our data and our connected homes.
In a short space of time, smart thermostats have become more widely adopted. According to Berg Insight, the M2M/IoT market research provider, in 2016 2.3 million homes in Europe and 7.8 million in North America had smart thermostats. This is forecast to rise rapidly in the coming years to reach 34.7 million and 43.4 million respectively in 2021. It would seem that the devices’ benefits are starting to strike a chord with consumers; so much so that, in a Deloitte survey, over half (54%) of respondents in the UK strongly agreed or agreed that they would like to be able to control their heating remotely.
A smart thermostat offers all the advantages of a traditional programmable thermostat without most of the programming hassles – and with the added bonus of remote smartphone access. The user may establish basic settings but then, over time, the device can learn the user’s habits and preferred temperature settings so that the house is warm (or cool) when they get home from work. And with easy smartphone access, users can double check that the house is indeed the correct temperature while they are away.
So far, so comfortable, but with that comfort come some risks. The fact that the smart thermostat knows when the user is home or away is a security issue in itself. It probably knows a lot more too, such as how many people are home and the name and passwords of the home WiFi network; even the precise location of the house.
Unfortunately, we’ve already seen smart devices being hacked and used as a weapon of mass disruption: by combining thousands of devices together, a botnet army succeeded in knocking major sites offline with a Distributed Denial of Service (DDoS) attack, disrupting internet access for millions. It’s only a matter of time before smart thermostats are directly targeted, not just as a platform from which to launch attacks, but for the valuable data on their users’ physical presence. With smart thermostats, it is an open question just how secure or encrypted the data is as it travels between company servers and the home. Is the data stored on the device itself encrypted? Does the device manufacturer keep the data to itself or could it resell it to other companies?
In 2015, a worrying 44% of 1549 surveyed members from the European Information Systems Audit and Control Association considered it very likely that researchers could hack a thermostat and use this vulnerability to access home data via the WiFi network. What’s more, 39% thought this scenario was somewhat likely.
How right these experts were. In 2016, white hat hackers from Pen Test Partners did indeed hack a smart thermostat, and inserted a warning screen that threatened to shut down the entire system unless a ransom payment was made.
Other researchers have shown how a thermostat can be hacked while booting up. The hacker did require half a minute physically with the thermostat to add malicious firmware and reset the device, but once they were in they could access not only the device system but other smart devices in the network system too.
A smart thermostat and its online support crew know a lot about the user – perhaps too much. The potential for hacking incidents to occur underlines the importance of security for all connected devices.
While individual device-level security remains a priority, security at the gateway (the router) offers a particularly convenient option. It places no demand on the consumer for IT skills, requires no additional hardware or expertise and is implemented by the internet service provider or router manufacturer, securing the smart home against privacy invasion, smart device hijacking and misuse of private data. Router manufacturers and ISPs can ease the pressure on end-users by bolstering their own security offering in this way and, at the same time, secure themselves a competitive advantage in the race to keep customers safe online.