April 2, 2019
Smart Home Devices: the Security Risks
by Tom Hammond
Smart devices often represent the most vulnerable point on any given network, exposing customers and insurers alike to potential risks.
Smart devices have become a popular topic in the P&C insurance world. Tools like smart thermostats, smoke detectors and water sensors offer the potential to halt property damage before it starts, protecting insurance customers from injury, property loss or both. Yet these devices come with risks.
Smart devices often represent the most vulnerable point on any given network, exposing customers and insurers alike to potential risks. Insurance companies that understand these risks are better-poised to protect both customers and themselves.
The Rising Trend of Smart Device Use
Smart home devices were a wildly popular gift during the 2018 holiday season. Amazon broke records for sales of its Echo and Alexa devices, Voicebot’s Bret Kinsella says. Sales of smart sensors, security systems, wearable devices and smart toys were also strong.
Currently, the most common smart devices used in private homes are televisions and digital set-top boxes, says Gartner research director Peter Middleton. Initially more popular among businesses, tools like smart electric meters and security cameras are becoming more popular among homeowners.
As more people use smart devices, insuring these devices becomes more important. Even Amazon has announced an interest in offering homeowners insurance to complement its smart devices like Alexa speakers and Ring Alarm systems, says Julie Jacobson at CEPro.
Growing Security Concerns for the Internet of Things
As reports of data theft, hacking and other malfeasance reach the news, concerns about security and privacy in the smart device realm grow. For instance, a distributed denial of service (DDoS) attack in 2016 incapacitated websites for internet users across the East Coast of the U.S. The attack was launched from an army of smart devices conscripted by malware, says Lisa R. Lifshitz, who works in internet law and cybersecurity. In this attack, many of the device’s owners didn’t even know they were involved.
These events have raised concerns about device security among both government regulators and private device owners. Insurers seeking to offer smart devices to customers can play a role, as well.
See also: Smart Home = Smart Insurer!
Laws and Regulations Address Smart Device Security
Most laws and regulations to address smart device security are still in their infancy. Although the U.K. introduced guidelines for improving IoT security in 2018, the guidelines remain voluntary. This means that not all manufacturers will adhere to them, says Rory Cellan-Jones, a technology correspondent for the BBC.
In September 2018, California became the first U.S. state to pass a law addressing smart device security. The bill sets minimum security requirements for smart device manufacturers selling their devices in California. It takes effect Jan. 1, 2020.
Rather than listing specific requirements, the California law sets a standard for determining whether security is reasonable. For instance, the security features must be appropriate to the device’s nature and function. They must also be designed to protect the device and its information from unauthorized access, modification or other forms of tampering, say Jennifer R. Martin and Kyle Kessler at Orrick.
Customer Interest in Security Has Increased
As smart devices become more popular, so do demands for greater security and privacy regulations. A 2018 study by Market Strategies International found that people who use smart devices at home or at work are twice as likely to believe that governments should regulate the devices.
“We believe that these workers have already seen the massive potential of the IoT and recognize that the risks – data security, privacy and environmental – are very real,” explains Erin Leedy, a senior vice president at Market Strategies. With a sense of both the potential and the risks, smart device users become more interested in stronger regulations to protect privacy.
A 2017 study by digital platform security firm Irdeto polled 7,882 smart device users in six different countries worldwide. Researchers found that 90% of those polled believe that smart devices need built-in security. Yet, respondents also said they too had a role to play in keeping themselves secure: 56% said that users and manufacturers share responsibility to prevent their devices from being hacked, security director Mark Hearn says.
Consumers understand that their devices can pose risks, and they’re willing to join the fight to protect their privacy and data security. Insurance companies can help them do so by providing the information they need to make smart decisions with smart devices.
Who Controls Your Customers’ Devices?
When today’s smart home devices were designed, the main goal was to simplify tasks and make life more efficient. Security took a backseat to functionality, Fortinet’s Steve Mulhearn says. To function well, smart home devices must integrate seamlessly with other devices — meaning they’re often the weakest security point on a network.
Hackers have noticed these weaknesses and are taking advantage of them. In August 2018, the Federal Bureau of Investigation issued a public service announcement warning that IoT devices could be hacked, conscripting them into malicious or illegal online activities.
“Everything from routers and NAS devices to DVRs, Raspberry Pis and even smart garage door openers could be at risk,” says Phil Muncaster at Infosecurity Magazine. While some devices are at higher risk than others, no smart device is totally safe from attempts to use it for ills like click fraud, spam emailing and botnet attacks.
Helping Customers Understand and Address Smart Device Risks
Most smart device users want to play a role in preventing privacy and security breaches. Yet, they don’t always know how to participate effectively.
Helpnet Security managing editor Zeljka Zorz recommends that homeowners adopt smart devices only after asking and answering two questions:
- Will the device improve the quality of my life/fill a need I have?
- Am I satisfied with the level of security and privacy the manufacturer provides users?
Insurers seeking to incorporate smart devices into their business and their customers’ lives can help by providing answers to both questions.
As Steve Touhill explains on the Resonate blog, demonstrating the usefulness of smart devices can help insurers attract new customers. Smart device owners are 42% more likely to change insurance companies in the coming year. They’re also more open to embracing insurers that offer smart device discounts or support.
Insurers can help customers protect themselves by providing information on privacy and security issues. Options include comparisons of security options for various devices, information on changing usernames and passwords, how-to guides for installing regular updates and checklists for spotting signs of cyber tampering.
When presented as best practices for using smart home devices, these steps can help homeowners and insurers address security risks without raising undue alarm.
Property and casualty insurers that encourage smart device use play an important role in influencing how customers use their devices. While this relationship can be beneficial for both insurers and customers, insurers that enter it face further privacy and security complications.
Protecting Customer Privacy
Insurance companies will need to consider how to protect customer privacy while still gathering relevant data from smart home devices.
This is because smart devices offer the potential to provide more data to insurance companies, changing everything from policy recommendations to underwriting accuracy, Mobiquity’s Sydney Fenkell says.
See also: How Smart Is a ‘Smart’ Home, Really?
Gathering this data requires insurance companies to be smart about protecting the privacy of customers and the security of the information received.
“It is not a matter of if but when these systems will be compromised, and the consequences could be much more severe than lost Social Security numbers,” says Dimitri Stiliadis, chief technology officer at Aporeto.
Moreover, P&C insurers will also need to protect their internal networks when communication with these devices presents a weak point.
Being Smart About Smart Device Data Use
The use of smart device data was recently brought to light by an announcement from the insurance company John Hancock. It made public the company’s intention to incorporate information from fitness wearables like the Garmin or FitBit into calculations of life insurance premiums.
This raised a number of concerns with customers, says Chris Boyd, a MalwareBytes senior threat researcher who goes by the pseudonym paperghost. Boyd notes that these devices often have weak security, which means that a user’s personal data could be altered — affecting insurance premiums.
Similar concerns arise for users seeking to link smart devices with their auto, homeowners or renters insurance. A hacked or malfunctioning device that reports multiple loss events, or that fails to report events that did happen, could affect customers’ insurance rates. Unless, however, human intervention in the system verified the event.
For insurers, one of the best early principles to adopt may be one of transparency, says Chris Middleton at Internet of Business. When consumers know what information their smart home device collects and transmits, and under what security protocols or safeguards, they are better-equipped to understand and use the device in a way that benefits both their interests and those of their insurer.