CRT Labs Gift Guide 2016, Day Three

This week, we’ve been looking at our favorite tech gifts, with guides for devices for gifts under $100 and from $100-199. Today, we’re going to round out the guides with gifts for when you feel like splurging, with price points above $200. Just like with our other guides, we recommend you search your favorite online (and offline) stores, because these devices often go on sale around the holidays.


  1. Ecobee 3 Starter Bundle, $313. We’ve featured the Ecobee 3 smart thermostat in both our Thermostat Tearsheet and first episode of CRTv, with good reason – it’s one of our favorite smart thermostats. It’s got a large, easy-to-read screen, works with a variety of hubs and voice-assistants, and looks great on your wall. But our favorite feature is the Lil’ Bee room sensors, which allow you to extend the sensing capabilities of your thermostat beyond just the room in which the thermostat is installed. This means the Ecobee can sense when you’re in a room away from the thermostat, and adjust your heating/cooling needs to bring comfort to that room. For $313, you get the Ecobee and 3 Lil’ Bees.
  2. Netatmo Presence, $299. Netatmo is another one of our favorite companies, with a great lineup of security, air quality, and weather smart devices. We love the Presence, an outdoor security camera, which is simple to install, includes free video storage (in a variety of methods), and an great app for viewing footage. It can identify if a person, animal, or car is detected, as well as reports in real time so you know what’s going on outside your property, all the time.
  3. SmartThings Home Monitoring Kit, $249. The SmartThings Home Monitoring Kit is a great start for simple sensing within your home. It comes with a SmartThings hub (which can control more than just SmartThings devices), two multipurpose sensors for doors/cabinets, a motion sensor, and an outlet. You don’t have to just monitor with these sensors – you can use them to trigger lights (such as turning on a bedroom light when the bedroom door is opened), arm and disarm security, and more. SmartThings works with Alexa and Google Home, making these voice assistants compatible with any device that works connects to the SmartThings hub.

Smart Homes & REALTORS – What do you know?

Smart Home Survey Featured Image

We’re really excited to write today about our new survey, which highlights the emerging technology needs of our membership and our work. We’re kicking things off with our first survey for CRT Labs: the  Smart Homes &REALTORS® Survey. This is an insightful look into what our members and their clients know about smart home technology and where we can help you learn and grow your business in the smart home space.

Member Interest in Smart Home Tech

One of the most exciting things we see in the survey is the amount of interest members have in smart devices and how they can use them in their business. Based on our data, it is not just new and young agents who are interested in this technology, but more seasoned members of the REALTOR® population. A prime example of this is seen in this question about interest in an NAR Smart Home Certification.

A percentage based bar graph gauging interest of NAR members in an NAR smart home certification. 42% of those surveyed are interested, 22% are not interested and 36% don't know if they are interested.

What we note is that almost half of those surveyed were interested in a certification program. The characteristics of those interested in a certification are surprising to me in a good way. Looking at the median experience, hours of work, and age, we see that members working full-time and near the overall median member age of 54 are interested in this type of certification; this type of certification appears valuable to industry veterans.

When we move to the second tier of characteristics and break down interest by years of experience, we see that over half of those who say they are interested in a certification had more than 16 years of experience. We also see that members aged 55 and up are very interested in this type of certification.

Currently, NAR does not offer such a certification or designation – but, if you are interested in gaining some knowledge on smart home tech and energy efficiency (and I suggest you consider it because younger buyers are very interested in these features), NAR does have the GREEN designation, with a section on smart home technology and advantages to clients with respect to energy efficiency as part of this designation. Also, if you are interested in getting a better handle on the terms and concepts behind smart home technology, check out our smart home glossary and our internet of things FAQ.

Client Interest in Smart Home Tech

One of the big reasons for NAR members to understand this technology is because your clients will be interested in what these devices can offer them.

Client Interest by Type

These responses are insightful, and confirm that security and privacy are top priorities for clients. Concerns around these two topics have been evident for a while and have become hot topics since the Mirai attacks. Start with our Smart Home Checklist (11 downloads) to help clients with these concerns. What is surprising to me is that comfort remains in the middle of the pack as far as importance of functionality goes. That’s typically been a big selling point for these devices. If you look at the “Very Important” slice by itself, you get the top 5 in this order:

  • Security 51%
  • Privacy 45%
  • Cost Savings 44%
  • Energy Savings 42%
  • Comfort 38%

When you combine the “Very Important” numbers with the “Somewhat Important” column, the functions shift:

  • Security 81%
  • Energy Savings 78%
  • Cost Savings 77%
  • Privacy 75%
  • Comfort 71%

Energy Savings and Privacy swap places. I’m not declaring anything definitive here, just highlighting an unexpected shift. Privacy moves down the list and Energy Savings rise. It’s not a huge difference between that and Cost Savings, but could be an indicator of future importance for these areas. We’ll be keeping an eye on this.

