"We've seen the trend this year, the connected home is blowing up," Moore said in an email. "At CES, nearly every device was networked. At this rate, it's only a matter of time until there is a major widespread breach or hack of personal data involving one or more IoT devices. Consumers are already hesitant but willing to take a leap of faith. So what happens when this breach occurs? It's about to make worldwide headlines and to be taken out of context. One could imagine that the IoT industry's sales and trust will be significantly impacted."
The long game: Accessing your router
Some of the concerns in Synack's report are a bit overblown. One device was dinged for being susceptible to a supply-chain attack, where somewhere between the assembly line and a retail shelf, a ne'er-do-well could intercept and physically tamper with the device, installing malware or altering the firmware before it reaches the end user.
There's also a bit in the report about Wi-Fi jamming; but when we asked Moore if that's truly a concern for seemingly benign devices like smart thermostats, he said for those types of products, the worst-case scenario is "temporary loss of remote functionality."
At the same time, security shortfalls in these devices still pose a risk. Let's say you're not concerned if someone hacks into your thermostat and changes the temperature. It's annoying, maybe even costly if you're away on vacation when it happens and aren't monitoring things, but you'll survive. The smart thermostat, however, isn't the real target. It's merely a stepping stone to your router.
In a follow-up blog post, Synack lays out a scenario where a hacker could upload custom firmware into a compromised consumer device, effectively turning it into a remote login platform. Now the bad guy can penetrate your home network, where it's easier to gain control of your router. Once he does that, you're in for a very bad day because he can monitor your online behavior and collect personal information, such as bank logins and email communications.
What can you do?
We asked Moore if consumers should avoid today's crop of connected-home appliances and home-automation controllers. For the most part, he said, such an extreme measure isn't necessary.
"It really depends on the consumer and their concerns. In general, I would say, no, go out there and get the newest, latest, greatest tech," Moore said. "Just be aware of the security implications and hold manufacturers to high standards. For less tech-savvy consumers that are concerned with security, purchase well-reviewed and -secured devices with a reputation for ease of use (such as Nest). There is always a risk in adopting new technology, but the benefits often outweigh it."