Works of Smarts: How Hackable Are In-Home IoT Systems?

Although many consumers don’t know it, individuals can be just as susceptible to cyberattacks as businesses—especially if they’re affluent.

In addition to making more attractive targets for cybercriminals, who stand to gain more from a wealthy individual than an average one, high net-worth individuals have another risk factor that makes them particularly vulnerable to attack: They like their tech toys.

“High net-worth individuals tend to be early adopters of technology, so they’re the ones that are bringing smart devices into their homes,” explains Christie Alderman, vice president, client product and service manager at Chubb. “That’s something you have to coach customers about—the need for balancing the wonderful aspects of home automation against privacy and the vulnerability of those devices.”

And although cyber “doesn’t get the publicity it should or the attention it should on the personal lines side, I think the Internet of Things [IoT] explosion is going to bring that to a forefront,” says Eric Cernak, vice president for reinsurer Munich Re America. “People have kind of settled into a routine when it comes to their own personal technology security because it’s been beaten into everybody’s head—‘Just run an antivirus on your desktop and you’ll be safe.’ This is going to open up a whole new world of attack surfaces and attack vectors for the bad guys.”

How They Do It

In order to pinpoint cyber vulnerabilities in personal lines, “you have to think like a criminal,” Cernak says. “There’s a whole host of things people can do.”

Smart home devices may include everything from televisions and DVRs to climate control devices and surveillance systems—“pretty much anything that has web connection, which is a lot,” Alderman says. “You have things like ovens and refrigerators, where you could look at the inside of it from your cell phone. More and more, household appliances are becoming internet connected.”

That’s all it takes to be vulnerable to hackers, who can use a piece of computer code that searches for any internet-connected device that still operates on default settings. “Since most of those devices have an IP address, that address may not be secure, or it may have standard passwords that are easy to crack,” Alderman explains. “Most people aren’t changing those default passwords, so the hackers can access those passwords pretty easily.”

Jessica Groopman, independent industry analyst and IoT adviser, calls it a “brute force” tactic: The algorithms target devices that have a reputation for either low security or easy patching—“which is most IoT devices,” she points out, citing a recent HP study which found that some 70% of IoT devices have up to 25 vulnerabilities each. “Hackers are basically running for factory passwords like ‘1111’, ‘1234’, ‘password’, ‘admin’, because many people don’t change those” upon purchasing a new device.

Or criminals might search for firmware that has gone out of date and no longer supports the latest security features and upgrades, Groopman says: “From there, they penetrate the device and infect it with malware, and that directs them back to a central control system where a hacker, maybe a group of hackers, can direct the attack.”

The most susceptible technologies are those that have enough processing power to not only support malware installation, but also communicate back, Groopman says. “That’s not really going to be your lightbulbs—that’s going to be more your video cameras, maybe your VoIP phones, connected printers, things that are a little bit more robust in terms of processing power.”

But “the reality is everything is hackable now,” says Julie Conroy, research director at Aite Group. “These are organized crime rings that are behind this, and unlike most businesses, they don’t have to make a business case to advance and innovate and justify the technology they’re using. The bad guys usually find the holes first, because they can just try and try and try. If they try 100,000 times and get lucky once, that’s a great day for them. Smart home providers and everybody protecting all the sensitive data—they have to be perfect 100% of the time.”

Why You Should Worry

Most experts agree that when it comes to cyber exposure, not all devices are created equal. “I don’t think you can group all smart home devices in the same category, because each represents a different potential attack vector,” Conroy says. “If you look at this ecosystem of smart home devices, you have to really ask yourself, ‘What can the criminals do?’”

Here are three ways hackers can exploit smart home technology:

1) Invading privacy. This issue is particularly concerning for high net-worth individuals who have more to lose if their secrets get out. “With smart TVs and other devices that sit on your desk—those things are listening all the time for a key word, so they’re picking up everything that’s being said,” Cernak points out. “What level of trust is being deployed there with that manufacturer? What else are they hearing and what else are they seeing?”

Many wealthy insureds may have surveillance systems and camera feeds which “somebody could be tapping into,” Conroy says. “That security data could be used for so many different purposes, like social engineering”—an attack vector that usually involves tricking people into breaking normal security procedures. “We really need to think about each of these connected devices individually in terms of the potential points of compromise and exposure each one represents.”

2) Tracking your movements. With connected lights or thermostats, “if you could get to that data, it might not be an invasion of privacy,” Cernak says. “But I bet it could give me a pretty good profile of when you’re home and when you’re not.”

If it’s worth someone’s time—“and when you’re talking about high net-worth people, it probably becomes worth the time,” Cernak says—a hacker could easily build “a pretty comprehensive dossier on someone,” opening up what Groopman calls a classic in-home security risk.

Consider a hacker who moves laterally, following an individual’s movements on social media and timing phishing attacks just right. They could feasibly hack into the smart device hub and capture an owner’s credentials.

“Now they not only know of your comings and goings, but they can actually control that stuff,” Cernak says. “They can unlock your front door, they can turn up your heat, they can turn down your heat. I haven’t seen any documented cases of this, but I’m waiting for the day when someone will make ransomware for your connected thermostat and say on a cold January day, ‘If you want your heat back, pay me a bitcoin.’”

3) Gaining access. “If you’re entrusting your data to a [device] provider, it’s just another end point where your personal data is exposed,” Conroy points out. “It’s actually somewhat similar to doing business with a new e-commerce merchant.”

And most smart devices have a lot of computing power—“especially when you string them together,” says Conroy, who cites the Mirai attack last fall that brought down Twitter and several other prominent websites. “The cause of that was a botnet that was stringing together cameras. It infected them with malware and then leveraged their computing power to unleash this massive denial of service attack.”

“That’s one impact where consumers are basically being used as agents,” Groopman agrees. “It doesn’t necessarily have a personal data impact, or maybe that’s not the use case for the hack. The hackers might not be interested in personal data—they might have access to it, but in that case, the impact was much broader.”

There’s a lot to worry about, but don’t take it too far, Alderman warns. “I don’t want to be entirely negative,” she says. “There are some great things about IoT—there are devices that are detecting fires and helping save lives, there are devices that can detect if a leak has started in the house and stop the leak before it becomes a major loss for the client, and obviously telematics just make the house a lot easier to manage.”

But “we’re just seeing the tip of the iceberg on these kinds of attacks,” she adds. “Right now, hackers are focused on mass-distributed denial of service attacks, but I would not be surprised if we see more individually targeted attacks for people with high profiles because there’s not a lot of protection around it. It’s a nuanced conversation about weighing the pros and cons. You just have to think about how you protect yourself.”

What should you tell your high net-worth personal lines clients so that they are better equipped to do that? Keep an eye on IAmagazine.com and upcoming editions of the Markets Pulse e-newsletter to find out.

Jacquelyn Connelly is IA senior editor.