For us, another interesting function-related finding was that Air Quality rated low. My personal opinion is that this will shift in the coming years as more devices and projects become available and consumers are more aware of the impact that air quality has on comfort and energy efficiency. This is a vertical we are going after with our Rosetta Home and PiAQ projects. Air quality will be key in the function of a smart home. We envision a home that reacts and self-regulates to keep you comfortable and safe. These metrics from air quality will inform decisions made by your house.

What You Can Do

So what can you take from this report and use in your business today? Well, a lot! First, the most surprising graph to me:


According to this, only 2% of you have given a smart home device as a closing gift. Most likely there are a few reasons for this:

  • Not understanding what’s on market
  • Cost
  • Concerns around privacy and security

Definitely start thinking about the potential of these devices, which are available at a variety of price points, as gifts. First, you can consult our gift guides here:

You can also look at our thermostat tear sheet for more options. Giving these devices as closing gifts are a way to keep the conversation going after closing. These devices last beyond a bottle of champagne and have the potential to offer improved living for homeowners. There is an opportunity for marketing yourself in a much different way.

In Closing

I wanted to close by saying that there is a lot for us here to work with to offer opportunities for you to help clients navigate the emerging smart home space. Smart home tech is here to stay for these reasons:

  1. Devices are becoming cheaper and more feature-rich.
  2. Security for these devices is becoming more important.
  3. Other verticals (utilities and insurance among them) are paying attention and penetrating the market with offerings.

Knowing what you’re interested in, combined with the ever-changing tech world, helps us at CRT Labs with our primary goals: to educate, innovate, and advocate for the future of technology and real estate.

CRT Labs Gift Guide 2016, Day Two

Yesterday, we took a look at some tech gifts under $100 to give this holiday season. Today, we’re going to recommend some of our favorite devices priced from $100-199. As always, we recommend looking towards your favorite shopping destinations to find the best prices, especially during the sales-filled holiday season.


  1. Nanoleaf Aurora Smart Panel Kit, $199.99. Coming in at just $200 are these awesome LED panels. We’ve recommended a few smart bulbs in the past; what makes these unique is that they are designed to be a centerpiece, not just hidden under a lampshade. You configure them by snapping them to each other, and they’re easily reconfigurable by just moving them around. They’re controlled by an app or Siri, and also includes a regular controller for guests (or tech-averse) people to use. Soon they’ll also have support for Alexa and IFTTT.
  2. Google Home, $129. Google Home is a voice assistant, like the Amazon Echo, that integrates seamlessly with other Google products and services. You can play your Google Play Music through the included speaker, ask it to cast from YouTube to your Chromecast, control your lights, and more. While currently not as robust as the Alexa system, Google will be adding more support for devices over time. We love how the Google Home’s speaker sounds compared to the Echo, and we’re impressed that it can have contextual conversations. For example, you can ask “Hey Google, do the Blackhawks play today?” and then, after receiving that response, ask “Hey Google, what’s their record?” You can check out a demo of this on our Google Home Facebook Live Office Hours.
  3. Logitech Pop Switch Starter Kit, $99.99. Alright, so this is a penny under our $100 suggested retail price, but the Pop Switch is a really cool new smart home controller from Logitech. It’s a zero-UI interface, meaning there’s no screen – it’s a large button that allows you to control a large variety of smart devices (including Hue bulbs, the SmartThings hub, and Sonos speakers) with just a tap. And who doesn’t like popping bubble wrap? The Starter Kit comes with 2 Pop Switches and a bridge to control them.

CRT Labs Gift Guide 2016, Day One

Our annual gift guide is back, and today we’ll be looking at four of our favorite tech gifts for under $100. We’ll also be putting out guides for gifts between $100-199, and for over $200. We’re featuring a lot of great devices to get your smart homes started. Note that we’re using the suggested retail prices; you can search the Internet for better deals, especially during the holidays. It’s also good to note that some smart devices, like thermostats, might also be eligible for rebates through your utility or insurance companies – check their websites for more information.


