A Rant about Smart Home Security Usability

(written by Lena Krächan & Tobias Schneider)

Introduction

Living in today’s age of mobility and the internet of things, residents of modern houses can easily interact with their smart homes. A smart home system is the thing to have. You can dim the lights, regulate the temperature, automatically open windows and doors, and control even more things and devices.
At the moment there is a huge interest in the area of smart home systems. Many different providers offer systems and protocols.
Therefore, it is not that simple to find the perfect solution for your own house. First of all, all systems differ from each other, so you need to know what kind of services you want to have. Secondly, security always plays a critical role. Are there any benefits or drawbacks to using a certain system?

The central point of all smart home systems is their base, the so-called “hub”. A hub is a distributor: it collects data and communication streams and routes them to the corresponding devices. Everything happens in a closed network, and the hub manages the data traffic. Having a hub integrated in a smart home system gives the user a certain feeling of comfort. The hub provides central control through a decentralised app, so users can communicate with the system over their smartphone or tablet, wherever they are. All control is directed over the hub component.

As one can see, the hub is the key component of a smart home system. Thus, in this article we would like to investigate the hub with respect to security and usability. In this context, security does not refer to network or hub security but to the security of the update process and its usability for users: what they can and have to do to keep their system up to date, and how user friendly that is. Furthermore, it has to be noted that our research was done solely online, since none of the smart home systems were at our disposal.

The Automatic-Update-Paradigm

Updates are important, we all know that. However, the average user is not a system administrator and tends to update rarely. Let’s use automatic updates then, right? Well, it is not that simple.

At first, it may sound like a great approach to install updates for the user automatically. The system is always up to speed, delivering the best user experience possible. Conversely, this means that the end user does not have to worry about security, nor anything else, and might even get new features. However, this rests on the assumption that all upgrades are desirable and that the newest version is always better and more secure than its predecessor. The past has shown that this is not always the case.
A few months ago an automatic update from Adobe deleted user files, and a forced upgrade to Windows 10 created a boot loop. Automatic updates are great as long as they work, but as soon as something goes wrong they can have serious consequences. This can be taken even further when we start to talk about responsible system maintenance: automatically installing a bunch of updates can lead to broken dependencies and other problems. However, the average user just wants their system to work, especially with Windows basically threatening their life when they turn off automatic updates (little exaggeration here). So what should we do?

A hybrid approach could mitigate the problem. Security updates would be installed automatically in the background, while other updates would be manually approved by the user. This still does not solve the problem of updates being broken, dangerous or in conflict with other dependencies, but it reduces the exposure. Furthermore, we would leave more control to the user and at the same time protect them from security threats. This would provide the average user with a working system and somewhat follows the “if it ain’t broke, don’t fix it” mentality, which might be the best approach for many users.

In a perfect world, every user handles their updates manually and has the knowledge of a system administrator. However, at the end of the day, people just want their systems to work. Not updating at all will create a security risk at some point, eventually stopping the system from working. Yet installing every update automatically could lead to the same result. Introducing a hybrid approach of automatic security updates and otherwise manual updates could mitigate the problem somewhat.

The Smart-Home-Provider-Saturation

Before we can look at the hub security of different smart home systems, we first have to find out how many are out there. And there are a lot. For the purpose of this post we narrowed the field down to the (in our opinion) biggest ones: Qivicon, Insteon, RWE SmartHome and Samsung SmartThings. If you do not agree with our choice, keep in mind that we are located in Germany. If you have information about different smart home systems from your country, don’t hesitate to post it in the comment section. Our main focus will be on usability and the differentiation between crucial security updates and optional feature updates.

Qivicon

Qivicon is the smart home system of Deutsche Telekom. It supports a large group of devices from different manufacturers. Their update policy appears to be either automatic or manual: some users reported automatic updates of their home base, whereas others stated that their smartphone application informed them about a new update. There were some contradictions regarding their update information as well. Users claimed that the information management about new updates is poor and that changelogs cannot be found. On the other hand, Qivicon states that they inform their users through the application that updates are available. No classification between security and feature updates seems to be made.

Insteon

Insteon’s smart home system only supports devices of their own brand. Third party gadgets cannot be used with the system.
Looking at their update policy, contradictions can be found. One support page from 6/5/2015 states that the firmware update 1009 was installed automatically, whereas another one from 8/6/2015 states that the firmware needs to be updated manually. Looking at the necessary steps for updating, the usability is poor. Following the menu structure Configure → Edit Devices → Hub → Check for Updates reveals whether new updates are available. It would be very difficult to hide such an important feature any better. No information could be found on whether the app informs the user via push or in-app notifications about new updates. Furthermore, no classification between security and feature updates seems to be made. If an update is not installed automatically, one can claim that the average user will not install it by themselves, especially since they are not informed that they have to look for one.

RWE SmartHome

RWE SmartHome supports, in addition to their own devices, a few third party ones like the Samsung SmartCam, the Netatmo Weather Station or the ENTR door lock. However, the number of external devices is rather limited.
RWE SmartHome informs the user within the web backend about new updates. They then have to be installed manually. No information could be found on whether the mobile applications inform the user about updates as well. Looking at usability, the user needs to log in to the backend to find out that new updates are available. Average users will rarely do that. Furthermore, no classification between security and feature updates is made.

Samsung SmartThings

Samsung SmartThings is pretty similar to RWE SmartHome when it comes to supporting third party devices. As of now it is only available in the US. Looking at their update policy, one can see that they only provide automatic updates. However, according to a statement, they are potentially planning manual updates. One nice thing to mention about Samsung’s update policy is the update information mail that is sent to the user 24h before the update happens. As with the other smart home providers, no classification between security and feature updates could be found.

Provider Conclusion

The four providers offer a mixture of automatic-only updates, manual-only updates, or both. Most of them seem to have poor information management regarding new updates. Users were complaining about the lack of changelogs and the generally bad communication. Furthermore, the update topic has not been communicated by any manufacturer on their website; information about it was well hidden on subpages of subpages.
Regarding usability, a mostly poor picture is drawn. Most providers do not seem to inform users properly. Insteon, for example, made it especially hard to find information about a new update in their app, as mentioned earlier. Nor could a common update scheme be found: some providers use email notifications, others their backend, and yet others use their app or no notification at all.

The Security-Usability-Proposal

So what should they do? Well, as mentioned earlier, the average user is not a system administrator. However, that does not mean that they should be treated as “stupid” by withholding information from them, for example changelogs. They should much rather be given an easy and understandable explanation of how and why to upgrade their system. So first of all: information management! Samsung does a decent job at it by sending out an email 24 hours before the update. Others just deploy an automatic update or hide the information about new updates within confusing menu structures. Sending out an email or a push notification to a smartphone would be a first step towards better communication. On top of that, the notification should explain to the user why a new update is available, what it does and what the benefits are.
However, this still does not solve the problem of automatic updates. As discussed earlier, automatic updates can cause a lot of harm. Yet relying on the user to update manually might be a problem as well. This could be reduced by improving the information management, explaining to the user why they should update their system.
As proposed earlier, one could automatically install security updates, whereas feature update installations would be left to the user. Which brings us to the next flaw: according to our online research, none of the providers differentiated between security and feature updates. According to our thesis this increases the risk of faulty updates if they are deployed automatically. We would recommend a separation between crucial and optional updates to increase system security while leaving the installation of feature updates to the user.
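A sketch of the hybrid policy proposed above, as an added example that is not part of the original post: a hub-side planner that installs security updates automatically after advance notice (the 24h mail idea), leaves feature updates to the user, and always attaches the reason and changelog to the notification. The Strategy and Update types and the sample updates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class UpdateKind(Enum):
    SECURITY = "security"
    FEATURE = "feature"

class Strategy(Enum):
    AUTOMATIC = "automatic"  # everything installs itself
    MANUAL = "manual"        # everything waits for the user
    HYBRID = "hybrid"        # the proposal: security auto, feature manual

@dataclass(frozen=True)
class Update:
    version: str
    kind: UpdateKind
    reason: str     # why the user should care, in plain language
    changelog: str  # shown in every notification, never withheld

@dataclass(frozen=True)
class Decision:
    version: str
    action: str                     # "install" or "ask"
    install_at: Optional[datetime]  # None while waiting for user approval
    message: str                    # the notification text

def plan_updates(updates, strategy, now, notice=timedelta(hours=24)):
    """Map pending updates to install decisions and user notifications."""
    decisions = []
    for u in updates:
        auto = strategy is Strategy.AUTOMATIC or (
            strategy is Strategy.HYBRID and u.kind is UpdateKind.SECURITY)
        if auto:  # give advance notice, like the 24h mail mentioned above
            when, action = now + notice, "install"
            head = f"{u.kind.value} update {u.version} installs at {when:%Y-%m-%d %H:%M}."
        else:
            when, action = None, "ask"
            head = f"{u.kind.value} update {u.version} is available; approve it in the app."
        decisions.append(Decision(u.version, action, when, f"{head} {u.reason}\n{u.changelog}"))
    return decisions

# Constructed sample data, not taken from any real provider.
NOW = datetime(2016, 5, 1, 9, 0)
SAMPLE_UPDATES = [
    Update("2.3.1", UpdateKind.SECURITY, "Fixes a flaw in hub login.", "- hub login hardened"),
    Update("2.4.0", UpdateKind.FEATURE, "Adds scene controls.", "- scenes\n- new icons"),
]
```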

Conclusion

As of now (May 2016) smart home systems lack a lot of usability and transparency regarding the hub and its security. Updates are installed automatically or manually; some providers inform users about updates, some do not, and some just hide the information. Despite the fact that many providers are still trying to do their own thing and do not support third party hardware, they all seem to lack a basic understanding of usability, and even of user experience. Users are patronized by automatic updates without changelogs, or not informed about manual updates they should install.
So far, the security usability of smart homes for the user is bad. Following the approach of automatic security updates and manual feature updates could mitigate the current problem and increase usability for the users. Smart home providers need to understand that their users want the system to work and typically have no interest in mastering the technology behind it. However, it is a thin line. Users should neither have to worry about their systems’ security nor their systems’ operability. If one is dismissive of the auto-manual update approach stated earlier, providers could also take it one step further and implement a first-start wizard that asks users about their preferred update strategy and guides inexperienced users through the setup process.
Yet all of this does not solve the biggest problem so far: every provider does their own thing. Too many technology platforms and protocols are around, and no standard can be found so far. Rather than simplifying the use of smart homes for the user, the manufacturers are engaged in a battle of protocols and “standards”.

The following scientific questions could be derived from that:

  • Is a separation between security and feature updates reasonable, or does it not change the outcome?
  • How do you get the user to install feature updates at all, if they are manual?
  • Could it be an advantage to develop a general smart home update guideline or should every manufacturer follow their own theorem?

Sources