To judge from the cornucopia of connected household devices on display at CES 2018, there is no product that manufacturers deem unworthy of being graced with a processor, a cloud service, and a companion app.
Whether these Internet-of-Things gadgets are worth your money is another matter. They may not deliver sufficient convenience, they may be too tricky to set up and use, and they may open your personal data or even your home up to hackers.
That last part should be the most important aspect of any “IoT” purchase decision. But as I found out when walking past the connected-home exhibits with a cybersecurity professional, it may also be the hardest bit to investigate.
To sleep, perchance is to get hacked
My first stop was at the Sleepace exhibit. This Shenzhen, China-based firm aims to optimize your shut-eye by tracking both your sleep patterns and your nighttime environment with various sensors that include a “smart mattress” pad.
The resulting data may not make an attractive target for a hacker, but Bryson Bort, co-founder of Arlington, Va., cybersecurity firms Grimm and Scythe, pointed out a risk that became reality last year, when millions of connected cameras were remotely taken over and used to launch denial-of-service attacks.
“The challenge with embedded systems, as we saw with the Mirai attacks, is that we have all this computational power that can be misused,” said Bort, who spoke on a CES 2018 panel about security.
But when we asked what sort of security testing Sleepace ran, sales manager Emily He said “That is a good question.”
Sleepace’s privacy-policy page only says “we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.” It may not be fair to expect an IoT startup to provide the same wealth of detail about its security measures as Apple (AAPL) or Google (GOOG, GOOGL), but this level of vagueness isn’t a good sign.
Neighborly security
Our next visit on the floor of the Las Vegas Convention Center was a corner booth for Vivint. The Provo, Utah smart-home firm’s exhibit featured an upcoming, free app called Streety that lets neighbors share video from their security cameras.
The idea here is to enable the same kind of information sharing that already happens on neighborhood mailing lists — if a package vanishes from your front porch, you would use Streety to see if any neighbors’ cameras caught the thief.
We got some detail about such workings of the app such as its encryption of shared video streams to prevent snooping. But the Streety developers we talked to couldn’t answer more in-depth queries like whether the company self-professed adoption of industry best practices extended to things like hiring “red-team” hackers to break into its app.