  1. Jackery Bolt, $69.99. Chosen by the Wirecutter as their favorite USB battery pack, the Bolt is a great choice for on-the-go charging for your phone. It features both microUSB and Lightning cords, and the cords are attached so you don’t even have to worry about carrying both the battery pack and the cord. It charges quickly and is small and lightweight.
  2. Google Chromecast, $35. The Chromecast is a streaming media player for your TV. There are several competitors in the streaming device space, and we like the Chromecast for its ease-of-use, compatibility with almost any phone or computer, and for its integration with the new Google Home (a product we’ll feature in the $100-199 guide). It’s small enough to tuck behind your TV, and it’s portable so that you can bring it with you to use for presentations on any TV with an HDMI port. We use one in the lab all the time to cast from YouTube and Google Slideshow from our laptops.
  3. Amazon Echo Dot, $49.99. We recommended the Amazon Echo last year in our $100-199 guide, and we love its little sister the Dot. The Dot is a voice assistant powered by Amazon’s Alexa. To bring the size and cost down, Amazon has taken out the large speaker from the Echo, but if you want better quality sound, you can hook up any bluetooth speaker to the Dot. Alexa is learning new things all the time, both with more product support (such as a variety of lights, thermostats, and more) as well as a robust set of skills (voice controls).
  4. Philips Hue White Starter Kit, $69.99. Another recommended product from last year was the Philips Hue starter kit, which retails for around $200. If you want to start switching to smart lighting for less, and don’t need colored bulbs, this $70 kit is an great start. The kit comes with 2 bulbs and the Hue hub, and is compatible with any Hue bulb (there are even some third party bulbs that will work with Hue – check for a “Friends of Hue” sticker on those bulbs). The Hue system works with all the major smart home hubs like Wink and SmartThings, as well as with Amazon Alexa, Google Home, and Apple HomeKit.

A Look Back…Our Predictions about the Wink Hub

CRT Labs has come a long way in a year, and the lab is always excited to look ahead at future technologies and what they’ll mean for the real estate industry. However, it’s also important to look back at some old posts and see how our technology predictions panned out. In this post, I’ll be examining an old Bits & Bytes post about the Wink Hub from June 2014. In that post, Chad took a look at one of the early smart home hubs, the Wink Hub, and mused on the future of the smart home (including a couple guesses about Apple and Google’s smart home offerings).

The Wink Hub in our Chicago lab

The Wink Hub in our Chicago lab

First, let’s take a look at the past two years of smart home development and the Wink Hub itself. In 2014, the Wink Hub was a new device, created in collaboration with corporations like GE and Honeywell, by a startup called Quirky in New York City. The Wink Hub was a huge step forward for smart home technologies – large companies, already with their toes in the IoT waters, were beginning to think about interoperability and the lifespan of their devices. Quirky was a successful incubator that looked at thousands of ideas a month from inventors, carefully curating their offerings and facilitating the research, development, and production of dozens of products. The Wink was their first major foray into the IoT marketplace, a hub that promised the beginning of the easily automated smart home.

Did the Wink live up to that promise? Well, in 2015, Quirky filed for bankruptcy, which for some seemed like it would signal the end for the smart home hub technology. But Flex, a manufacturing company, bought Wink from Quirky, and Wink soldiered on. As of April 2016, Wink has 1.3 million devices on its network, with 20,000 more coming online each week. That bodes well for the technology, and Wink combining multiple standards into their device (in a world that still hasn’t standardized protocols) means that there will likely be an interest, at least in the near future, for people who want to centralize their smart home devices without feeling encumbered by the restrictions of only working within one company’s ecosystem.

We’ve seen a couple hubs come and go (and I’ll talk more about that in upcoming post), but Wink and Samsung’s SmartThings seem to be in it for the long haul. So that leaves us with the question – what about the future of companies like Apple, Amazon, and Google, who have recently extended their offerings to include voice assistants that can act as smart home hubs?

In his post, Chad mused that if these companies getting into the smart home – and smart home hub – game, would that mean that the Wink (and others like it) would become obsolete? I think instead of watching the hubs get pushed out of the market, the Big Three are embracing what hubs bring to the table. Google Home came to market with support for SmartThings; Apple’s HomeKit currently integrates with the Insteon Hub; and Alexa works with not only those hubs, but the Wink as well. Device manufacturers are creating their offerings for all the major hubs, and while there still isn’t a central standard protocol yet, it’s clear that the manufacturers are interested in allowing their devices to be part of these types of networks in order to get their products in the hands of more consumers.

