked best for me, but instead, take you on a tour of the home from the outside in, and the first stop on that tour is smart locks for my doors.
I don’t have any. There are no web-enabled smart locking technologies that control access or entry to my home. Period. If you have read my other pieces, or know me at all, you have heard me say “Security should be Physical First” and I feel the same about my door locks. While I am aware of and have tested and even installed several different kinds of smart door locks, I have not been comfortable with them in my own home, protecting my own family. Because of this, I don’t, and will never recommend them to others, friends or clients, either. Security should be physical first. I have seen every type of smart lock fail to bar entry in some way physically. Let me explain. First and most importantly, web-enabled smart locks can be hacked. I know that sounds like something out of a sci-fi movie, but it is true, and most of the time, the “hack” isn’t even software related. It is simply a less scrupulous persons ability to leverage some feature or function of the well designed and well-intentioned lock. For example, the original smart locks required some form of Bluetooth or NFC connection to authenticate and open. By simply stealing, or replicating that authenticated signal, these devices where able to be subverted. This is basically the modern equivalent to driving down the street with a garage door opener, randomly pushing the button and noting which garage doors opened for you as you drove. Then as our technology got better, and spoofing the reader was less easy and more secure, criminals started just stealing your virtual key the way they would your other old physical key. You have a speedpass style activator that had an RF strip in it, they simply steal the whole dongle. Link it to a ring, they steel the ring, link to a watch, they take that instead. Criminals are often not the smartest people in the world, but they often are the most resourceful and when an entire company of programmers design a way to make the software safe, the criminal will instead attack the hardware. This is really no different than the problem of smart locks on the doors in every hotel in the world, and all of us learning that with a simple DIY USB key, everyone and anyone can just walk right past all that military-grade encryption and software. Millions of dollars in exceptional programming was thwarted by a USB stick, a simple firmware hack, and the use of the factory programming port built into every unit.
(for more information and to see that I am not wrong or crazy, look at this Forbes article from last January. [https://www.forbes.com/sites/leemathews/2017/01/30/hackers-lock-down-hotel-rooms-in-a-new-twist-on-ransom-attacks/])
Next, as we made these devices still more hardy, hardened them to physical intrusion and attack, we learned that other convenience features added to the lock opened up other, brilliant and simple ways to walk past it. For example, when the best smart lock manufacturers in the business started hearing for the demands for virtual assistants to access and operate the locks, they implemented those features into the products. Criminals quickly realized that with no preplanning, no key, no device, no attack really, they could simply yell outside the door “Alexa unlock my front door” loud enough for one of the smart assistants inside the house to hear and unlock the door for you. Upon realizing this, these companies and Amazon went back to the drawing board and changed it to require a pin. (”Alexa, unlock my door” can now be used to unlock August, Schlage, and Yale Assure smart locks. However, users of these locks will need to say a unique PIN before Alexa will unlock the door.) I pulled this from the ad copy page from the web of the company listed here as the most secure smart lock. Because this change was broadcast and advertised, the criminals looking to subvert this new added security measure merely drop a small voice recorder anywhere out of sight near the door and are quickly able to hear the owner recite that pin, thus again giving the criminal easy instant access to the location. (Again, Forbes had the best coverage of this at the time with their article [https://www.forbes.com/sites/aarontilley/2017/02/16/amazon-alexa-can-now-unlock-your-front-door/#8c8424775f1b])
Soon, most users of these devices find it easier just to punch numbers into a keypad, or put a key in the lock and turn, making all this technology, not only a new attack surface but also a waste of time and money. I am sure that at some time in the future, these companies will find a better, more efficient and more secure way to do this authentication, and when they do, I will be there to test it out as this is definitely something I am interested in having, but at this time, it doesn’t have my trust or support.
