Realtors, OTA Publish Provisioning Checklist for Smart Homes

The National Association of Realtors and the tech industry group the Online Trust Alliance have a checklist for provisioning smart homes. (Photo courtesy of Target Corp.)

In-brief: smart homes aren’t just sold – they must also be ‘de-provisioned’ by the seller and ‘re-provisioned’ by the buyer. The National Association of Realtors and the Online Trust Alliance have a new checklist for doing so.

Home buyers have learned to expect the house they purchase to be empty and “broom clean” when they move in. But in an age of smart homes, stepping into a new residence involves much more than taking possession of the keys and making sure the previous owner hasn’t left any packing crates behind.

Indeed, smart homes aren’t just sold – they must also be ‘de-provisioned’ by the seller and ‘re-provisioned’ by the buyer, a process through which the prior owners transfer access to critical household systems to the property’s new owners, while simultaneously expunging their own (sensitive) data from those systems.

But how? Just in time, the National Association of Realtors (NAR) and the Online Trust Alliance (OTA) have published a guide for would-be home buyers to make sure they stay on top of the smart home provisioning and de-provisioning challenge. The organizations released the “Smart Home Checklist” (PDF) on Wednesday.

“As smart technology becomes more prevalent in our homes, it’s important that we all take precautions to protect our data and privacy,” said NAR President Chris Polychron in a statement. “The Online Trust Alliance’s Smart Home Checklist takes a common-sense approach to protecting sensitive information and offers sound advice for anyone who uses smart technology in their day-to-day lives.”

The Online Trust Alliance is an industry group that represents some of the largest technology and retail firms in the U.S., including Microsoft, Symantec, Target, home security firm ADT and TRUSTe. The group has made protecting privacy on the Internet of Things a key issue, releasing a draft Internet of Things Trust Framework in August. Those guidelines are intended to establish basic standards for security, privacy and sustainability – meaning support over the lifecycle of a product – that makers of smart products would have to adhere to.

Craig Spiezle, Executive Director and President of OTA, has long identified smart home security as a priority. In a conversation with Security Ledger in August, Spiezle related an anecdote about buying a “smart” home, only to realize that key features – like a gate and garage door opener with Wi-Fi connectivity – were not being actively managed by the vendor who supplied them. He blogged about some of the same issues again here.

“Although we enjoy the benefits of a connected lifestyle, we must not lose sight of the risks a smart home may pose to our privacy and physical safety,” Spiezle said in a statement on Wednesday. “As evidenced by some privacy practices and recent vulnerabilities with smart cars, TVs and baby monitors, consumers need to be aware of and manage smart devices in their homes.”

The joint NAR and OTA checklist provides recommendations on steps to take when buying a smart home, including obtaining an “inventory and documentation of all connected devices” in the home: modems, gateways, hubs, wireless access points, locks to access gates, garages and doors, thermostats, HVAC systems and smart lighting networks. New owners should also review the privacy and data sharing settings of those devices and change them to suit their needs.

All smart home devices should then be re-registered with the new owners with updated contact information to make sure that firmware updates and other notifications go to the right individuals.

Unsupported devices or features should be disabled whenever possible and the new owners should review remote access settings on their devices to make sure that the previous owners or other outsiders aren’t able to get remote access to smart home infrastructure.

Finally, the new owners should update firmware on any devices where updates are available and change the system passwords needed to access those devices. Where possible, create totally new administrator user names and passwords to replace those used by the prior owners.

“Following these recommendations will help consumers better protect their privacy and identity and prevent their personal data from falling into the hands of cybercriminals and being sold to the highest bidder,” the groups said in a statement.

The provisioning and de-provisioning problem isn’t unique to smart homes. Passenger data being captured and stored on connected vehicles is a problem in both the rental market and the secondary car sales market.  Consumer advocates including the Federal Trade Commission and Consumer Reports have both warned about the dangers of privacy violations stemming from smart home technologies including connected television sets and appliances.