What is a professional to do once they realize that a manufacturer will no longer provide firmware updates for a Wi-Fi access point they installed years before? What are our responsibilities, if not to inform our clients that, even if the gear seems to work perfectly, there might be a potential security issue?
This is a fundamental question all Home Technology Professionals should ask themselves, and discuss with their clients, even before talking about watts, pixels, and inches. The good part of putting this on the table right at the beginning is that it naturally and decidedly introduces the concept of yearly scheduled “maintenance” visits to keep the system working and “as safe as possible”.
This article is not meant to be apocalyptic or to terrify professionals and end users. It is also not meant to encourage anyone to take this opportunity to milk clients by suggesting services that are superfluous at best. The point is this: to highlight the fact that we are obviously under attack and vulnerable. We can no longer ignore that any one of the connected devices in a home could be hacked and turned into an entry point in order to completely control a house.
Some fail to realize that the purpose of a residential network has dramatically evolved over the years. What was once a single PC connected via Ethernet to a modem has essentially become the backbone of a home, responsible for connecting us with virtually everything that rules our lives.
Connected objects are not just funny gadgets anymore: people now rely on them to turn lights on and off, water the garden, open and close doors, check if the kids are safe at home, help elderly people stay at home, stay connected with friends and family, access health services… the list goes on and on.
Therefore, the consequences of an intrusion in such a connected house can be devastating, as an intruder can literally plunge someone into the dark and turn on the air conditioner until it freezes. A new challenge comes with this: how does a professional warn a client without discouraging or scaring them off? If we fail to explain clearly, though, is it not akin to a dealer selling a car without warning the first-time buyer of the need to change the brakes after a certain mileage?
To be crystal clear: each time a professional installs any connected device (a Wi-Fi access point, a home automation controller, a Blu-ray player, etc.) on a local network, even if it is via Ethernet, it creates a security breach. It’s a little time bomb and, one day or another, a virus or a worm could attack it. In a perfect world, professionals would always have a document for the client to acknowledge that they explained the dangers of connected devices, and the client could sign a discharge of responsibility if they do not want any kind of support from the installer in the future. In reality, however, this could be an awkward conversation for a professional, especially since we cannot really find any backing from the industry. We live in a manufacturer’s fairy tale where, in order not to frighten anyone, they sell items with a minimum of information provided. These buyers are people who could not care less about upgrades and updates as long as everything is working. In a perfect world, every connected device would carry a clearly posted notice to check the manufacturer’s website every 3 months for new firmware.
Here are some thoughts for an open discussion:
– No system is 100% secure! Therefore, we are responsible for what we install and have a duty to do all that is technically possible to keep our clients safe.
– The standardization of the protocols and procedures used (Z-Wave, Zigbee, IP, etc.) would drastically help this industry with security and much more.
– The use of a remote supervision system that reads firmware versions is a great help, as professionals can check remotely and even set up notifications when upgrades are available.
– When a firmware upgrade has just been released, how quickly is a professional with a maintenance contract supposed to act in response to their client? 1 hour? 24 hours? 1 week? Only a judge will decide the day it is taken to court.
– What do we do for some products, like a TV for example? There is no way for the client to change it until it is dead. Manufacturers will not support it after 2 years max (if we are lucky), and a TV can last 8 years. Do we have to force manufacturers to support devices for 5 years? 10 years?
– The obvious way to hack a house is via Wi-Fi; therefore, we should always install the latest products, with a maintenance plan to keep them up to date. We also need to consider Wi-Fi equipment as something consumable so we can change it as often as necessary.
– Even if Wi-Fi seems to be the obvious way to hack a house, 90% of potential attacks will come from the Internet itself. It could be through an attachment on an email, a rotten program you downloaded, or a direct attack on your modem. A real firewall, updated regularly, could be a good solution, especially if you have teenagers who spend their lives on the web.
– If we are forced to change every connected product every 5 years, for example, what will be the ecological impact, and who should pay for this?
In this endless game of good vs. evil, more than ever we need to be prepared for this battle and have a plan to counterstrike. Discussions like the ones mentioned previously will more than likely reach your clients. If they are not adequately informed by you, the professional with a duty of guidance, you may well lose your client’s trust as well as their business.
Remember: when it comes to the security and privacy of people, there are no important or less important clients. ALL deserve the same level of information and treatment.