I, after seeing how people were using, (or not using) their smart lock, decided to forgo the added issues and expense and went with a simple Schlage lock with a basic electronic keypad. It has no real features and requires everyone to punch in a numerical code to gain access. I was able to set several PINs, one for my wife and I, one for all my kids, knowing that I would change it every so often, and one that is a burner to give to anyone outside the home that may need entry. Programming a new code is simple takes about two min, and that is all. When I feel like the kids have shared the PIN with too many people, I change it. If I have to give out the burner code to someone fixing my dryer, I take a few moments the next day and change it. No internet, no Alexa, no firmware, no data port, just a very simple lock that everyone can use with or without a key if they have a code. Also, because of little exploits like the one discussed here, I actually have NO always-on virtual assistants listening in my home. I use Siri on my watch and phone, and that is done by my own physical interaction, thus stopping any unauthorized use most of the time, but that is a discussion for a different article. So there you have it; in the category of Smart Locks, I use none. I instead rely on physical security.
Next, let’s talk about my security cameras. For these, I choose Ring. I have tested a lot of different web and IP cameras, I have installed them for others, and I have used them myself in the past. What it boils down to for me is that Ring is just the best, cheapest cost-per-use, with the most straightforward install and the best simple interface. I got interested in Ring back when they were a startup, and was surprised when Amazon bought them earlier this year. I was happy for the Ring team and for the product, but not thrilled for myself and my household by the purchase. I love my Ring kit. I have doorbells, floodlights and a porch light, all with motion sensing, all with the Ring video camera, all hooked to the Ring web service. It is simple, and it has never failed yet. Now that Ring is an Amazon company, I will be monitoring their EULA very carefully to see how much of my private data will be accessible to Amazon, but since all these units face outwards from my home, I am marginally more comfortable allowing them to remain.
For the record, I personally do NOT trust Amazon, Google, or Microsoft to be a benevolent actor in the IoT space, their past transgressions are proof enough to me that they will sell anything for a buck, and I will be very selective of how much of ME they can sell. However, I do need the security, and the remote doorbell is a brilliant addition to my home so as long as I can continue to limit how much and what data they glean from me, I will allow them to operate inside my safe space. On that note, I want to make clear that for the same reasons I that I don’t use the IoT door locks on my house, I also do not use any inward facing cameras, and I limit what recording devices my family use also. At the moment I allow Microsoft to operate 2 Kinect sensors inside my home, and my family uses Siri on our mobile devices. All our laptops have cameras and mics, but I also run wire shark on my network so that I can monitor outbound traffic and see if and when devices from inside my home are broadcasting without being personally queued. Also regarding the larger players in this space, like Google and Microsoft, at this point, they have been hasty to turn devices off and end support without options or even much notice, so again, no matter how good the Google Home and Nest Camera are, I will not spend a dime on them until Google starts to prove as a rule that it values the products it takes to market enough to not cancel or tank them on a whim. Until that time, I will limit the devices in this space that I allow, I will strictly control what they have access to, and I will tend to choose them from companies that I feel exhibit some amount of decorum and restraint in the intrusion of personal privacy areas.
The last two services that I feel are critical parts of IoT home security and surveillance, are the call in service for alerts and lighting for entry and access. Again, I spoke at length in part one about lighting options, but for entry/access lighting, where it is a part of security and not a comfort feature, I just trust the Ring to handle it. I have several of the Ring Floodlight Cams, and my porch lights are Ring Spotlight Cams. I have them set to come on with motion, and since I am in town and have a sidewalk several feet from my back door, I utilize the alert zone drawing feature which in a nutshell allowed me to open the app, and by drawing lines around the sidewalks in the photos, tell my lights/cams to ignore that area. Now people walking past don’t turn the light on, but as soon as they step up on my porch, the lights/cams instantly come to life. The cameras are watching all the time, and because of that, I never miss an alert event. As for the call out service, where my house is, it is not at all convenient to have the police summoned every time a neighbor stops to put a shovel back in my garage. Therefore I just rely on the mobile alerts feature in the ring app. If ever there is a need for police, I will just call them myself, from anywhere in the world. I am aware that this probably sounded like an ad for Ring, and man do I wish it was, I could use the extra cash. However, this is my own opinion. Amazon and Ring have not paid for this, not solicited this, and do not endorse this review. The thoughts and ideas presented to you here are solely my own and are based on my real personal experience using products both in my own home and with clients.
In the next article, we will discuss other IoT comfort, convenience, and accessory items ranging from smoke and moisture detectors to power monitors, thermostats, and home speaker systems.