Smart Home are impossible to insure… yet!

Water Disater
Water Disater

Today I’m going to talk about an interesting scenario that will for sure get your attention: Is it possible that “today” a Smart Home invalidates your home insurance?

I do not pretend to be an expert in insurance or law, and I’m also perfectly aware that laws, rules and regulations could be different depending of the country you live in, but in the end all insurance companies work more or less the same way, and my expertise in Smart Homes and IoT leads me to some interesting questions: Is our current insurance policies are compatible with a Smart Home.

We all know that technology always runs faster than rules and regulations, and in many cases, we write new laws and regulations to solve the problems technology created. Something I’m certain of is that technologies will little by little standardise rules and regulations in the world and GDPR is a good example. So even if you think that this scenario is not compatible with your country or your insurance policy, I invite you to read it and think long-term because the more we are prepared, the better it will be.

Here is my understanding of how insurance is working. Let’s say you need the classic home insurance package for burglary, fire, water and natural disaster. Depending on your area, the price of your house, if you have an apartment or a home with a garden, a swimming pool, the value of what you want to cover and the deductibles you are ready to take, insurance experts will evaluate the risk and ask you to pay a yearly premium. Insurance also helps you to minimise or avoid risks, so a set of recommendations might also come with an insurance policy. They can also require a certain type of door lock, smoke detectors or an alarm. If you’re lucky enough and need to cover some art, jewellery or wine, they will recommend a certain type of safe, an alarm connected to a 24/7 monitoring operator, a CCTV system and even have the room temperature and hydrometry controlled. If you have a chimney, they’ll ask you to have its pipe swept once a year. If you want a gas water heater, they’ll ask you to have it installed by a certain type of professional that is certified by the insurance company, and this professional would also come once a year for servicing and maintaining the water heater. The last thing we need to understand about insurance is what they fear the most: Fire and water disasters. This is because fire and water damage will cost a lot more to reimburse than a flat-screen TV and a pair of iPad. This is why we now have a lot of insurances that recommend and even offer discounts if you install smart smoke or water leak detectors. So, now that all this is clear, let’s jump into the following scenario that could become a potential problem.

I played a little game and called different insurance companies in France and the UK pretending that I wanted to cover my Smart Home. I started to describe all the smart equipment that will be in my home. From my point of view, this should have set off sirens and alarms for any insurance company.

The conversation went this way: Hello, I’m going to “Smartify” my home, meaning that I’ll be able to control my home with my smartphone. When I’m inside my home, I’ll be using my local network, and when I’m outside my home, I’ll be using 4G and cloud-based systems. I’ll be able to control the following equipment:

1/ Smart lock of both front and back door, plus open the gate and the garage door.
2/ The external shutters, internal shadings and all lights.The sprinklers that water the garden and the swimming pool system.
3/ I’ll also be able to control and set up the HVAC, the gas water heater, a fancy ethanol fire place, and the bathtub so that every morning at 7:00 it will be filled with the correct temperature of water.
4/ Cherry on the cake, I also want kitchen appliances like my rice cooker, my oven, the kettle and my halogen top cooker to be super smart and connected.
5/ Of course, I’m going to have smart smoke and leak detectors plus an alarm and a CCTV system.

To make it short, I told them that all the critical and dangerous things that could totally destroy my home will now be smart and connected on my local network, including the smart devices that are supposed to prevent, detect and send alerts in case of a problem. From my expert point of view, my home is now way more vulnerable than ever thanks to the instabilities introduced by smart stuff.

At first, some insurance companies that I spoke with assumed that I wanted to protect and cover the smart equipment itself… I said no, I just want to cover the new potential risks introduced by those new smart equipment, and I’m ready to pay more for this. I also want your expert to tell me what specific precautions I need to take to minimise the risks now with all these connected objects. For example, how strong should my Wi-Fi password be? How many times should I change it per year? What kind of professionals should I hire to install, set up and maintain it. And the most important question of all: Will my insurance policy actually cover this freaking smart chimera I’m going to turn my home into?

Guess what? No one seemed to have any idea about what I was talking about, and of course I won’t be getting any documents from my insurance company where they agree to cover my Smart Home and what I’m going to do with it. I may be searching for problems where there aren’t any, but as an expert in the field, I can tell you that I’m quite worried. Of course, there are a lot of solutions to minimise these risks, and I have a pretty good idea about what to do.

Someone at an insurance company told me that the professionals who install your Smart Home should know all the best practices to ensure your Smart Home is safe. He should certainly belong to a trade association that has the best practices, quality marks, certifications, labels… In fact, we are talking about electricians who, although they may seem legit on the job, are absolutely not prepared yet for handling any kind of cyber security issue. We can also talk about the Custom Installers, those former Hi-Fi and Home Cinema installers that little by little took over Smart Home installation. Those pros are driven by absolutely no trade association, and the vast majority of them do not have any kind of degrees or certifications in the construction industry or specific insurance coverage. The most legit team to install a Smart Home should be a team of an electrician and an IT company. But actually, this is not the case.