Wink just announced an upgrade for their hub – the Wink Hub 2.0 began shipping late last month. Does this mean the company has legs? I don’t know if we can ever be confident in predictions in such a rapidly changing marketplace, but I do think it’s easy to see that, for now, hubs have a major place in unifying the internet of things and allowing consumers a wider variety of options when it comes to customizing their own smart home.

Facebook Live Office Hours: Welcome to Annual!

This weekend, we attended the REALTORS® Conference and Expo in Orlando. Last week, we gave you previews of all the exciting things we were going to be up to during the convention, and one of those things was our first on-location Facebook Live Office Hours. We gave a quick tour of the booth just minutes before the expo opened, giving our Facebook viewers a first look at the booth before anyone else could see it. Check it out below.

We’ll be settling back into Chicago over the next few days, and we’re looking forward to exploring a whole host of opportunities that came up during the conference. We met so many great people, and got to share all the work we’re doing with a lot of awesome industry folks. Some of our next few posts on the blog will be a chronicle of the time we spent in Florida, so make sure to check back in to get a recap of our time both on and off the expo floor. And don’t forget, if you like our Facebook page, you’ll always be notified first when we go live during Office Hours (Fridays at 1PM Central), and you’ll be able to ask questions live! We’ll see you next time.

CRT Labs at the REALTORS® Conference and Expo 2016

The past couple of weeks have been a whirlwind as we shifted gears to get ready for the REALTORS® Conference and Expo in Orlando, FL. The whole gang is heading down to Florida to show off who we are and what we do, and we wanted to put our schedule up on the blog so you won’t miss a thing.


Speaking Events: We’ll kick off Friday with Chad speaking at the Property Management Forum from 10:30AM-12PM (all times Eastern) in the Orange County Convention Center West, Room W312 A. The forum will be discussing market segments and niches. On Saturday, Chad will speak to the Commercial Leadership Forum from 9-11AM in Orange County Convention Center West, Room W 206 A-C. Also on Saturday, Joe will be running the Emerging Business Technology Forum, where agents and brokers will talk about digital strategies. We’ll also be doing presentations in the Commercial Marketplace on Saturday, Sunday, and Monday; look for Chris from 11-11:30AM Saturday, Dave from 11:30AM-12PM Sunday, and Joe from 11-11:30AM Monday to talk about how the Internet of Things can work for commercial real estate.


Facebook LiveWe’ll be going live from the expo floor Friday at our usual time to host our office hours from our booth. To watch live, check out our Facebook Page at 2PM; if you give a like on the page, you’ll be notified when we go live (this week and every other week). We’ll be showing off our booth, which is part of the REALTOR® Pavilion.


Booth #208: Our booth at the expo is our place to shine. We’re bring a bunch of smart home devices to demo, like the latest thermostats, locks, and cameras. We’re also going to be showing off some of our in-house projects, including our Rosetta Home software, Indoor Environment Quality sensors, a prototype for an app based on our Smart Home Checklist, and more. On top of all that, we’ll be raffling off 5 Amazon Echo Dots – you won’t want to miss out on that! We’ll also have a ton of stickers and buttons to give away, so make sure to come by this weekend to check it all out.

Green Pavilion: We’re proud to host coffee artist Michael Breach to the Green Pavilion on Sunday from 1-5PM. He’ll be making amazing latte art and whipping up delicious pick-me-ups (while supplies last). I’m hoping he’ll make me a Hamilton-ccino, personally.

A ton is going on in Florida this weekend – we hope to see you all there!

Facebook Live Office Hours: Annual Preview 2016

This week on our Facebook Live Office Hours, the team talks to you about our plans for the NAR Annual Convention, happening in Orlando next week.

Next week, we’ll post an itinerary about where you can find us during the convention and expo, including the talks we will be giving.

As always, liking us on our Facebook Page will notify you when we go live every Friday at 1PM Central.

The Insecurity of Things: Part 3 – A Manufactured Problem

An image of draftsmen at desks working on technical drawings

Back to the drawing boards.

NOTE: This is part 3 in a series about the recent DDoS attacks using Internet of Things enabled devices. We look at where manufacturers are culpable in this latest attack.

