Research by application security company Veracode has warned that a coming together of the cloud, the Internet of Things (IoT) and an increasing number of connected devices will present the very real threat of offline and cyber criminality.
The IoT is usually described in glowing terms and is seen as vital by the UK government, but Veracode said that the technology is far from risk-free and that the US Federal Trade Commission shares its concerns.
The firm explained that the IoT could let criminals listen in to homes through connected microphones and use the collected information for blackmail or harassment, for example.
A Veracode IoT security research study (PDF) looked at the rise of connected devices and services and the current security landscape.
The researchers chose six currently available options to study, including garage door system MyQ Garage, the SmartThings Hub, the voice controlled Ubi home automation system, and the Wink Relay combined device and automation system.
Devices used in the study were purchased in December last year and were up to date in terms of firmware as of mid-to-late January 2015.
Veracode said that it did not look to penetrate the cloud services and software involved, but to discover information about the security of the communication between the devices and the cloud.
Tests included a check to see whether secure communications like SSL and TLS are allowed or used, whether any associated certificates are current and in place and whether any encryption is present. Systems were also assessed for password security.
In terms of connections between users and the cloud, cryptography is required across all the systems tested with the exception of Ubi. In fact, the systems performed well in each category except in their rules about choosing a strong password. The SmartThings Hub was credited with honours in this area.
Veracode said that failing to insist on encryption can create a number of attack opportunities, including the ability to insert spyware.
The firm also studied communications with the cloud services to which the devices are connected. Lax policies here could pave the way for man-in-the-middle attacks and throw communications wide open.
"If the device fails to encrypt communications with its control services, an attacker with the ability to passively monitor the traffic would gain access to all sensitive data sent by the device as well as any authentication credentials or session tokens," Veracode said.
"Without adequate protection against man-in-the-middle attacks, an attacker with the ability to intercept and forward traffic between the device and its service could receive and modify traffic sent in both directions."
Veracode has predicted the sort of incidents that people might face, including a loss of control over their home. Attackers could take control of heating or lighting systems or open doors enabling access to a property.
Gartner predicts that there will be 26 billion connected IoT devices in use by 2020 and that there are around five billion in use today.
Veracode said that attacks are likely to continue unless changes are made. "It's hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn't mean cyber security should be sacrificed in the process," said Brandon Creighton, Veracode security research architect.
"We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception.
"Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm."
However, some of the firms whose products were highlighted in the study have taken issue with the results.
Chamberlain, the company behind the MyQ Internet Gateway, told V3 that the Veracode study is based on devices running firmware that is already out of date. But the firm concedes that the advice on securing networks is sound.
"Chamberlain has reviewed the Veracode study and confirms that the MyQ product test is out of date, as the Chamberlain Group continually reviews and makes improvements to its product security," the company said in a statement.
"Additionally, we disagree with some of the findings in the report and will work with Veracode to share our concerns.
"Chamberlain takes the safety and security of the smart home very seriously. Our continuous security updates and processes include using industry standard encryption, applying the latest security techniques, and periodic security testing with respected outside services.
"This study is a good reminder to homeowners to keep their networks secure by using strong passwords and security settings."
Wink, which makes the Relay device used in the study, told V3 that it too had updated its firmware and that this was available to customers.
The firm runs a bug bounty programme, and said that it demands strong standards internally and would like to see the same from the industry.
"The industry needs to step up to the challenge and address security and privacy concerns head on. At Wink, security is a top priority," said Wink head of security Brian Knopf.
"We work with internal and external security experts to ensure that security standards are exceeded, and regularly have our products tested and audited by third-party security researchers. Transparency is key.
"Beyond Wink, we believe that the establishment of an industry-wide rating system for IoT devices would greatly benefit consumers by helping them understand and evaluate which manufacturers take security and privacy seriously."
V3 is waiting for responses from the other companies.
The new processors support Intel's Optane memory acceleration technology
Blockchain's killer app is bitcoin, the rest is mostly 'pure marketing', says MaidSafe's David Irvine
Blockchains are not suited to many of the data security purposes being put forward for them
Applications from some member states were down more than 40 per cent
A new RSA report urges coders to sign a 'Hippocratic Oath' before embarking on AI programmes.