Taking a hard look at the security of household IoT devices — yes, even the smart vacuum
My partner loves smart devices, a.k.a. the Internet of Things, a.k.a. IoT. When we first moved in together, it actually made me laugh how excited he’d get about each new gadget. But it also made me kind of uncomfortable, because I had a vague idea that maybe privacy and security weren’t so great with all of these things. Isn’t Google Home kind of…freaky?
But when I realized that this was basically his version of nesting, I put my concerns aside and decided to just feel good about the fact that he wanted to build a comfortable home with me. I mean, I buy throw pillows and comfy blankets; he buys IoT devices.
Fast forward a few years and I’m the lead writer at Avast. And in my first month, I started looking around and thinking: How secure are these devices, actually? Am I a total hypocrite if I’m on here preaching to everyone about staying safe and caring about privacy when I don’t even really know what’s in my own home?
The short answer? Yes. I am a hypocrite. And so, to rectify that fact, I decided to do a full audit of the IoT devices in my home. (My partner’s response: “Does that mean you’re going to touch everything? Ugh.”)
What’s here? What are the inherent security risks? How might these devices be collecting data and compromising my privacy? And how can I reduce the harm of those things, while still benefiting from the undeniable convenience of IoT?
Here’s what I found.
First step: Catalogue all of the IoT devices we currently have in the house. I found eight.
Second step: Research all of the potential security risks of those IoT devices.
My partner bought a massive Vizio smart TV before we even had a couch. I’m not joking — I came home to this behemoth perched my otherwise empty living room. And while smart TVs make a lot of sense for Millennials like us (they’re basically big computer monitors that allow us to stream stuff), they come with a lot of privacy risks.
Basically, our smart TV has been spying on us. Smart TVs use something called “automatic content recognition" (ACR) to keep track of what’s showing on your screen. They then send that information back to a massive database and use it to "support services and to help marketers deliver more relevant advertising.” In other words, it’s a massive treasure trove of data.
On the security side of things, that data is stored in an unencrypted form, which makes it vulnerable to theft. And some older models also have cameras and mics, which provide a pathway into your home for hackers and the government. Not ideal.
Sonos is pretty good when it comes to privacy and security, minus some gaps in 2017 that left a “small fraction” open to hackers who might want to prank strangers with weird sounds. So that’s good, but we have Google Assistant installed on our Sonos One speakers.
That means that while the speakers themselves are pretty secure, it’s important to remember that Google is recording and storing everything we say to the device. They even sometimes “accidentally” record without the trigger word, so keep that in mind. Finally, unless you personally change your privacy settings, Google can and does use information gathered by Assistant to target ads.
I love our Nest thermostat. It’s probably my second favorite smart device, after the robot mop. In addition to helping me be environmentally friendly by doing stuff like turning off when it senses we’re not home, it also aids me in my laziness when I don’t want to get off the couch to adjust the temperature.
But! But, but, but — they’re still owned by Google. And, as we know, Google’s not so great when it comes to privacy, because our data is quite literally their business. So while they do say that they don’t sell data (and they let you review and delete it if you want), I’m always a little bit skeptical of Google having even more information on me. Don’t they have enough?
Speaking of Google having all of the information on me, we also have a Google Nest Hub in the kitchen. TBH, I’m not entirely sure what purpose this serves. I guess we could look at recipes on it, but I always find that easier to do on my computer. And with the Sonos speaker sitting right next to it on the counter, it’s not acting as our Google Home access point any more. I used to have photos playing on it, but they seem to have gone away.
Anyway, this bad boy has a microphone for Google Assistant, so all the stuff I said about Assistant above applies here, too. The version we have doesn’t have a camera, so no worries about cybercriminals spying on us.
I will confess: I absolutely love my robot mop. We got it along with a robot vacuum when we got our kitty and while we basically don’t use the vacuum anymore, the mop is essential for both keeping down dander and keeping the massive wood floor of our apartment clean. (Because you know I was definitely not going to do it.) I also love its smart features, like knowing when there are stairs and working around obstacles like the rugs or the kitchen table.
(and confirmed by Mozilla’s Privacy Not Included guide), they don’t sell any data and it’s just used to help the robot clean my house. (There was a bad publicity moment back in 2017 when it was revealed that they were thinking about selling Roomba user data but they backtracked on that “promise.”) You can also apparently choose not to let it send data back to iRobot and have them delete all of your data if you want.
Of all the devices we have, this one gives me the most pause. Our Roborock S6 is created by a Chinese company, Xiaomi, that doesn’t have a great track record on privacy or security. Their encryption isn’t great and, at least with the Roborock S55, “during the cleaning process, data constantly flows to the Chinese manufacturer,” according to AV-Test. That information includes names and passwords for the Wi-Fi networks it connects to as well as the maps it creates for cleaning. I couldn’t find a similar analysis of the S6, but I definitely don’t love that. It kind of seems like my gut icky feelings about this one were on point.
We have two Google Chromecasts, one upstairs and one down. And it’s another super convenient tool! But, like all the other Google devices, it’s not great on privacy. However, like all Google products, it does allow users to choose to lock down the info Google collects. But did we do that? A good question which I will answer next week.
And last but not least, we have a Eufy Smart Scale. (This is perhaps my least favorite smart device, if only because it read me for filth when I weighed myself after six months of pandemic.) The smart scale is connected to the Eufy app, which uses encryption to transmit the data via Bluetooth. They don’t sell data and users can request that it’s deleted, which is great because this is very personal information.
Okay, so now we know what’s lurking in my home. But how can I protect myself, my partner and my home from virtual intruders and invasive data collection? Tune in next week to find out what happens when I try to secure all of the IoT devices in my apartment. Spoiler alert: I’m probably going to break something.
In order to protect our loved ones and our communities during the holiday season, we've put together a list of seven creative and heartfelt tips on how to host a virtual holiday this year.
This week's Privacy Refresh is all about Instagram. Here are a batch of daily tricks to protect your privacy while using this popular platform.
Reviewing Tanya Janca's "Alice and Bob Learn Application Security", which is both a crash course in app security for newbies as well as a refresher for those that have been doing the job for a few years.