With Roomba's new data mapping feature flooding the news, it's worth discussing the implications of the growing smart home ecosystem and its effect on real estate and new homeownership. When a consumer purchases a previously owned home, they are not thinking about the potential security vulnerabilities, privacy implications and consequences of having a third party or hacker take control of the IoT devices that are quickly becoming standard in the modern household. 

Putting the slew of potential data security threats of IoT devices aside, prospective homebuyers are not always thinking about putting in place written contracts containing warranties and indemnities in the event a previous owner retains control of the IoT device in the home. Plus, IoT devices are not regularly patched or updated against malware, if such patches are available at all. Even if they were available, the new homeowner may not know to make those updates. To pile on, typically, the original owner of the IoT device is still registered as the owner after a sale, complicating an already potentially dicey situation.

A 2016 survey from the National Association of Realtors indicates that only 15 percent of clients asked about whether homes contained smart appliances and IoT devices, and more than half the potential homebuyers were unfamiliar with the concept of IoT and how they work. Many realtors are also unfamiliar with IoT technology and privacy and security by design concepts. 

Consumers tend to demand maximum features and functionality from product manufacturers, while also wanting to pay the cheapest price for the devices. Such devices are often built by offshore companies, which may not have the expertise to make their devices secure. Given this, it is unlikely that the manufacturer will pay much attention to the need for issuing regular malware updates and patches for IoT devices, and it will be even less likely to develop effective ways to deliver such updates and patches to the device. Luckily, the Federal Trade Commission has recognized one potentially helpful tool in locating IoT security vulnerabilities. 

Selling houses that contain connected devices and smart appliances can also create unique security and privacy issues. Security cameras, landscape lighting, thermostats and lights can all retain the original owner’s data. Manufacturers are focused on getting their connected devices onto store shelves and into users’ homes without thinking through the need for privacy and security. There is very little awareness about what happens when the connected device is sold.

It’s worth noting, too, that planned product obsolescence is a potential vulnerability. The practice is nothing new and has existed in manufacturing for at least 70 years. The reason some companies embrace the concept is either as a marketing effort to try to migrate the customers to a newer product, or a deliberate design strategy that ensures the product will break and need replacing on a regular basis, ensuring product turnaround and regular profit streams. Anyone who is old enough to have bought home appliances 40 years ago can easily relate to this; modern appliances currently have approximately one-third of the useful life than they used to. Device manufacturers can also “brick” a device, a move that has potentially dire consequences for homeowners, especially after they have been trained to enjoy the convenience and added features of it.

IoT devices are marketed as enabling new solutions and features that did not exist previously and expand consumer freedom and convenience, but unfortunately, they often seem to limit consumer freedom instead. For example, many smart devices are Wi-Fi connected and enabled, which means that if there is an extended power outage or loss of internet connectivity — unless you have kept your non-smart appliances as a backup — you may not be able to enjoy your morning coffee, be able to lock your door manually, or set your thermostat in the “old-fashioned way.”

In short, some manufacturers advertise the features, benefits, ease of use and convenience of the ever-increasing “smart” features on new IoT devices, while rarely acknowledging the problems and downside arising from owning or reselling such products.

Perhaps there’s a void here that can be filled by privacy professionals, who can evangelize the importance of privacy by design, the ethical design and marketing of IoT devices, and the communications necessary to help ensure homeowners don’t become victims of an IoT hack. The end result could be a large swath of happy new homeowners. 

photo credit: ♡✌ Kᵉⁿ Lᵃⁿᵉ ✌♡ Real Estate Photography (109 Santee Street, Asheville NC) via photopin (license)

Realtor and new homeowner checklist for the smart home

  • Make sure to include any smart devices that will remain with the home after it is sold in a disclosure document as an addendum to the sales contract, such as modems, washers, dryers, dishwashers, garage door openers, gate entry systems, smoke and carbon monoxide detectors, sprinkler systems, door locks, lightbulbs, security cameras, thermostats, HVAC, energy systems, etc., along with any user manuals, vendor and manufacturer contact information, and demand to know who has access to the data on each such device using the “data management” settings on the device. If such devices are password protected, always ask for the password to be included in the disclosure document, along with the original manufacturer’s name, as you may need the manufacturer to reset the owner information on an app. 
  • Review the privacy policies and settings for all connected devices, applications, and services, the connected devices’ warranties and support and maintenance policies. If features or a connected device are no longer supported by a vendor, disable or remove the device.
  • Submit change of ownership and your contact information to manufacturers and service providers to ensure you receive security updates and privacy notices changes
  • Many connected devices require WiFi to work, but this is often one of the first things the seller removes when a house is shown and sold. This may prevent you from accessing the devices until you move in and install your own Home WiFi network. If this is the case, have the seller migrate the accounts of all those devices to a new email account, with the passwords used in all the accounts, to facilitate your task of updating and changing passwords, user names and account information as soon as possible upon taking possession of the home. 
  • Check manufacturers’ web sites to confirm that all connected IoT devices are patched with the latest software and firmware. Patching and updating is just as important on your connected devices as it is on your computer. 
  • Reset access and guest codes for home alarm systems, gates and garage door openers.
  • Review routers and devices to ensure they support the latest security protocols and standards, and disable or replace routers with older insecure protocols (for example, use WPA2 instead of WEP or WPA). You should create administrator accounts and user accounts if possible, each with its own distinct complex passwords. 
  • If possible, insert an indemnity provision in the sales contract allowing you to recover damages if you must replace the device and pay for an installer because the seller does not provide the correct information or refuses to cooperate.
  • Although it has been standard for many years for sellers to purchase an “appliance insurance policy” for the benefit of buyers in case any appliance stops working shortly after the home’s transfer of ownership, if possible, expand such an insurance policy to cover all connected devices in the home, and damages and installation costs stemming from the need to replace obsolete or unprotected IoT devices.
  • As part of a home inspection, you should hire an inspector who is knowledgeable about smart devices and security settings to check out each connected device in the home. Some “smart” devices are easy to spot, such as security cameras, refrigerators, washers and dryers, etc. – others such as “smart” lightbulbs, switches, and hot water dispensers are not, but they all collect and send your information and data to their respective manufacturers, and all pose security risks. 
  • If your Wi-Fi router allows creation of a separate “guest” network to keep visitors out of the secure home network, you should create a special guest network for the connected devices in the new home and keep them there, or if it doesn’t, you should purchase a new router, connect it to a separate computer, create a new email account and run the connected devices in the new home from this new system separate from your secure home network, as many devices will try to establish a “handshake” with the router to open up a connection so they can accept outside connections, which will expose your all your smart devices.
  • Turn off “Universal Plug and Play” on the router and IoT devices if possible to reduce exposure. Be careful when hooking up any connected device the first time – make sure that the computer is already set up with anti-malware, firewall and antivirus.
  • Make a habit of purchasing devices that will work without the cloud, if possible. Although admittedly convenient, IoT devices that run on a cloud are often less secure than those that can be controlled entirely within the home. Read the package to determine if internet access is necessary to make the device work, and if the only option is cloud.
  • Do not connect all your devices to the network unless it is necessary to do so.