I had no idea when I got the initial email about my apartment going “smart” how much my life would change in the course of a month. At the time I was speaking in front of a room of cybersecurity journalists, and it was all I could do to keep my cool and quickly blast off an appalled (and probably less than tactful) tweet. Only a few weeks later, my situation has changed everything.
I have (in no particular order):
- Disassembled several absurdly expensive locks in my bathroom. With drills, and without.
- Taken days off work to tear into a residential IoT system (a slight departure from my usual IIoT and ICS work).
- Delved into tenancy law and tenancy privacy precedent.
- Spent way too much time reading into the history and politics of “smart” rental markets.
- Recruited a small platoon of absolutely amazing security experts and locksmithing experts to assist me with a frantic effort under the gun to fully reverse engineer several of the systems on the market. I wasn’t wrong. POCs have been created. I’m incredibly grateful.
- Found a realtor, applied for a mortgage, and started house-hunting.
- Had meaningful conversations about cybersecurity and planning with four “smart-apartment” vendors. They actually listened and genuinely seem to care. They’re hiring. If you want to be on the front lines of this, let me know and I’ll get you in touch with firms who need red team and blue team talent, now!
- Met three cybersecurity people leasing from the same management company as me, and teamed up with them to do awesome research I hope we can speak about, someday. I’m sad they still feel they’re being forced out of their homes.
- Turned down about 10 interviews with major news outlets, per responsible disclosure.
- Appeared on NBC News talking about (general) smart home security.
- Was recruited to speak on this story at one of the biggest multifamily technology conferences in the United States, MTEC.
- Sent a certified letter to my property management company signed by 6 experts (with less response than I received from the vendors themselves). We’ll hope for the best.
- Been informed that I’ve practically halted a deployment, that liability analysis is being done across the multifamily rental industry, and that the industry is widely glad I was there. I’m glad I was there too, but I suppose I wish it had come with a rent credit or a large bottle of gin. 😉
Phew! What an adventure.
What can I say after all of that, within the context of my original blog?
Firstly, I’m tentatively quite impressed by the reaction of the smart apartment vendor market and the property management technology market. Their response was quick, courteous, and engaged. That’s incredibly rare in the security disclosure space. They genuinely seem to care about security and liability – some even seem to have privacy concerns. However, they need money and demand from an extremely competitive and rushed sales market in order to build things securely. I was also stunned at the positive and supportive messages I got from MTEC contributors and organizers.
I’m less enthused about the (lack of) reaction from my own property management firm – but I’m not sure if that’s a technical, financial, or legal quagmire. I’m truly sorry to have caused them difficulties, but I was provably correct in my concerns. Regardless, I’m politely packing my life up as quickly as possible after a fairly pleasant and incident-free decade renting at their properties. I’ll be relieved to have my own place.
As a parable, I knew something was wrong the moment I read the subject line of the very first email, because I work in Industrial Control System security, specifically critical infrastructure like power plants and water treatment. What is happening in the multifamily market right now happened one to two decades ago in the ICS space – people chose to connect things to the internet for convenience and cost savings without anybody there to say “stop” in terms of future liability and security risk. My professional life now is essentially triaging, mitigating, and repairing the damage done by this as systems fall out of support and become vulnerable and exposed. It’s not cheap or easy.
I’ll do the immediate speaking circuit on this, but I’ve done about all I can as an individual. I can’t be the only torch-bearer for this cause. In the IT space, products can be secure, cheap, or quick to deploy. Maybe two, but not all three. The demand for these products is currently for “quick” and “cheap”. If tenants are happy with that, that is absolutely what they will get en masse. If consumers clearly demand secure (and private), the companies that develop and sell smart apartment systems largely have the capacity and interest to make them so. I highly recommend you read my original blog and give it some serious thought. Not everybody has the choice to rent or not rent. In a few years this will be the status quo – as I previously said, let’s do it right the first time.
Finally, up to this point, responsible and courteous disclosure has worked. I’ve engaged an industry that genuinely is trying to improve (at the very least, from a liability perspective). There’s a lot of negativity in the infosec space about trying to get big concepts about risk and privacy into other verticals, and this was definitely an exception. I couldn’t be happier about that. This is so incredibly important for how US citizens live in the future.
Where this story goes next, however, remains to be seen. My chapter is done.