I saw this meme on Facebook: “I work in IT, which is the reason our house has mechanical locks, mechanical windows, routers using OpenWRT, no smart home crap, no Alexa, and no Internet-connected thermostats.” It’s a catchy meme, but it got me wondering about the reality of the smart home “dangers” it seems to describe.
The basic idea behind this meme is that you shouldn’t trust software. You can’t trust a digital lock not to let the wrong people into your house. You can’t trust the software that runs in your home router, unless you can see the source code for it, like the OpenWRT software. And you certainly can’t trust the software in any smart home devices, always-listening digital assistants like Alexa, or thermostats that connect to the Internet. America has trust issues at many levels—not entirely without reason—and software, which is well-nigh magic in most people’s eyes, is an easy target.
I’m not sure why the meme calls out “mechanical windows.” I’m unaware of any windows that aren’t mechanical (except for Microsoft Windows). But clearly, a software-enabled window would be A Very Bad Thing as well. God forbid it connects to the internet!
My home has an Echo Dot (an Alexa device), a Honeywell thermostat (with an app for my phone), and a General Electric oven (also with an app). I have old-fashioned doors and windows, though. I have an Xfinity router (who knows what’s inside?) as well as an eero mesh network to cover the house with Wi-Fi. Oh, and there’s an Apple TV box for streaming. Given the meme above, you’d think I’d be terrified.
The reason I don’t worry about it much is that these smart devices are on a different network than our phones and laptops. There are lots of ways to accomplish this, but in our case, the Xfinity router provides one wireless network, and the eero mesh provides another. They both use the same Xfinity internet connection to talk to the outside world, but they don’t talk to each other. Separating networks is the way that real “IT workers” address the issue of security.
It’s true that my Xfinity router is a potential point of failure. It *could* be running malicious code, and there is a new strain of malware called BotenaGo that attacks home Wi-Fi routers from D-Link, Netgear and others. (For details, visit tinyurl.com/BotenaGo.) But frankly, there’s little I can do about the firmware in my router, unless I go (as the meme suggests) the OpenWRT route, which isn’t an option for those without IT support staff.
When it comes to network security, the best approach is to put devices with different security needs on separate networks. This even applies to providing guest access to the internet at your home or business. Many home routers offer a “guest network” as a built-in feature.
If you’re interested in trying out a digital lock, Level (level.co) makes both a smart deadbolt ($199) and a smart lock ($249, or $329 for one with touch access). They’re attractive, and basically a drop-in replacement for a standard lockset. The bolt of a Level lock is operated by a small battery-powered gearbox (with a standard key provided, in case the battery dies). The lock relies on Bluetooth wireless connectivity to interact with your phone. As you approach the door with your phone, the door unlocks automatically. Aside from the convenience of being able to ditch your keys, though, smart locks are an expensive alternative.
As with any wireless technology, hacking is a risk, and these locks are no exception. The standard rules apply: install them correctly, keep their software up to date, and keep your passwords safe. Given that, a smart lock is no more hackable than your phone or your router.
Can software be trusted? Software is created by humans, and is thus subject to errors in its design and creation (bugs). And because software is ubiquitous, it’s also an attractive place for bad actors to act badly (malware). These problems have been around as long as software itself. The better question is, can you trust the people who make the software?
For example, Apple recently released AirTags, relatively inexpensive little discs that you can track using your iPhone (four for $99). They are intended for keeping track of keys, wallets, and other things we misplace, but it turns out that bad actors use them to track people surreptitiously. Apple, however, modified its software to let you know about AirTags that aren’t yours that stay near you over time. That gives me greater confidence that I can trust Apple’s software.
“Trust, but verify” is a Russian proverb that the late President Ronald Reagan frequently repeated when talking about treaty compliance. Unfortunately, most of us must rely on others to verify that the software we use is trustworthy. For the most part, that means buying from reputable providers who keep their software and devices updated, who take security seriously, and whose interests are aligned with your own.