Hacking the smart home is too easy. That's the stark warning from security experts on both sides of the Atlantic. And while there are some mistakes individual consumers have made, it seems most of the faults lie at the door of the smart home service providers.
It's not just a case of some joker turning the lights off or the heating on. The threats are potentially malicious. Hacking into a weak IoT smart home device, or into the web service that manages it, could give the hacker a customer's WiFi log-in and password. That could provide access to their PC and smartphone, to every incoming and outgoing email, and to online bank accounts and credit card details.
A hacker might open a smart doorlock to rob a house physically while clearing out a bank account remotely and opening up fake accounts using stolen ID.
They might also use ransomware to demand cash to stop hassling a compromised system's owner. They might threaten to -- or actually -- start fires or disable other devices.
They might even try to blackmail a smart home occupier having found content on a computer hard drive or having filmed the home owner using the home's own security cameras.
Attacking the customer is not all. There are already reports that hacked IoT devices have been used to send thousands of web enquiries to targeted servers as part of massive distributed denial of service (DDoS) attacks. Unwittingly, smart homes could kill off websites and web services the smart home owners want to use.
And what if the hacker corrupts the data being collected from the smart homes, altering the measurements and timings recorded, for example? That would turn the database of information that was going to be relied upon into useless drivel. The data that could have been lucratively sold to partner firms would be worthless.
"Smart home hacking up to now has been done by researchers. If it is happening in the wild, it is not yet being reported," says Steve Christiaens, security analyst at consultancy Bishop Fox.
Tony Gambacorta, head of operations for Synack Red Team, says: "You have all the problems you would have in any gold rush market. The real risk is many of these companies that are rushing in have never run a cloud infrastructure before. It is how the devices connect to the cloud and how the data is stored that creates the most risk."
And when their susceptibilities are shown to them, some smart home providers prefer to shoot the messenger. Ken Munro, of penetration testing firm Pen Test Partners, is one such messenger. He says: "If a security researcher makes contact, listen to them and react -- all they really want is some thanks, but more importantly that you roll out a fix."
Munro gives an example of a smart doorbell that now checks for, and installs, the latest firmware every time someone rings the doorbell.
The speed with which firms try to get products to market and the desire to undercut the prices of leading brand names by using outsourced production have meant security has been overlooked. But it shouldn't be.
Dimitrios Pavlakis, digital security industry analyst with technology market researcher ABI Research, says priorities have to change. "Equipment makers need to put security and consumer data privacy at the top of their to-do list and not just issue firmware updates to late-fix issues that shouldn't have been there in the first place," he says.
And the general call among the experts is for industry-agreed international standards -- possibly through standards bodies such as the BSI and CE in Europe. Most also demand regulation to enforce the use of those standards to protect consumers.
"The brand name manufacturers might take on the standards but the 'me-too' and the 'knock-off' firms won't," says Munro.
Professor David Rogers, who runs his own consultancy, Copper Horse, and is also a board member of the IoT Security Foundation, says many of the chipsets available today are not good enough to provide the security needed. He says companies such as Trustonic are starting to bring out chipsets that will make security easier to embed.
The experts have differing views on whether existing IoT protocols and technologies, such as Zigbee, Z-Wave, Bluetooth LE and others, are better or worse than one another. Even where security options exist, many point out that the security elements are not implemented in many smart home devices, partly to make things easier for the consumer.
"Smart home providers need to make it easier for the consumer to be safe by holding their hand, educating them about why they have to change their usernames and passwords and forcing them to do it," says Christiaens.
Home routers are partly to blame, as they do not allow for more complex settings. Consumers should, the experts say, have smart home devices on a separate network from the adults' computers, with a further separate network for games machines and children's devices, all with different usernames and passwords, so that hacking into one network does not give access to all.
The consensus is that smart home hacking is going to become a major headache. As one expert says: "We haven't seen the half of this yet."