Friday, July 8, 2011

My thoughts on the marriage of home security and home automation

(Originally written and posted May 10 2011)

Security is important. In fact, it is vital. It is how we protect our families, it is how we protect our possessions, it is how we protect our identities. Security is something that we need to take seriously, especially in the world of online banking and social networking. Most of us are aware that nothing we do online should be considered private, but does home security fall into a hackable domain? Have we come to the point where our new LED or plasma TVs can be ripped off our wall by a cyber attack initiated from another city?

Unfortunately, this may be the case. This past weekend, a salesman came by trying to sell us a home security and home automation system. I won’t discuss his mannerisms in this article since it doesn’t contribute to my main point, but after our first couple of encounters, he probably shouldn’t have returned the third time. I also won’t bother naming the company he represented. His system included (not limited to) items such as a two-way speaker with a cellular connection, a key fob that allows the door to be unlocked and the system disarmed without a key, video cameras which allow both you and the security company to look in on various rooms in the house from a remote location, and a smartphone app that allows you to unlock your doors and disarm your security system remotely (for example if you are at work and want to let someone into your house).

Don’t get me wrong, I think the progression of technology is great. I love gadgets, and I’ve often thought about putting in a home automation system that I would likely plan and develop myself if I ever got around to it. But there are situations where being an early adopter of a technology, even though it might offer an appealing luxury, can actually have the complete opposite result of what was intended.

This salesman was talking about how great it would be to be able to look in on your home while on the road, using the cameras, just to be sure that everything is okay. Sure, this would be great! I would love to be able to look in on my house using cameras that I have configured and secured myself, but I would not want anyone else, including the security company, to have this ability.

He assured me that they (the company) were not able to use the cameras, or listen in on what was happening in the house, unless the alarm was triggered. However, when I asked him if their inability to do so was due to a company policy, or an actual systematically imposed restriction, he wasn’t able to give an answer. I then asked him if he was familiar with the privacy lawsuit that Aaron’s, the rent-to-own chain, was facing right now. He wasn’t. So I explained to him that Aaron’s was installing spyware on laptops that were going out their doors, which allowed them to disable the machines if their clients failed to pay for them. This in itself isn’t a bad thing, but this software also included a key logger, as well as the ability to control the computer’s built-in webcam. This all came to light after a manager showed up at one of the customers’ homes (who apparently paid off the computer, but Aaron’s incorrectly processed the final payment, sending it to the repo department) with a picture of the owner using the laptop, taken from the built-in webcam. The owner rightfully pressed charges, claiming that his daughter uses the computer to check her grades in the morning before having a shower, and that their son often runs through the room after getting out of the bath, and there was a chance those moments were caught as well. This lawsuit will likely go class action. After explaining this situation to the salesman, all he said was “well ... that’s illegal.” Of course it is. So is speeding. So is parking your car on the sidewalk, and I’m pretty sure that’s your car on the sidewalk across the street. And of course, if no one did anything illegal, I wouldn’t need a security system in my house...

He then went on to talk about how he had an iPhone app that allows you to unlock your doors for someone when you are away from home. He was obviously very excited about it and asked if I had a Smartphone. I said I did, and after explaining to him that Android actually does have an app store outside of Amazon, I told him that having a Smartphone app that allows a security system to be disabled and doors unlocked remotely changes "home security" into "home insecurity".

At this point he got defensive, and picked up that I likely knew something about online security.

“I assure you we have people like yourself working for us...” he started to say.

To which I replied, “there are people just like us working for Sony as well.”

There was no rebuttal.

Now I know that Sony was an extreme case. Sony’s PlayStation and Qriocity online services have been down for nearly 3 weeks now, as they struggle to rebuild their security from scratch after one of the largest security breaches in history. In their situation, they were running an unpatched instance of Apache server, which had known security holes, and they were not running a much-needed firewall. This made the access of their network by a hacker very easy. Once their network was penetrated, it was discovered that there was very little encryption on Sony’s users’ personal data. And even for data that was encrypted, now that the hackers potentially have this information stored locally, they can easily run their own unthrottled script that can work until they find the keys necessary to decrypt all of that information back into plain text.

Again, the Sony situation is an extreme. However, this is how it relates: Taking a home security system and putting it on the internet for no reason is exactly the same as taking a server with loads of confidential information and putting it on the internet for no reason. Offline, you have to physically walk up to the box to break into it. Online, you can potentially break into it from anywhere in the world. In the case of the house, you could sit in a car down the street and work. Once you have the system compromised, and the doors unlocked, you can then get out of your car and casually walk right into the house. Why would anyone who actually cared about security want to put themselves at risk of something like this? It adds another unnecessary point of failure.

The salesman then, as a last resort, made an analogy about his system being "Windows 7", and all other security systems being "Windows 95". I told him that this was actually a good analogy, because once again, people who were concerned about security in a Windows environment would NOT be using Windows 7, but instead would likely still be using Windows XP. Windows 7, being a new system, is far more exploitable. Windows XP has had 10 years to mature to the point where it is now very solid, tested, and proven.

If security is your main concern, it is very rare that being an early adopter of a technology will pay off.

The salesman also tried to connect with me by telling me about all of my neighbours that I probably have coffee with, including their names, who were getting this system installed. I stopped short of telling him that he was spreading around a shopping list to a tech-savvy thief who may be living in this area. I stopped short because, you know, “that’s illegal.”

What do you guys think? If a system like this was presented to you, would you be willing to compromise your security to get the latest gadgets? Or are you like me and believe that home security and home automation systems should be isolated from each other?

- Mark Bass

1 comment:

  1. I must admit that your post is really interesting. I have spent a lot of my spare time reading your content. Thank you a lot! alarm companies laredo texas
