For new smart-home gadgets, the spectre of insecurity looms

In recent months, hackers have bent armies of internet-connected cameras, routers, and similar devices to their will to launch crippling cyberattacks — putting the spotlight on makers of similar products at this year's CES.

At this year's CES in Vegas, some companies are keenly aware of recent threats facing products

Carrier unveiled a new line of internet-connected products for the home at CES 2017, the annual consumer electronics show in Las Vegas. (Matthew Braga/CBC News)

Amongst technology experts, it's often said that the internet of things is a security nightmare.

The term is commonly used to refer to the myriad connected devices that are increasingly making their way into our homes — from Wi-Fi-capable dishwashers to vacuum cleaners, light bulbs and more.

Within each product is basically a tiny, low-powered computer. But unlike a laptop or smartphone, many of these devices have been found to be notoriously insecure.

In the past few months alone, hackers infected thousands of vulnerable internet-connected cameras, routers and related devices, and used their combined power to launch crippling cyberattacks on popular internet websites.

Researchers, meanwhile, have found flaws in popular internet-connected light bulbs — bugs that have since been patched — and even suggested a well-crafted virus could spread from bulb to bulb.

And, of course, there is the ever-present fear that connected, smart-home devices — especially ones capable of recording audio, video, and other personal information — could be used to spy on their owners. (It certainly doesn't help that voice recordings from Amazon's personal assistant, Alexa, are being used in court as evidence for the first time.)

"The security of these devices, this is what's going to make the smart home happen or not," said Romain Paoli, head of product at Netatmo, a maker of connected home security cameras, thermostats and smoke alarms. "We're not happy to see competitors fail, because it hurts us too."

Addressing security issues

CBC News interviewed representatives for Netatmo and a handful of companies with connected smart-home devices earlier this week, at a preview event for the Consumer Electronics Show (CES 2017) in Las Vegas that officially opens today. All are keenly aware of recent threats facing their competitors' products and the industry at large.

Naturally, they all praised the security of their devices — and frankly, it would be weird if they didn't — but at the same time, admitted that no piece of technology can ever be completely secure.

A Samsung refrigerator with Family Hub 2.0 was among smart-home products on display before CES International opened Wednesday in Las Vegas. Family Hub 2.0 features an interface on the refrigerator with apps that can be controlled by voice recognition. (John Locher/Associated Press)

"We're trying to sell this thing to every homeowner in America," said Bryan E. Mitchell, a public relations manager for air conditioner company Carrier, which also has a new line of connected smart-home products. "So we have to go to the homeowner and say, 'Hey listen, we live in a vulnerable world, we're going to do all we can.'"

Carrier, alongside Netatmo, Moen and Somfy, say they've enlisted third-party companies to conduct regular audits of their hardware and software — something that security experts typically consider good practice. This means reviewing code for bugs, and attempting to find vulnerabilities in devices much as an actual attacker would, in a process called penetration testing.

Each company also boasted of using end-to-end encryption to protect data travelling to and from their products, and stressed the importance of having strong password requirements so that passwords are less likely to be easily cracked or guessed.

Mitchell went so far as to claim that Carrier relies on "the same folks that are testing our systems to make sure the fighter jets and space suit technology is safe." (Carrier is owned by United Technologies, a manufacturer of aircraft engines and aerospace equipment for military applications and for the commercial aerospace, defence and building industries.)

Step in the right direction?

Moen, more commonly known for kitchen and bathroom fixtures, unveiled a connected shower system that can be controlled from a phone. Though some of the software and intellectual property was developed in house, the company turned to a third-party hardware company called Grid Connect to put it all together.

"This is Moen's first smart-home product, so we're not going to just jump in and do it ourselves with no experience. We want to make sure it's done well," said a spokesperson.

All of these efforts certainly sound like a step in the right direction for a product category that hasn't had the best security track record of late. But whether the industry as a whole is moving in this direction likely won't be obvious for quite some time. A thermostat or dishwasher isn't something that gets replaced often, and even with software updates, insecure products already in the market will undoubtedly remain in use for years.

At the same time, the sheer number of connected devices coming online means it may prove impossible to adequately secure them all.

And as with any technology claiming top-of-the-line security practices, in the absence of an independent third party to verify such claims, you only have companies' word that they're telling the truth.

A good place to start: don't trust anyone that claims their products are 100 per cent secure.

"If they do," said Jean-Sébastien Prunet, marketing director for Somfy, which introduced a new home security camera, "it's a lie."

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.