It could and it will happen overnight, like the last time we had to handle a wide cyber attack on millions of IP cameras that were turned into bots to create a DDOS attack. The vast majority of those IP cameras were installed in normal homes and the home owners never knew it. The last attack was from the inside of the home to the outside where they wanted to create problems to websites like Amazon or Twitter. The next time it could be to attack the home owner. The latest cyber attack should have opened the eyes of all insurance companies in the world concerning the vulnerabilities of home owners. For the moment, they seem to have their heads in the sand.

Let’s try to list the risks introduced by a Smart Home if someone hacks it. Just keep in mind that this list only uses the smart devices we have today, but try to imagine in a few months… a few years… God knows what other incredible smart devices the industry will produce.

1/ Screw with the setup of my HVAC so it can possibly destroy itself.
2/ Screw with the setup of the garden watering system and have water disaster consequences.
3/ Disable or change the sensibility of all my detectors (alarm, smoke, leak…).
4/ Open all doors, disable the alarm and turn off my CCTV.
5/ Ask the bathtub to overflow while I’m on vacation.
6/ Disable the security of my gas water heater and ask it to boil the water until it explodes.
7/ Turn on all appliances that produce heat in the house during a hot summer, including the ethanol fireplace, close all ventilation grids and turn off the air extraction.
8/ Once inside a local network, it’s even possible to switch the firmware of almost any device with a custom one, which can give over total control of a device and disable all internal protections.

Do not underestimate the incredible creativity of bad people. Remember that people do not need a reason or purpose to do bad things. Just for the thrill. Just because they can do it. Just because it’s fun. Just because they feel safe 5000 miles from you, hidden in their parent’s basement, behind a screen, using a VPN. Just because it will be much easier for any kid to break into a home with a smartphone rather than using a lock pick gun. Sooner or later, you’ll pay with Bitcoins on the dark web and ask for a home to be totally open at a certain time and date. I can already see the ad on the website: “Hate your neighbour? We can remotely burn their house. Satisfaction guaranteed or your Bitcoins back.”

Regarding the risk introduced by wrong setup, workmanship or a system that would not be properly updated and maintained, we can have faith in Murphy’s law to totally ruin all best efforts. The problems are just too numerous to imagine. Some will be amusing; others will be nightmares.

Here are the questions I had for the insurance companies: 

1/ I want to know your recommendations and best practices so you can’t tell me in the future that you won’t reimburse me because my Smart Home was not secured enough because I didn’t follow the best practices in use in the industry or because it was not installed and/or not maintained by a qualified specialist.
2/ And by the way, what industry, specialist, qualifications and best practices are we talking about?
Is that an IT guy? An electrician?
3/ Do you have any idea or think it is not likely to happen? So, will you sign a document to acknowledge that my actual insurance policy will cover me as usual no matter what freaking smart chimera I’m turning my home into?
4/ Will you one day set some limits as to what we can do in a Smart Home?
5/ How strong should my password be for my Wi-Fi system, on all my smart devices, and how many times should I change it per year?
6/ Can I still use connected devices that are not supported by the manufacturer, meaning that even if they found a major security breach, there will never be any firmware update?
7/ Will you give me a list of forbidden connected devices I can’t use in my home because they are too vulnerable?
8/ If there is a new firmware update that patches an important security issue on my bathtub or my gas water heater smart thermostat, how fast am I supposed to update it? And if the problem occurs before I patch the device, will you still be covering me?
9/ What if my professional installer has been hacked? He probably has all my information, login and passwords. Does his insurance cover him for this?

For the moment, no insurance companies are ready to answer these questions. They play with smart smoke, water leak detectors and smart alarms and think that will resolve all problems. Of course, they resolve a lot of problems in the old fashion homes… but not in the deadly toxic environment of today’s Smart Homes. The fun part of it is that for the moment, Smart Home owners are the wealthiest people on earth. Do they know that in most cases, their home is totally vulnerable?

So, what can we do now? I have a pretty good idea, and in most of the cases, good sense should resolve a lot of the problems. It’s obvious now that a Smart Home should use the same security standards in use in the IT industry, but are people ready for that?

PS: Let me add 3 little things here.
1/ Amazon or Google can size the opportunity to enter and totally disrupt insurance just because they own the ecosystem and they can certify it… So from my point of view, actual old fashion insurance are in GREAT danger.
2/ Instead of using certifications, there must be a way to use blockchain to secure the whole IoT system of a home and make is safe. Here again, technology will overcome ALL old fashion world with certification.
3/ If you know someone who is working in the insurance industry, I would love to give him a complete picture of the problem and share with him the possible solutions.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please hover over that comment, click the ∨ icon, and mark it as spam. Thank you for partnering with us to maintain fruitful conversation.