Source: 上海樊伊电子科技有限公司 Published: 2018-01-14 20:34
Home automation systems are becoming smarter and more connected with the launch of every new product and platform. As more of our homes come online, our day-to-day routines become more convenient and more efficient. They also, however, become more accessible to others.
Figure 1: As more of our homes come online, they become more accessible to others.
While there are clear benefits to automating the home, it’s important that users become aware of what they might be giving up in return. And what is being given up is data.
People know that their data is valuable, but it can be valuable to different groups for wildly different reasons, ranging from the slightly unnerving, to the creepy, to the downright dangerous.
For example, a home automation platform that knows which household member is at home at any given time may offer convenience by adjusting temperature and lighting to that person’s preferences, but for the platform supplier, the value of this data could be in knowing that now is the perfect time to display certain highly targeted and individualized advertisements on your connected smart TV.
The precedent already exists. Over 10 years ago telecom companies were reportedly selling home internet usage data (indicating when people were at home) to telemarketing companies so that they could call potential customers during the times people would be there to pick up the phone. Now think about how much simpler and more highly targeted a fully connected home could make it for companies trying to sell you things.
Samsung recently admitted that its smart TVs would record your living room chatter. Creepier still, the company’s small print says that its Smart TV’s voice recognition system will not only capture your private conversations, but also pass them on to third parties. In its defense, Samsung says it takes consumer privacy “very seriously” and notes that all its Smart TVs employ “industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.”
At the extreme, and illegal, side of the equation, automated systems that know when a person or family is home can also be hacked or used by burglars targeting a home or neighborhood.
“Each smart device we add to a home is equivalent to adding another door or window. Without the proper embedded security within the device, the lock is nonexistent,” says Dip Patel, co-founder of Ecovent. Patel has been a leading voice warning that smart home automation devices lack security features and leave homeowners open to attacks on their home networks and devices.
“It's so easy to connect things to the internet these days, but the harsh reality is that smart devices can be dumb when it comes to security,” he adds. “Anyone with a little more-than-basic understanding of computers can gain access to a home network and any devices connected to it.”
Figure 2: "Smart devices can be dumb when it comes to security."
Patel points to a recent Symantec survey of home automated systems like smart thermostats, locks, light bulbs, smoke detectors, energy management devices, and hubs, noting that the results were “sobering.” An in-depth study on attacking network-connected embedded devices and the likelihood of home invasion as a result can be found here.
Security on most of the devices was found to be not only severely lacking but sometimes completely nonexistent. Case in point: Symantec found that one in five devices did not encrypt communications, and many did not lock out attackers after multiple password attempts.
Zach Feldman, chief academic officer and co-founder of the New York Code and Design Academy, says he personally uses a lot of home automation products in his apartment. Feldman claims that while most of the ones he’s used are secured “decently well” with OAuth2 authentication to access control points, and “usually” all inbound and outbound traffic is encrypted with SSL, “programming novices trying to have fun with their devices and publishing their code online do risk publishing API keys and other sensitive authentication data. If the wrong key is pushed out, some funny and occasionally messed-up things might happen.”
Feldman goes on to explain that if someone were to find his Nest API key, they could “pretty much bake me or freeze me out of my apartment,” and the only way to stop them would be to revoke/change the key, though it would require a certain level of awareness and technical ability.
Feldman’s hypothetical is not entirely hypothetical. A Reddit user recently and famously boasted about how he got revenge on a cheating ex by taking control of her home thermostat, jacking up temperatures while his ex and her current lover were away and lowering them again once they returned home, to hike up their electricity bill.
While temperature hacking may be seen as annoying but mostly harmless, Feldman says the home automation device he’s most worried about being hacked is his August smart lock, an IoT-enabled padlock. “It's one thing to come home to your apartment being too hot or too cold but a whole different ballgame to find your home broken into by hackers with the right API key!” he says, adding that his advice to people who want to hack their home automation components is to “make sure to use environment variables to store sensitive credentials rather than hard-coding them into your in-progress software.”
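Feldman's two points, the risk of publishing API keys with hobby code and the advice to keep credentials in environment variables, can be checked before code leaves your machine. The Python below is an added example, not code from the article or from any vendor: it flags string literals assigned to credential-like names and shows an environment-based loader that fails closed. The variable name `THERMOSTAT_API_KEY`, the name heuristic, and the sample key are all constructed for illustration.

```python
import os
import re

# Heuristic (an assumption of this example): a quoted literal assigned to a
# name that looks like a credential. Real scanners apply many more rules.
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|passw(or)?d)", re.I)
ASSIGN = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(['"])(.*?)\2\s*(#.*)?$""")

def find_hardcoded_secrets(source):
    """Return (line_number, variable_name) for each hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m:
            continue  # not a plain string-literal assignment
        name, value = m.group(1), m.group(3)
        # Skip empty strings, short values and "<placeholder>" style values.
        if SECRET_NAME.search(name) and len(value) >= 8 and not value.startswith("<"):
            findings.append((lineno, name))
    return findings

def load_api_key(var="THERMOSTAT_API_KEY", environ=None):
    """Read the key from the environment; refuse to run if it is missing."""
    environ = os.environ if environ is None else environ
    key = environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to start without a credential")
    return key

# Constructed samples: BEFORE hard-codes a made-up key, AFTER reads the environment.
BEFORE = '''import requests
API_KEY = "c.EXAMPLE0000notarealkey0000"
TARGET_TEMP = "72"
'''
AFTER = '''import os
API_KEY = os.environ["THERMOSTAT_API_KEY"]
TARGET_TEMP = "72"
'''

if __name__ == "__main__":
    print("before:", find_hardcoded_secrets(BEFORE))
    print("after: ", find_hardcoded_secrets(AFTER))
```

A key that has already been pushed to a public repository should be treated as exposed and revoked, as Feldman notes; removing it in a later commit does not remove it from the history.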
That’s all well and good for the technically savvy, but what about those with little technical knowledge who have simply been persuaded to buy the latest and greatest connected gizmo that purportedly increases the safety of their homes and loved ones?
Lisa Hoffman of HTE (Home Technology Experts) agrees, noting that the biggest issue really occurs with DIY home automation: people install a camera or lock and forget about it. “Even though the manufacturer is sending them emails warning about issues, telling them to install updates, they are busy and don't apply them. If they had a huge hole in a fence or no locks on their doors, they would fix it, but because they can't physically see the security breach, they ignore it until it's too late.”
Perhaps the most terrifying tale of home automation gone wrong is that of a couple in Cincinnati whose baby-monitoring camera had been hacked and was being controlled by a virtual intruder.