IoT Security Breach a Frightening Surprise for Alberta Woman

Homeowner Taylor Fornell was distraught when a stranger remotely took over her security system shortly after she moved into her Stony Plain, Alberta home. 

As reported by CBC Go Public, the stranger contacted Fornell informing her of his ability to control the security system. He demonstrated the claim by disarming the system, unlocking doors and windows, and telling her that he could track her departures and arrivals via an app. Although frightened, Fornell was ultimately fortunate that the stranger, Rob Hall, was the former resident of the house who wanted to alert her to the situation. 

Hall had contacted security provider Vivint to cancel his service weeks before Fornell moved in, but no action was taken. Security and privacy experts say that such weak cancellation policies are intended to increase profits by making it more likely that the new resident will continue service, and that they come at the expense of consumer privacy and safety. However, Vivint contends that it requires 30 days to cancel so that customers can find another provider, move out of the house, or continue to protect a vacant property during a sale.

In the case of Hall’s contract, Vivint said that no move-out date had been discussed when he originally notified the company to cancel the service. After Hall demonstrated to Fornell that he could access her system, the company told him that he would have to wait a few more days before being cut off, leaving him incredulous at the policy. Vivint stated that access could be cut off immediately if necessary.

Three other residents shared similar experiences with Go Public regarding their issues with Vivint security systems. 

"Our company policy is to confirm this timing but that step was overlooked in the cases you have shared … We have reviewed our process to ensure these situations are handled per our policies moving forward," spokesperson Liz Tanner told Go Public in an email.

The Whole World Could Be Watching

Problematic cancellation policies are just the tip of the IoT security pitfall iceberg. These devices are increasingly used in people’s homes as well as in medicine and other crucial industries, and they have demonstrated their vulnerabilities in recent years. CBC Marketplace aired a segment in which reporters visited the private homes of families who had purchased security systems to inform them that live-streamed footage from their homes was being posted online for anyone to view. In some instances, families experienced the horror of hackers taking control of baby monitors in the middle of the night, turning the heat up to uncomfortable temperatures, and other breaches of privacy.

The underlying issue in many of these cases was security cameras and other IoT devices that rely on default passwords or lack passwords completely. CBC Marketplace estimated that there were about 100 million IoT devices connected to the internet in Canadian homes vulnerable to security breaches. White-hat hackers, trained individuals who can expose security issues before criminals find them, have been able to hack devices such as Nest cameras that have a reputation for being more secure. Experts encourage consumers to change passwords on new IoT devices, have a different password for each account, and choose strong passwords that are long or contain multiple phrases.

Beyond what steps everyday consumers can take to protect themselves, manufacturers of IoT devices play a major role in security. One simple way that companies can help protect the safety of their customers is by providing two-factor authentication for each device. Some companies are taking extra steps to ensure that the latest security features are baked into devices at the time of manufacture. As the rise of cybercrime necessitates more stringent safeguards, third-party organizations such as Underwriters Laboratories have stepped in to provide security credentialing for consumer IoT products.