You’re on the way into work, but you’re feeling groggy — not enough sleep lately. You decide to buy a new, “smart” bed that connects to the internet and measures the quality of your sleep through metrics such as your heart rate and breathing rate and how much you toss and turn.
But while those features might be nifty, they may also be the thing that ultimately keeps you up at night.
That’s because that internet-connected bed offers a pathway into your home network for cyber attackers, and potentially provides a glimpse at data as personal as your sleeping patterns, according to the San Antonio Express News.
This isn’t a science-fiction fantasy about the emerging “internet of things” and proliferating smart home technology — a person in San Antonio recently had their online home network accessed by a hacker via their Sleep Number smart bed, according to Chris Edelen, president of Sterling Home Technologies, which designs and installs smart home automation systems.
“We always hear about data breaches of companies, and we don’t hear about breaches of homeowners — but they’re happening every day,” Edelen said. “(Smart home security) is becoming a bigger and bigger issue.”
The internet of things is made up of all the internet-connected devices you may have in your home. That could range from smart lawn sprinklers and thermostats to a security system, gaming system or a robotic vacuum, among many other devices.
The problem? The conveniences — the ability to turn on the air conditioning at your home from your phone while you’re leaving work, or the ability to see real-time video of your home from a security camera — all introduce additional devices that can be used to digitally enter your home network, steal your data and potentially spy on you.
“Many of those (devices), they represent a pathway into the home that didn’t exist before. And so I think most consumers don’t weigh the risk and reward,” said John Dickson, a principal at the cybersecurity firm Denim Group.
Smart home technology use has grown rapidly this decade, while functionality and affordability have both improved in recent years.
The number of IoT-connected devices is expected to reach 43 billion in 2023, triple the number from 2018. And today nearly a quarter of all businesses use some form of IoT technology, up from 13 percent five years ago, according to consulting firm McKinsey & Company.
Proponents of the technology tout its ability to enhance a house or apartment’s “livability,” and generally make life at home more convenient.
“We hear from clients all the time that overall it helps them really enjoy their home more than they would without the technology,” Edelen said. “It’s a real convenience, in many ways.”
The technology can make homes more energy efficient by automating thermostat use, controlling lighting and closely measuring energy consumption — all generating savings for homeowners.
But poor cybersecurity practices by the average consumer, combined with minimal built-in IoT device security, can make for an alarming mix.
A study published this month by two other UTSA cybersecurity researchers found vulnerabilities in internet-connected light bulbs, a seemingly benign appliance and the most widely used form of smart home technology.
“Modern internet-enabled smart lights promise energy efficiency and many additional capabilities over traditional lamps,” the study reads. “However, these connected lights also create a new attack surface, which can be maliciously used to violate users’ privacy and security.”
Edelen said about 87 percent of clients he’s worked with install some smart lighting control — and that number is growing. Edelen’s company has seen business in its home automation services increase by about 20 percent this year compared to last year, he said.
Cybersecurity experts said users should ask themselves how necessary some functionalities of devices are — do you really need your phone to tell you how many eggs are in your refrigerator? — and should call for greater scrutiny of IoT security from policymakers.
“The societal problem we have is there’s more demand for products than there is for security,” Dickson said. “Until consumers push for more security and ask elected officials to push for that in the form of regulations, it’ll still be up to the manufacturers, and that’s the case right now.”