The Insecurity of Things:
Part 1Look into the MiraiAn overview of what happened
Part 2Wagging the DogWhat Mirai is really about – security and secure passwords
Part 3 – A Manufactured Problem – The ‘root’ of this lies with the manufacturers – Here’s what they’re doing, and what they need to do

This is the final piece in my three-part series about the Internet of Things and the DDoS attacks that have taken place in the last month. I’ve saved this post for last because I feel it’s the most essential. As I’d said in my last piece, we, as users, need to create secure passwords and credentials for all aspects of our online life. I focused on what consumers can do to improve their security, but it doesn’t stop with them. We need to hold manufacturers to account.  Manufacturers have the biggest responsibility in this.

In the attack on Dyn, a majority of the devices used could be sourced back to one manufacturer, Hangzhou Xiongmai Technology Co Ltd. They make parts for cameras, DVRs and storage devices. You’ve may not have heard of them because they ‘white-label‘ a lot of their products. They also make components used in products and some of those components were open to attack. The reason I’m distinguishing here is I want to make clear that your devices are only as secure as your weakest piece. I should make it clear that Xiongmai has issued a recall for some of their devices, but this is complicated by the fact that, as a company who white-labels, you may have one of the devices and may not know it. 

In order to provide perspective, let me cover some of the problems these manufacturers have.

Security Issues

In my second piece of this series, I covered what consumers can do with passwords. I called that piece ‘Wagging the Dog’ because, to me, IoT is the dog and credentials are the tail. Now, I aimed that piece at users and talked about what they could do to improve their security. I want to be clear, however, that for these DDoS attacks, a lot of the blame goes on the manufacturers. The devices in question had default or easy to guess credentials that users of the devices COULDN’T change if they wanted to. You might have seen the list compiled by Brian Krebs below:

List of devices attacked in Mirai botnet attack with default usernames and passwords.

From Brian Krebs’ follow up piece on the Mirai DDoS attack.

This list is compiled from the source code for Mirai, the software used to attack devices. It’s pretty shocking to me to see some of the passwords and accounts listed here, honestly. For those who may not be familiar with servers and deeper computer usage terminology, let me say to you that seeing the user ‘root’ on so many of these is scary. Root is the main user of a system. It’s superadmin with all permissions. That means that anyone with those credentials can do whatever they want to that device.  But that’s not all, you’re note that at least one of these devices just required the username of ‘root’ and NO password.

The one that really got me though is Xerox. For almost all of their printers, the default user is ‘admin’ and the password is ‘1111’. I decided to see if I could find these listed in documentation on their site. I wanted to see if it would be hard for me to get this information. Unfortunately, it wasn’t. Here’s what I did:

  1. I searched from my search engine ‘Logging in as system administrator on your Xerox printer’.
  2. I found the first unpaid result to be the link very similar to the link listed above.
  3. When I got to the page, this is what I found:
    Text from Xerox's website telling you how to access system admin's password and username.
  4. I clicked on the support page link and searched for a model number.
  5. I clicked on a link to a pdf for the model in question.
  6. I searched the term ‘password’.
  7. I found the username and password for the copier. Here’s a screenshot:
Xerox default username and password found on their site.

PDF containing this information was easy to find using a model number and searching the PDF for the word ‘password’.

Okay. That was way too easy. Now, I’m not divulging any secret here or hacking any system to get this information. Xerox is only an example of the problem. Their devices weren’t named in the Mirai attacks, BUT their credentials were found in the source code. I’m taking information you could get by reading an article, performing a search and voila! What can Xerox do about this? There are several things:

  1. Don’t use admin/1111 as the default credentials. Give each new customer a randomly generated way of authenticating.
  2. Password protect any system administrator documents on their website. Require a ‘customer id’ number along with credentials.
  3. Remove the display of ANY credentials from PDFs. Instead, put a ‘customer support’ number there, where a person has to call in to get credentials or have a remote authentication mechanism as part of the customer support.

So, I know what you’re thinking. Why doesn’t the user of this printer just change the password? In fact, in the screenshot from Xerox’s site, they encourage users to do that. That can be easier said than done. That password is required in multiple places for support and maintenance. Also, changing the password can be an onerous task. The keyboards on copiers and printers are not the friendliest to use, so creating a more complicated password can be time consuming and having to reenter it all the time could be a nuisance. I will say, though, end user, you should think hard about this. How often do you need to access admin for your system? What constraints does it put on you to change that password? My answer is, do it. Don’t think about it, just do it.

