Staff Spotlight: NIST Usable Cybersecurity Security and Privacy of Smart Home Devices

In March, we highlighted the work that NIST conducts in usable cybersecurity technology and protection against phishing scams by sharing thoughts from Kristen Greene, a NIST cognitive scientist. Greene provided excellent tips to help full-time telework employees understand and recognize potential phishing scams. In our second blog post in this series, Susanne Furman, also a NIST cognitive scientist, offers her expertise regarding the security and privacy of smart home devices.

This year, consumers will spend more than $40 billion in the smart home device market (connected doorbells, vacuums, refrigerators, Internet of Things products like Google Home or Amazon Echo speakers), and nearly half of all U.S. households will have a smart home device by 2023. As smart home devices become ubiquitous in our society, Furman and other NIST researchers are confronting how well they protect individuals’ privacy and security. We asked Furman several questions about her important research and findings on this topic.

What’s your background, and how did you come to be at NIST working on usable security projects?

I completed a Ph.D. in Human Factors and Applied Cognition from George Mason University, and have worked for both the private and public sectors. At General Electric and IBM I worked on creating user experiences for software and large mainframes, but I decided to switch to the federal government because of the job security. I was hired by the Department of Health and Human Services (HHS) in a usability engineering position and worked on usability.gov. I then came to NIST to work with old friends and acquaintances, who had been telling me throughout the years about their amazing research projects. So, I thought NIST was a great fit and much needed change.

I am a cognitive scientist here at NIST, researching usable privacy and security in technology. Too often, the end user is excluded from technology design and blamed when security is breached. NIST’s goal and my research focus has been to understand the perceptions and behaviors of end users interacting with various technologies — from fingerprint devices to smart homes — and how to improve that experience.

Can you tell us about your research into smart home device security and privacy?          

In 2012, we conducted a study looking at user perceptions of online behaviors by asking them questions about their online activity (banking, bill paying, shopping, etc.) and the level of privacy and security they felt engaging in these activities. The findings showed that these participants wanted the online entity to keep their information secured and private but had no idea how to find out if the company or organization was doing exactly that.

Another study in 2014 into usable privacy research had us look at participants’ use of their Facebook credentials to authenticate to a third party (i.e., The New York Times). We wrote code that intercepted the Facebook message that informs the user that they are going to share the private information with the third party and replaced it with one of three conditions: no notice; a list stating that their hometown, address, email, birthday and pictures would be shared but not displaying that information; and a list sharing their actual information (their hometown name, their physical address, email, etc.,) on screen. We found that the longer the individuals took looking at the message, the less likely they were to share that information with even a reputable site like The New York Times.

In both studies, participants would disclose personal information based on a cost-benefit trade-off. If they really wanted the app or the device or to be able to complete tasks online, they would perform a cost-benefit and try to decide what the risks were to their privacy.

These studies have led us to our current focus on smart home devices and technologies. “Smart” devices like our TVs, doorbells that send video directly to our phones, apps that let us control our lights, laundry machines, thermostats, and countless other home products —  are being used by consumers who may not fully understand how these technologies impact their privacy and device security. We recently completed 40 in-depth interviews of smart home device consumers asking them:

• why they purchased the device,
• who they thought was responsible for the privacy of the information the devices collected,
• the security of that information, and
• what, if any, remediation the consumer took to protect the privacy of their information and device security.

Why should industry/consumers be concerned about security and privacy of the smart home devices they put on the market?

Smart home devices perform different functions than our online devices, as we typically aren’t using a smart refrigerator to pay bills or a smart thermostat to send emails. A computer can simply be turned off or disconnected from Wi-Fi, but for smart home devices to work as designed, they must always be connected to the internet. This results in new avenues of potential exposure to cybersecurity issues for consumers.

Responses from the study participants showed that they did not know what types of information were being reported to the company from the smart home device, and evoked great concern about data breaches or the potential hacking of the smart home device. For instance, hacked data from a smart vacuum could show when the vacuum was in use and where it operated within the house. Those small pieces of information could be pieced together by a criminal to know when you are not home and break in. We also heard that families having very personal conversations would unplug and move their Google or Amazon smart speaker out of the room so that the speakers couldn’t listen in on their conversation.

These examples are scary but underscore why smart home device manufacturers need to give more options to consumers to protect their information and secure their devices, as described in NISTIR 8259, "Foundational Cybersecurity Activities for IoT Device Manufacturers. These usable cybersecurity issues require the smart home manufacturers to develop a new area of expertise they didn’t need in the past.

What should consumers look for when deciding on how protective/secure their smart home device is?

Currently, consumers have very few options to determine the privacy and security levels of their devices. Users must make the tradeoff of obtaining the device’s benefits while not always knowing how their data is being used or accessed. They buy the device and agree to the never-ending user agreement that, way down in the text, may state the manufacturers’ intentions for the data collected by the device. Too often, I have heard the adage that the user is the weakest link. However, nothing they could do or could have done would have protected them against the huge breaches in security that puts their financial information at risk.

Consumers can do searches online for testing results and reviews with government and non-profit consumer safety organizations that may help them find out more about the privacy and security of devices. Because of the newness of smart home devices, there are no government or industry requirements for a base level of privacy and security. At NIST, we are starting to look at the idea of putting privacy and security labels on the devices that would help consumers make a better decision on which device to purchase (like ULC and nutrition labels). Hopefully, consumers can help drive the manufacturers to give better privacy and security options, as that is one of the fastest ways to enact change when it comes to the marketplace and industry.

What is your favorite thing about working at NIST?

I have been at NIST for 10 years and previously, I hadn’t stayed at a job for more than 5 years. That should tell you a lot about the people I work with and the many different projects I work on. I get to work with some of the most brilliant people in the federal government doing research that is a lot of fun with new technologies that most people never get to see. I’ll be at this job until I retire.

To learn more about NIST’s research into usable cybersecurity for smart home devices, visit this link.