Ever since the first “vision” meeting I attended at the Department of Energy in 2003 about the technologically advanced electric power grid of the future, digital network security in a smart grid has been a paramount concern. Much of the concern emphasizes hardening the electrical and communication networks against nefarious attempts to access control rooms or substations. Less attention goes to the security of the home automation system itself.
Here’s why privacy and security issues matter so much in customer-facing smart grid products and services: how likely is it that someone can hack into your home energy management system? The resourceful technology and privacy journalist Kashmir Hill gained access to eight homes, merely by doing an Internet search to see if any homes had their devices set to be discoverable by a search engine:
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.
In this instance, early adopters of a now-discontinued home automation system had not changed their default settings to implement security protocols. They had not followed the simple security protocols that we have become habituated to in our home wireless networks, which most of us now routinely know to secure with a password at least. This security hurdle doesn’t seem very high, and it shouldn’t be; securing a home automation system separately with a username/password login is not difficult, and can be made less difficult for the technologically challenged through helpful customer service.
She goes on in the story to relate her interactions with some of the people whose houses she was able to access, as well as her discussion with people at Insteon:
Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)
“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.
One of the interesting aspects of her story (and you get a much deeper sense of it reading the whole article) is the extent to which these early adopters/automation hobbyists identified some but not all of the potential security holes in the home automation system. These are eager, knowledgeable consumers, and even they did not realize that some ports on the router were left open and thus made the system discoverable externally.
I think she’s right that for such technologies in such sensitive applications as home automation, default username/password authentication is good design. This is an application in which I think the behavioral economics arguments about setting defaults to overcome inertia bias are valid.
Insteon has since changed their default settings to require username/password authentication on the automation system separate from the home wireless network authentication, and the rest of the article describes some other companies that are working to close security holes in their home automation systems.
As we extend the smart grid into our home and the “Internet of things” becomes more deeply embedded in our lives, being aware of the value of securing our privacy and reducing the risk of unauthorized access to our homes and the devices and appliances in them becomes more important. The digital rules we apply to our financial transactions should guide our privacy and security awareness and decision in our home network too. That way we can enjoy the benefits of home automation and transactive energy that Hill lays out in her article while minimizing the risk of unauthorized access to our homes and our information.