July 29, 2014
‘Smart’ Homes Can Have Stupid Features
"Connected homes" allow for, say, remote control of lights but can undercut improvements in alarms and leave openings for hacker vandals.
Do people want faster response by the police to a burglar alarm, or do they want lights they can control remotely? That is a core question that the alarm industry faces as it undergoes seismic changes. Does the alarm industry sell security, including fast response by police, or does it sell the “connected” home?
Many are leaning toward an emphasis on the connected home. That’s why Google bought Nest, known for its smart thermostats, for $3.2 billion in early 2014 and then announced recently that Nest would buy Dropcam for $555 million. Dropcam uses small cameras to provide security services, though not as the alarm industry is doing. The alarm industry connects cameras to a central station, where feeds are monitored and police notified if there is a break-in. Dropcam uses motion sensors to alert the user to any possible problems; the user then checks the video feed from his phone or computer and, if necessary, contacts the authorities for help.
Whether the alarm industry chooses to emphasize fast police response or follows Google and tries to offer broad home automation solutions, there will be broad ripple effects, including for insurers.
From a risk-management perspective, there are two issues. The first is whether the home automation improves police response and reduces losses. Ultimately, however, the second issue is even more crucial: Do the new home automation services actually introduce new risks and enable high-dollar losses through remote vandalism, including frozen pipes and catastrophic water damage?
Concerning the first issue: At a time when declining budgets are forcing police to reduce the number of officers responding to property crimes, home automation has hijacked a large slice of the alarm industry and is minimizing police response. Catching burglars and reducing property crime has become secondary to lifestyle convenience features and home automation revenue streams.
Increasingly, alarm/security is proposed as just one more feature in home automation. But the new offerings generally use legacy alarm solutions, which have a false alarm rate of 98%. As a result, these alarms are only assigned a priority 3 by law enforcement, so police response is slow, if it happens at all. By contrast, new alarms – based on monitored video feeds, and with break-ins verified — are treated like a crime in progress, a priority 1. Responding officers run hot because they expect to make an arrest.
In an effort to confuse the issue and continue to sell legacy alarms, home automation suppliers sell the ability of the homeowner to remotely view cameras in the home as “video verification.” This claim is exploiting a naïve consumer. Home automation cameras are not monitored by the central station, and they do not provide faster police response. Remote viewing by the owner ends up being a glorified nanny cam.
Unfortunately for insurers, home automation has become the primary message of some of the historical burglar alarm companies, which have reengineered their companies. Security companies are now chasing smartphone thermostats and Wi-Fi-based lighting instead of focus on delivering police response to an alarm.
A joint study by the San Bernardino, CA, sheriff and police departments in 2011 found that the arrest rate for a traditional burglar alarm was only 0.08%. A five-year study completed by Pharmacists Mutual in 2013 found that, when police response was less than five minutes, the officers made arrests 21% of the time. This means that the likelihood of an arrest for monitored, video-verified alarms and priority police response is more than 250 times better.
Video-verified alarm systems monitored by a professional central station represent real loss control tforthe insurer. Video-verified alarms reduce claims. Monitored video alarms actually mitigate losses by delivering faster police response to an actual incident. Police make arrests and prevent the loss itself.
Concerning the second risk-management issue: Home automation introduces new threats for the insurer – catastrophic claims caused by remote vandalism. Imagine the damage to a Minnesota home whose furnace was turned off by malicious hackers while the owners were on a winter vacation. The costs for bursting water pipes and flooding the property for days would make most burglary claims seem paltry in comparison.
The problem is that home automation and the connected home create risks that have not been adequately identified and considered by insurers. Much has been written regarding identity or data theft caused by hackers exploiting weak computer networks for passwords and credit card info. The financial losses from this type of crime have had little impact on traditional property/casualty insurers, but home automation changes the risk exposure because now remote vandals can invade the network and take over the infrastructure and appliances of a homeowner to maximize damage without ever setting foot on the property. Home automation devices become a Trojan horse for vandals, and the more devices are connected, the larger the risk as each device introduces another potential hole.
The press is finally beginning to educate readers about the issue. A July 30, 2014, article in Computerworld headlined “Home Automation Systems Rife with Holes” explains, “A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave. Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.” Security Today published an article on July 16, 2014, about how hacked light bulbs can reveal a homeowner’s Wi-Fi password and actually give the hackers control over the home automation system itself. This excerpt describes the problem:
“It’s all the new craze: the connected or smart home, where at the touch of a button on your smartphone you can dim your living room lights, close the garage…. But, with sophisticated technology comes risk if you aren’t vigilant in applying the latest security updates to your smart home. In fact, the latest risk involves LED light bulbs that can be hacked to change the lighting and reveal the homeowner’s Wi-Fi Internet password.”
The entire home automation system is only as secure as its weakest link or device – devices that need to be kept updated with security patches as flaws are discovered. Unfortunately, many of these connected home devices are static and not even capable of being updated with new software patches. The connected home is now the Wild West of home security, and property/casualty insurers are likely going to be the ones left paying the bill.
The bottom line is that the home automation industry introduces threats that run counter to the risk mitigation insurers have traditionally found by using discounts to promote monitored alarm systems. In analyzing these risks, David Bryan, Trustwave researcher, states, “Anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization.” The proliferation of devices, protocols, apps and portals mean that the problem is getting more complex instead of calming down.
It is time for insurance companies to review their “alarm discount” and make sure that the discount encourages behavior that actually reduces claims. The alarm industry is promoting home automation to the consumer, but the features and benefits don’t actually reduce risk. Underwriters can reduce risk and minimize losses by encouraging their policy holders to install monitored, video-verified alarm systems that deliver faster police response. Any insurance policy that offers discounts for home automation systems is encouraging new and unexplored risks posed by remote vandalism, and possibly worse.