A smart thermostat is near the top of many shopping lists of ‘must have’ Internet of Things (IoT) devices for the connected home. They look cool on the wall and help us to be energy-efficient in our homes (which in turn saves us money). They bring convenience to the way we control our environment and fit into the way we manage our lives today, learning our temperature preferences, using motion sensors to detect our presence, and using our smartphone’s location services to know exactly where we are. Continuously. Yes, your smart thermostat probably knows more about you than your best friend does.
As the number of smart thermostats in use goes up, so too does the importance of safeguarding our data and our connected homes.
The smart thermostat goes mainstream
In a short space of time, smart thermostats have become more widely adopted. According to Berg Insight, the M2M/IoT market research provider, in 2016 2.3 million homes in Europe and 7.8 million in North America had smart thermostats. This is forecast to rise rapidly in the coming years to reach 34.7 million and 43.4 million respectively in 2021. It would seem that the devices’ benefits are starting to strike a chord with consumers; so much so that over half (54%) of respondents in the UK strongly agreed or agreed that they would like to be able to control their heating remotely in a Deloitte survey.
A smart thermostat offers all the advantages of a traditional programmable thermostat without most of the programming hassles – and with the added bonus of remote smartphone access. The user may establish basic settings but then, over time, the device can learn the user’s habits and preferred temperature settings so that the house is warm (or cool) when they get home from work. And with easy smartphone access, users can double check that the house is indeed the correct temperature while they are away.
Smart home security
So far, so comfortable, but with that comfort comes some risks. The fact that the smart thermostat knows when the user is home or away is a security issue in itself. It probably knows a lot more too, such as how many people are home and the name and passwords of the home WiFi network; even the precise location of the house.
Unfortunately, we’ve already seen smart devices being hacked and used as a weapon of mass disruption: by combining thousands of devices together, a botnet army succeeded in knocking major sites offline with a Distributed Denial of Service (DDoS) attack, disrupting internet access for millions. It’s only a matter of time before smart thermostats are directly targeted, not just as a platform from which to launch attacks, but for the valuable data on their user’s physical presence. With smart thermostats, it is an open question just how secure or encrypted the data is as it travels between company servers and the home. Is the data stored on the device itself encrypted? Does the device manufacturer keep the data to itself or could it resell it to other companies?
Secure as well as smart?
In 2015, a worrying 44% of 1549 surveyed members from the European Information Systems Audit and Control Association considered it very likely that researchers could hack a thermostat and use this vulnerability to access home data via the WiFi network. What’s more, 39% thought this scenario was somewhat likely.
How right these experts were. In 2016, white hat hackers from Pen Test Partners did indeed hack a smart thermostat, and inserted a warning screen that threatened to shut down the entire system unless a ransom payment was made.
Other researchers have shown how a thermostat can be hacked while booting up. The hacker did require half a minute physically with the thermostat to add malicious firmware and reset the device, but once they were in they could access not only the device system but other smart devices in the network system too.
Securing the IoT
A smart thermostat and its online support crew knows a lot about the user – perhaps too much. The potential for hacking incidents to occur underlines the importance of security for all connected devices.
While individual device-level security remains a priority, security at the gateway (the router) offers a particularly convenient option. It places no demand on the consumer for IT skills, requires no additional hardware or expertise and is implemented by the internet service provider or router manufacturer, securing the smart home against privacy invasion, smart device hijacking and misuse of private data. Router manufacturers and ISPs can ease the pressure on end-users by bolstering their own security offering in this way and, at the same time secure themselves a competitive advantage in the race to keep customers safe online.