So, it appears to me that admin/1111 is used for convenience of systems support. This lies at the manufacturer’s door. To me, this type of thing is essential to customer care. Build security into your device and work to educate them as to why this is essential to their business. As a non-user of a product, it should not be this easy for me to get this information. Period.

So, now that we’ve looked at passwords, let’s move on to hardware.

Hardware Issues

Security expert Bruce Schneier first called out the issues with hardware in his excellent piece from 2014. In fact, this was the piece that inspired me to push CRT into the IoT space. He helped me see that we need to protect our members and their clients as these devices were ramping up for the home. He literally ‘peels back the onion’ on the hardware and software and all the challenges wrought. Briefly, I’ll try to paint a picture of the challenge using Schneier’s paints. In order to make an internet-enabled device, you have to pull together a number of smaller components.

As the product manufacturer, it’s most likely you don’t make those components because they require specialized equipment and knowledge. They are also relatively cheap, so, economically, it’s better to buy than build. When you put these components together from various manufacturers, you now have a mash-up of pieces. Some of these pieces are essentially mini-computers and have software running on them. Now, each one of these components with firmware or running some low-level software are a risk because, as we know from owning computers for the last 40 years, software has bugs. Once a vulnerability is discovered in the software on these components, you now have a chink in the armor. The question then becomes, how does one get an update for the firmware for a component in a device you bought and expect to just work? It’s not easy. Does the component manufacturer step up and release the patch? Does the manufacturer then deploy the patch? How does a user of the hardware know when there’s a needed critical patch? Why not just release an update over the air?

Manufacturers need to have a plan on how to work with components companies to deliver better, more secure products. I do understand this is much easier said than done. But, we need to get there. Getting a product to market before anyone else does shouldn’t happen unless you’ve considered all the issues and what you can do to fix them. One company I want to highlight as doing very well at the Internet of Things is Canary. They make a security camera for the home. We’ve been in contact with them several times and have talked about these issues and how they’re approaching them. Out of all the companies we’ve met, Canary strikes me as taking these issues the most seriously.

First, they take their devices to a hacker conference called Defcon every year. They want to see if they can be hacked so they can fix any problems before they make a large impact. We’ve spoken to several people there who’ve said that they work really hard to make sure this device is secure because it’s gathering sensitive data. It’s a video camera in your home. They want to make sure it’s as secure as can be.

Second, look at the security measures they are taking, including hardware encryption:
Security items for the Canary smart camera. Includes: dedicated encryption chip, AES 256-bit data encryption, encrypted cloud storage, secure web transfer (SSL/TLS)
What that tells you is that they’ve looked at the potential vulnerabilities in their device and are making sure they are covered. More like this, please.

Apple’s Homekit is another example of taking encryption seriously. People get upset with Apple because of their ‘walled garden’ approach to their systems, but there is a method to their madness. In order for your device to become a Homekit certified device, you need to have one of their encrypted chips in the device. You also need to use some ‘bleeding-edge’ security protocols for connecting to their system. Now, we’ve spoken to several manufacturers who’ve said it’s a pretty intense process, both in time and resources. Mirai highlights the need for these measures.

The answer to making other companies follow suit really comes down to putting pressure on the manufacturers and their suppliers. Do we ask the government to intervene? Do we wait for hardware manufacturers to take action like Canary and Apple? The way we see it, there needs to be a way to either certify or validate these devices. At NAR, we are investigating how we could be a part of something like this. We’ve had conversations with companies like Underwriters Laboratories (UL, LLC) and Trusource Labs, public-interest groups like The Online Trust Alliance, Future of Privacy Forum, and Center for Democracy & Technology and some vendors, about how to proceed. We are actively working on setting up a certification/validation type system. We feel like we can help be a part of the solution as we have no economic interest in these devices, yet have interest in the best possible experience in owning or living in a home. As more of these devices are released, more issues will arise. We want to mitigate as many as possible, so a standardization of this process can help to clean this up.

