What a security expert thought of a few new smart-home devices at CES 2018

To judge from the cornucopia of connected household devices on display at CES 2018, there is no product that manufacturers deem unworthy of being graced with a processor, a cloud service, and a companion app.

Whether these Internet-of-Things gadgets are worth your money is another matter. They may not deliver sufficient convenience, they may be too tricky to set up and use, and they may open your personal data or even your home up to hackers.

That last part should be the most important aspect of any “IoT” purchase decision. But as I found out when walking past the connected-home exhibits with a cybersecurity professional, it may also be the hardest bit to investigate.

To sleep, perchance is to get hacked

My first stop was at the Sleepace exhibit. This Shenzhen, China-based firm aims to optimize your shut-eye by tracking both your sleep patterns and your nighttime environment with various sensors that include a “smart mattress” pad.

The resulting data may not make an attractive target for a hacker, but Bryson Bort, co-founder of Arlington, Va., cybersecurity firms Grimm and Scythe, pointed out a risk that became reality in 2016, when hundreds of thousands of connected cameras and video recorders were remotely taken over and used to launch distributed denial-of-service attacks.

“The challenge with embedded systems, as we saw with the Mirai attacks, is that we have all this computational power that can be misused,” said Bort, who spoke on a CES 2018 panel about security.

But when we asked what sort of security testing Sleepace ran, sales manager Emily He said, “That is a good question.”

Sleepace’s privacy-policy page only says “we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.” It may not be fair to expect an IoT startup to provide the same wealth of detail about its security measures as Apple (AAPL) or Google (GOOG, GOOGL), but this level of vagueness isn’t a good sign.

Neighborly security

Our next visit on the floor of the Las Vegas Convention Center was a corner booth for Vivint. The Provo, Utah, smart-home firm’s exhibit featured an upcoming, free app called Streety that lets neighbors share video from their security cameras.

The idea here is to enable the same kind of information sharing that already happens on neighborhood mailing lists — if a package vanishes from your front porch, you would use Streety to see if any neighbors’ cameras caught the thief.

We got some detail about the workings of the app, such as its encryption of shared video streams to prevent snooping. But the Streety developers we talked to couldn’t answer more in-depth queries, like whether the company’s self-professed adoption of industry best practices extended to things like hiring “red-team” hackers to try to break into its app.

“We got the security brush-off again,” summed up Bort. The most common reason this happens at marketing-oriented events like CES: The people who do know the answers don’t attend the event. “They don’t bring the security team.”

(Hopefully, the security team actually exists.)

Made in the shade

Our third stop was ShadeCraft, developer of a solar-powered umbrella called Sunflower, which tracks the sun and doubles as a smart-home hub. The umbrella includes a security camera, a Wi-Fi hotspot, a Bluetooth speaker, and an array of environmental sensors.

Adding all those functions doesn’t make the Sunflower cheap (it’s available for pre-order Jan. 15 for $5,220, after which the price jumps to $8,700) but does give this Pasadena, Calif.-based firm more things to secure.

“This is an over-engineered solution,” said Bort, noting the vast amount of data a Sunflower could wind up collecting.

But ShadeCraft Chief Operating Officer Sarahgrace Kelly couldn’t provide any details on the company’s approach to security beyond noting that its cloud services run on Xively, an IoT-optimized platform run by LogMeIn (LOGM).

ShadeCraft’s site was no more informative: A search for “security” yielded only a link to a third-party blog post.

Down the toilet

We wrapped up this IoT tour with a visit to Kohler’s exhibit and the assortment of connected bathroom hardware that included a smart toilet, the $7,500 Numi.

Setting aside the real-world utility of a toilet with a touchscreen remote, this thing appears well secured out of the box simply because it doesn’t connect to the internet. Without that, its “attack surface” — the components that could in theory be attacked remotely — is limited to the Bluetooth connection used to stream music from nearby devices, which can only be reached by someone within radio range of the bathroom rather than by anyone on the internet.

But other items in the new Kohler Konnect lineup, such as a $999 smart mirror that incorporates Amazon’s (AMZN) Alexa personal assistant, do connect to the internet. And once again, the company didn’t have much to say about its approach to security beyond noting that its cloud services run on Microsoft’s (MSFT) platform.

That’s a good start, Bort said, but not a guarantee of protection.

“Microsoft, Google, Amazon, those folks are really good at what they do,” he said. But the security of an app on those cloud services depends on choices made by the company running the app, such as who is allowed to read the data it stores there — and the recent rash of databases and storage buckets left readable by anyone on the internet provides more than enough evidence that those choices aren’t always smart.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.