Your landlord turns your apartment into a smart home. Now what? – CNET

Surveillance cameras watching family in binary code home

Not everyone wants a smart home. Those who have it forced on them don’t feel safe in their own residences.

Patric Sandri / Getty Images

Daniel Bishop remembers the day he stopped feeling safe in his own home.

In January, Bishop and his neighbors at an apartment complex in San Jose, California, got a message from their property manager.

Every apartment was going to become a smart home, with a connected lock, water sensors, a smart thermostat and a wireless control hub to manage it all. There was a meet-and-greet event five days later for tenants who had questions, and then about two weeks later, the homes were fully converted.

Bishop, like many of his neighbors, didn’t ask for this, and he didn’t have a say in the change. It was his landlord’s decision, and so on installation day, Feb. 1, he looked at his new smart lock and tried typing in the unlock code that was texted to him.

It didn’t work. For nearly an hour, the software entrepreneur worked with the property manager to open his smart lock. A maintenance worker finally fixed it by connecting the hub to Bishop’s personal home network without asking for his permission, which he took as a serious breach of privacy.

Bishop’s story underscores the growing — but awkward — embrace of smart-home technology. Filling your abode with a collection of internet-connected devices is a trend that’s sweeping across homes everywhere, even if it potentially creates security vulnerabilities. It’s also caught on with apartment landlords, who see smart-home technology as a way to attract more tenants and save money through monitoring of energy and water usage. But the aggressive embrace of innovation could leave tenants, who don’t have a say in the upgrades, steaming.

“My fiance saw me and said, ‘you look absolutely furious,’ and it’s because I am,” Bishop said. “You don’t have control in this situation, and it’s being thrust upon you.”

Smart-home gadgets can collect data on residents and sell it to advertisers. Then there are the hacks. But with regulations lagging behind deployments, often the only recourse tenants have for opting out of their new smart home is to move out.

“They suddenly have to choose between no home and a place where they perceive themselves to be spied on,” said Kathleen McGee, the former chief of the New York State Attorney General’s internet bureau.

Space invaders

Landlords are jumping on the smart-home bandwagon.

The market is expected to reach $53 billion by 2022, and a 2018 survey by Entrata, a real estate software management company, showed that a majority of renters wanted smart-home features over amenities like on-site child care.

Smart homes offer benefits to both landlords and tenants. Property managers can monitor activity reducing waste, while also charging higher rent, while tenants have a convenient way to get into their homes, control their lights and the room temperature. With landlords managing it, they don’t have to buy expensive internet-of-things devices on their own.

The boom in popularity is how SmartRent, a smart apartment company based out of Arizona, found itself in 20,000 homes over the last two years.

“This is the No. 1 amenity requested by residents,” said Lucas Haldeman, who founded SmartRent.

But not everyone is happy about their landlords shifting them into a smart home — like Bishop, who had privacy and security concerns with SmartRent.

For all the convenience that IoT devices provide, connected devices introduce new risks for hacks. Families were terrorized from a hacked Nest Cam blaring alarms, while a Nest thermostat was hijacked to thrust temperatures up to 90 degrees.

And while 1 in 4 households intend to buy a smart lock this year, security researchers have consistently found vulnerabilities with locks allowing possible intruders to break in.

That history of security issues for IoT devices has some of the more savvy tenants on alert, raising a worry they didn’t have about their homes before.

“When you take something as critical as access to people’s homes, and throw it on the internet, you raise the risk exponentially for people to get information about you,” Bishop said.

Home invasion of privacy

Andrew McPherran, a software engineer in Washington, had his home converted by SmartRent last November.

He took a closer look at the new devices installed in his home. It included a Yale smart lock and a ZipaMicro control hub, which connects to all the devices through a radio frequency called Z-Wave.

All communications between the hub and the local network was encrypted, but there were other issues, McPherran said.

For one, his property manager has two PIN codes for the lock, and he doesn’t know how it’s kept safe.

“There’s a lot of places in that chain where that data is being managed by third parties, and I don’t really know what they have in place to protect that,” McPherran said. “I’m more worried about where the data is going versus someone breaking into my home.”  

Haldeman said that SmartRent does not share data on tenants, and the data is wiped every 30 days. That’s not the case, however, for every company.

Smart-home companies like Zego, Stratis and Vivint boast more than 250,000 upgraded units, and their privacy policies give permission to use a tenant’s data for advertising and marketing.

Vivint Chief Technology Officer Jeremy Warren said in a statement that it allows customers to opt out of marketing.

Zego CEO Adam Blake said in a statement that the company was “committed to preserving the integrity of its relationships with residents.”

Stratis said it’s updating its privacy policy, and that it only uses data to market to potential customers.

In most states, landlords are required to give notice to tenants before entering your home. But with data collection, landlords have a constant virtual presence in these homes, said McGee, who now works as a technology counsel at the Lowenstein Sandler law firm.

“With this, landlords are, in theory, in your apartment every day collecting information,” she said.

Then there’s the risk of hacks. Andrew Tierney, a security researcher with Pen Test Partners, was able to completely take over 200 devices after hijacking a smart hub, allowing them to unlock doors and disable alarms.

“I’m very cynical that you can install that many smart locks and hubs and not end up with lots of problems,” Tierney said. “Having all of this stuff forced on you is concerning.”

Home insecurity

Haldeman said SmartRent takes its security seriously, with biannual penetration tests and three security engineers.

“If you look at all the wonderful benefits that the internet of things is bringing, I think we can balance that,” he said. “Everything we offer, I think is more secure than what was in place before.”

Some openings still slip through the cracks.

After the installation, SmartRent sends the resident the door unlock code in plain text through SMS and email. Anybody who has access to your email or phone can unlock your door.

“Lose your phone, have your email hacked, and then someone has the PIN,” Tierney said. “It should be a link to allow someone to set it to their own choice over a secure channel.”

SmartRent said it implemented an option in late February to send the PIN codes as a link that expires in 30 minutes to address this security issue. But tenants can’t enable it, so unless property managers turn it on, they’re still at risk.


The smart lock installed on Andrew McPherran’s door.

Courtesy of Andrew McPherran

With SIM hijacking and more than 2 billion leaked credentials online, getting access to a PIN code on a massive scale could be easier than stealing a set of physical keys.

Some tenants disagreed with Haldeman’s argument, and said the smart locks make them worry.

SmartRent upgraded Robert Lang’s Denver apartment last November. He experiences lockout issues occasionally — whenever his phone has spotty service and can’t connect to his app.

“Sometimes, I would leave the house and the app would say that my front door was unlocked when it was actually locked the whole time, and vice versa,” Lang said in an email. “The lock and code work fine, but the connection issues leave you with an uneasy feeling.”

Smart homesick

Bishop isn’t opposed to smart homes, and has installed a few smart gadgets on his own.

Similar to McPherran, he wishes he had the choice to opt out of the upgrade.

McPherran said he isn’t comfortable with an outside company’s gadgets in his house, he said.

“I would’ve opted out given the option,” he said. “Any of the utility that it provides, I could’ve gotten for myself with more of my own choices, and trust how my data is being used.”

Bishop’s taken a few measures to ensure his own security, like immediately removing SmartRent’s hub from his home network after the maintenance staff left.

The changes have left McPherran and Bishop with security worries, but neither are moving.

McPherran’s lease ends in June, and he said it’d be too expensive to break the contract and move out earlier. As for Bishop, he came pretty close to packing up.

“It was infuriating,” he said. “I was close to it, but not quite over the hump where I was ready to uproot my whole life.”