But we have the problem now. What can we do in the meantime? To start, the US-CERT (United States Computer Emergency Readiness Team) provides a list of ways to mitigate and prevent these takeovers of IoT devices. At NAR, we worked with the Online Trust Alliance and issued a statement that 100% of IoT vulnerabilities are preventable in recent attacks. In fact, we released this a few weeks before the Mirai attacks. There are a number of simple steps manufacturers can take to improve their hardware security. What I recommend you do as a user of these technologies, before you buy any product, do a search of the product name along with the phrases ‘security issues’ or ‘hacked’. Search devices you have now in the home as well. Update software regularly. Also, keep following us. We are here for our members. So, if you’ve made it through the three pieces I wrote…what thoughts do you have? Share in the comments below.


Image from New Old Stock. Original source for the image here.

The Insecurity of Things: Part 2 – Wagging the Dog

A man is sternly lifting his index finger next to a Scottie dog that is looking away.

Sit, Ubu, Sit…(ruff)…good dog.

NOTE: This is part 3 in a series about the recent DDoS attacks using Internet of Things enabled devices. We look at where manufacturers are culpable in this latest attack.

The Insecurity of Things:
Part 1Look into the MiraiAn overview of what happened
Part 2 – Wagging the Dog – What Mirai is really about – security and secure passwords
Part 3A Manufactured ProblemThe ‘root’ of this lies with the manufacturers – Here’s what they’re doing, and what they need to do

Yesterday, I wrote in part one about the DDoS attacks that we’ve experienced in the last month and what went down to make them happen. In part two, I want to expound on one of the ways we can work to mitigate and or prevent this from happening again: secure passwords and better security.

I subtitled this ‘wagging the dog’ because I feel that’s what’s been happening in the media. They are focused on the result and not the problem.  A lot of the titles included phrases like ‘IoT botnet’, ‘Mirai uses IoT to attack’, and the like, putting the focus on the types of devices used, rather than how Mirai gained access. This is about security and proper password and credential management. Period. In the third paragraph of a post on a site called Threat Post, they say how it happened (emphasis mine):

Mirai’s purpose is to continuously scan the public Internet for IoT devices and tries to access them using known default or weak credentials before exploiting and forcing devices to join botnets used in DDoS attacks.

‘Known default or weak credentials’. That was the big contributor to this attack. IoT is the tail. Credentials are the dog. Passwords and usernames were easily guessable. If you’re using one of these 25 common passwords or equivalents, this could have happened to you. Brian Krebs wrote an article after he was attacked about the devices that were identified in the source code of Mirai, the botnet. Here is an image from that article showing the 68 devices, and their credentials:

List of devices attacked in Mirai botnet attack with default usernames and passwords.

From Brian Krebs’ follow up piece on the Mirai DDoS attack.

IoT is the tail.
Credentials are the dog.

It starts with a mind shift. We’ve been thinking about Internet of Things devices as devices that we can access from our phones and control and get data from. Maybe that mindset is the problem. Before, when using my coffee maker, I didn’t have to have a password. So, here’s how I would encourage you to think about Internet of Things and smart home devices: Think of them as physical applications, equivalent to your app for banking or your app for your email, that need the same level of security. Rather than these physical apps being on a computer or phone, they have a real world presence that needs security. This is the most prominent example of our physical and virtual worlds co-mingling. You lock your door with a unique key, why wouldn’t you lock each device with a unique password? In part three, I’ll address what vendors need to do about their default passwords, but today I’ll take a look at what we can do once we own these devices.

What can we do about this?

You’ll note from the list the onus is on the users and manufacturers of these devices. Simply put, when installing a new IoT device, NEVER use the default password and username for it. Using simple passwords like ‘password’ or ‘1234’ are bad ideas when you’re using them for your online accounts, but even worse when you use them for internet-enabled devices like cameras and DVRs. First and foremost for your devices, make strong passwords and change default usernames. Most consumer grade devices have graphical user interfaces for you to work with and change your credentials. In fact, should a REALTOR sell a home with smart devices in it, they should work with the new homeowner to reset ALL of those devices.  At CRT Labs, we worked with the Online Trust Alliance to produce a smart home checklist last year. Use this as a way to ensure you are securing these smart devices.

Stronger, better passwords

TLDR; Chris and I spoke about this in our office hours a couple of weeks back. You can take some time to watch that video here (go ahead, I’ll wait):

What is that? Your kid's birthday and pet's name for your bank password?? Why don't you just hand me your wallet and get out of my way!!!!

“What IS that?? Your kid’s birthday and pet’s name for your bank password?? Why don’t you just hand me your wallet and get out of my way!!!!” (Image found here.)

