Heating app highlights insecurities

Posted On 17 Sep 2015

As the security industry has experienced huge app development over the last few years, what can we learn from the recent news that the British Gas app is in hot water?

The Which? probe into smart thermostat systems revealed that the Hive app was sending data that included what times heating was set to go on and off, along with labels such as ‘awake’ and ‘away’, unencrypted – so someone who had tapped into the homeowner’s wi-fi would be able to see what was sent.

Described by certain media outlets as a ‘burglar’s dream’ that could tell criminals the best time to break in, the Hive Active Heating app is intended to allow customers to heat their homes remotely and programme a schedule for when to turn the heating on and off. However, the lack of encryption means that hackers could access the information and make their own judgements on the most likely time for an uninterrupted spot of burglary.

British Gas has now agreed to start encrypting the data, in a bid to reassure customers that their personal information will remain safe.

The problem is that British Gas assumed people would be using the encryption that comes with most wi-fi routers, but, as we know, members of the public don’t always do what they should. Encryption and passwords are both part of the router set-up procedure: one protects the data you are sending, the other stops the unwanted hijacking of your internet service.
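A defender-side check that makes the distinction in the paragraph above concrete: a small Python triage over captured app traffic that flags cleartext HTTP flows carrying occupancy labels or a postcode, and skips TLS flows, which stay protected whatever the router’s wi-fi encryption is set to. This is an added example, not code from the article or from Hive or British Gas; the field names, labels and captured payloads are constructed assumptions.

```python
import json
# Field names and labels below are constructed for this example, not the real Hive format.
OCCUPANCY_LABELS = {"awake", "away", "asleep", "home"}
LOCATION_KEYS = {"postcode", "postal_code", "zip"}

def is_tls(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake) or 0x17 (app data), version 3.x."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03

def http_body(payload: bytes):
    """JSON body of a cleartext HTTP request, or None if this is not one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or head[:4] not in (b"POST", b"PUT ", b"GET "):
        return None
    try:
        return json.loads(body or b"{}")
    except ValueError:
        return None

def find_leaks(obj, path=""):
    """Collect JSON paths whose key or value reveals occupancy or location."""
    leaks = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k.lower() in LOCATION_KEYS:
                leaks.append(here)
            leaks.extend(find_leaks(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            leaks.extend(find_leaks(v, f"{path}[{i}]"))
    elif isinstance(obj, str) and obj.lower() in OCCUPANCY_LABELS:
        leaks.append(path)
    return leaks

def triage(flows):
    """(name, tcp_payload) pairs -> {name: leaked JSON paths} for cleartext HTTP flows."""
    report = {}
    for name, payload in flows:
        body = None if is_tls(payload) else http_body(payload)  # TLS: protected end to end
        if body is not None and (leaks := find_leaks(body)):
            report[name] = leaks
    return report

# Constructed capture: one cleartext schedule upload and one TLS handshake fragment.
SCHEDULE = {"schedule": [{"time": "07:00", "state": "awake"},
                         {"time": "08:30", "state": "away"}], "postcode": "XX1 1XX"}
SAMPLE_FLOWS = [("schedule-upload", b"POST /api/schedule HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                 + json.dumps(SCHEDULE).encode()),
                ("tls-flow", b"\x16\x03\x01\x00\x05hello")]
```

Running `triage(SAMPLE_FLOWS)` reports only the cleartext upload, naming the schedule states and the postcode field; the TLS flow produces nothing, which is the behaviour an app should show on every request.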

Hive told Which? that while it did not believe there were security risks, it has now encrypted this information. It acknowledged it wasn’t best practice to expect people to have encrypted wi-fi. As a result of these findings, British Gas said it had immediately changed its app to make it more secure.

A spokesperson said: ‘We’re constantly changing and updating the app in response to customer feedback. Some of the information about your heating schedule wasn’t encrypted, but it has been encrypted now.’

She claimed that only a hacker who was ‘super technologically literate’ would have been able to access any data sent by the Hive app. Which? also found that Nest was sending out data on users’ postcodes without encrypting it, despite claiming that the information was secure.

All of this follows on from the many discussions in the security industry about the safety and security of the ‘Internet of Things’, or IoT, as this type of technology is called. It is especially pertinent today, as so many companies have concluded that they must have an app (everybody’s got an app, haven’t they?) irrespective of their function or product portfolio.

The latest estimates indicate (as of July 2015) there are 1.6 million apps for Android users and 1.5 million for Apple devices. A lot of people are producing apps!

We’ve recently experienced a rush to meet a perceived market demand for smart technology similar to the one we saw in the 90s, when it was suddenly decreed that everybody absolutely must have a website. This dash toward online content resulted in the mass creation of web content that quite often missed the mark and, while it gave the company the chance to boast “yes, we have a website”, this networked marvel of marketing was no more than the company brochure or catalogue listing in electronic format.

It has taken about twenty years for the widespread Internet to reach the state it is in today, and there cannot be many, if any, sites that have remained unchanged from day one. This is something that app developers, manufacturers and vendors need to keep in mind, especially those in the security industry. Early apps were, again, often no more than automatic links to company brochures or catalogues, and it has only been in the last few years, as the take-up of smartphones has wiped out just about all other forms of mobile phone, that the app has developed sufficiently for us to see where the future of this tool might go.

The app is a business boon for installers. It’s great to be able to offer customers something on top of just the hardware and it can also lead to recurring revenue further on in the contract period. What you don’t need to be doing is fitting something that is inadvertently putting customers and your future business at risk with an unsafe feature or service.

For more security business news see The Paper at www.thepaper.uk.com