Okay, before we get started on this, I want you to think about me as a password personal trainer. The equivalent Jillian Michaels preferably. I will push hard on this. I’m going to ask things of you that you know you should be doing, but haven’t because ‘it’s not easy’ or ‘it’s hard to remember’. Listen, the Internet of Things is coming and you need to get in this habit because there will be BILLIONS of these devices in about 4 years time. Anytime you use an insecure password, you are not just exposing your information, but potentially, personal information about your clients. How many documents, contracts, or pieces of personal information of your clients do you have in your email? You need to think of your passwords as you do your keys or keys to a home you’re showing. You don’t just hand those out willy nilly or make them flat because ‘getting the notches cut means I have to go to the hardware shop and I only like the way that Eddie cuts the keys but Eddie only works on Thursdays’…do you? If you do hand them out, can I have a key? Sorry, got a bit side tracked. So, what do you do to protect yourself? Here is what you do.

Stronger passwords. Period.

Rather than using personally identifiable information, make your passwords tough. I mean really tough. So tough, you have to change how you think about passwords to remember them. Let me give you some easier to remember examples, followed by harder to remember examples.

So, here is how I like to think about my ‘easier’ passwords. I will take either a song, poem, book or other source material and I’ll look for a line or two that I can remember or memorize. Then what I’ll do is condense that to some letters, numbers and punctuation or symbols to make a password. Let me give you an example. Robert Frost is a poet we all know. The Road Not Taken seems like a good teaching poem for this. Here are the first couple of lines from that poem (please don’t use these two lines to make your password now):

Two roads diverged in a yellow wood,
And sorry I could not travel both

Okay, so, here is what I would do with this:


So, to show you how I put this together, I’ve taken the line of poetry and added highlighting to show what my thoughts were:

Two 2 roads diverged in a yellow wood,
And sorry I could not travel both *1920

You’ll note that I changed the word ‘Two’ to ‘2’ and used the whole word of yellow. I did these to mix it up a bit. The *1920 is also there to add some complexity. The year 1920 was the year this poem was published. I added the asterisk to put another character in there. Please note, this is a minimum I would do for a password. I’m using it for demonstration. The next section will show you how to generate and store more complex passwords using a service.

Get a Password Manager

One of our big recommendations are password managers. Password managers are applications that you use to store your credentials for your different applications. You have 1 master password (and you don’t want to forget it because if you do, you essentially are locked out of your password manager and can’t get back in. You can use the technique above to generate that password.). That password is used to unlock your vault of passwords and other sensitive information. Many of these apps make it extremely easy for you to add passwords from all of your accounts.  I use one called 1Password. You can find many that were recommended and reviewed by PCMag this year at this link. And guess what, you may have to spend some money. 🙂

Many password managers offer a password generator as part of the software. Here is a password that 1Password generated for me (I’m not using it anywhere):

Here is an image of that password being generated:


To the left, don’t use those. To the right, use that..

You’ll note from my password manager, I can change the number of characters, symbols and numbers and I can also see how strong the password is. My password manager has a browser plugin that makes it easier for me to use these devices on the web. Look at the list provided by PCMag and you can see if there’s one that meets your needs.

By the way, I want to be clear that the responsibility for password security isn’t JUST on you. If you have a bank or service provider that has limits on what you can enter as a password (example, no symbols, or all upper case or no upper case), don’t worry about changing your password. Worry about changing that bank or service provider.

Two-Factor Authentication

Finally, the next step in securing your devices is two-factor authentication. We will dive more into this in a later post, but this is a start. To see if your applications (banks, Dropbox, Google) support 2-factor authentication, you can use this link and search for a specific program. This is where you take something you know (a password) and something you have (a phone) to gain access to applications. In order to do this, you can download apps for your phone, like Google Authenticator. After you’ve set up 2-factor authentication, here’s how it works:

  1. You login to the site with your username and password (what you know in the 2-factor auth scenario).
  2. The site prompts you to enter a number (typically a 6 digit number) that you will receive either via email or sms or other means.
  3. Your device (what you have in the 2-factor auth scenario) receives the number from the company. (
  4. You enter said number and submit.
  5. You now have access to your account.

That extra step of having the device and a method for creating a ‘token’ as it were is important. It makes it harder for the baddies to get in. Definitely use it. We’ll need it when we get this Internet of Things thing figured out. Tune in tomorrow to see what we have to say about Internet of Things vendors and what they need to do to make their sites secure. Thanks for reading. Now drop and give me 20 burpees!!