10 Smart Home Vulnerabilities Always Home Gets Right

Always Home does not invent its threats. The systems that surround Nora Wells, and the failure modes she encounters, are pulled from the public record: vendor disclosures, security researcher write-ups, court documents, news reporting from the past five years. The list below names ten vulnerabilities the novel uses, the real-world incidents that establish them, and how the book applies each one.

A note on certainty. Where a specific vendor or incident is named, it is one publicly reported and confirmed. Where the novel composites several incidents into a single fictional event, that is flagged. Specificity matters for this kind of book, and unverifiable claims would weaken it.

1. Smart locks that fail open during firmware refresh

Security researchers have demonstrated, across several budget smart-lock brands, that a deadbolt can be forced into a bricked-but-physically-open state by interrupting a firmware update at the right moment. The attack window can be as short as a few seconds and requires only access to the local wifi network. The lock reports itself as updated through the app while remaining mechanically unsealed.

In Always Home, the front-door deadbolt fails this way during chapter eleven. The reader sees the app confirmation and the green LED. The bolt sits unmoved in its housing. The novel does not show the attacker’s side of this; the reader is in Nora’s kitchen, looking at her phone.

2. Doorbell cameras recording audio outside their owner’s property

Ring doorbells, by default, capture audio from the public sidewalk and from neighbouring properties within their motion-activated cone. In 2021, a UK County Court ruled in favour of a neighbour whose property had been continuously recorded by a Ring doorbell next door, and the case was widely reported as a precedent on UK domestic surveillance law. Ring subsequently updated its default audio settings.

In the novel, the doorbell is the mechanism by which Nora’s neighbour first becomes aware of an interaction Nora believed was private. The doorbell is not malfunctioning. It is doing exactly what its default settings instruct it to do.

3. Smart speakers retaining audio fragments without the wake word

Amazon, Google, and Apple have all confirmed at various points between 2019 and 2024 that their smart speakers retained audio fragments captured during what the device classified as accidental wake events. Some fragments were used to train models. Some were reviewed by human contractors. Several US class-action suits have addressed this.

Nora’s flat in Always Home contains a second-generation Echo Dot left by the previous tenant. Chapters six and twelve use the speaker’s accidental-wake history as the receipt for a conversation Nora does not remember having near it. The data is real; the timestamp is the plot device.

4. Thermostats that reveal occupancy patterns

A connected thermostat with a default schedule reveals when the house is empty. If the API endpoint reporting that schedule is exposed, via a misconfigured integration, a leaked API key, or a third-party service breach, the schedule becomes a burglary aid. Researchers at DEF CON have demonstrated this kind of exposure for several mainstream thermostat brands.

In Always Home, this is the secondary mechanism by which the antagonist first builds a pattern of Nora’s movements. The novel does not specify the exact integration that leaks the data. It composites two real cases and says, in one line, that the thermostat had a third-party recipe attached.

5. Lightbulbs that leak wifi credentials

In 2019, the security firm Limited Results disassembled a discarded LIFX bulb and recovered the home wifi password from its onboard storage in plaintext. The bulb had no encryption on its memory. Subsequent research has confirmed similar issues across several IoT bulb brands.

A discarded bulb appears on a bookshelf in chapter four, set-dressing for two pages, cited again in chapter nineteen. It is the slowest-burning vulnerability in the novel and the one most readers do not remember until the second read.

6. IP cameras shipped with hardcoded credentials

Mirai, in 2016, infected an estimated 600,000 internet-connected devices, primarily IP cameras and DVRs, by trying a list of 62 default usernames and passwords. Most of those credentials were factory-set and could not be changed by the user. The botnet then took down the DNS provider Dyn, removing access to Twitter, Reddit, Netflix, and Spotify for several hours.

The cottage in Always Home was previously rented by someone who installed two cheap IP cameras facing the front and back of the house and never changed the default password. They are still online when Nora arrives. The novel implies, without confirming, that they have been online and accessible for some time.

7. Smart TVs that watch the room they are in

Most major smart TV brands, including Samsung, LG, and Vizio, run automatic content recognition (ACR) by default. ACR samples on-screen content frame by frame and reports it to advertising partners. In 2017, Vizio settled with the US Federal Trade Commission for 2.2 million USD over ACR data collected without consent. Several models also include far-field microphones used for voice-activation features that remain on after the TV is “off”.

Nora unplugs the smart TV in chapter five. She does not unplug the soundbar, which has its own microphone. The soundbar is the receipt the novel uses in chapter seventeen.

8. Routers with default administrator credentials

ISP-supplied routers in Australia and the UK frequently ship with default administrator credentials printed on a sticker on the underside of the unit. A 2022 Which? UK investigation identified several models that were still shipping with unchanged manufacturer defaults despite years of public security advice. Anyone with a few minutes of physical access to the router has full network control.

The router in Nora’s cottage was installed by the previous tenant. The default credentials are still active. Chapter eight is built on what that means in practice.

9. Voice activation at frequencies humans cannot hear

The DolphinAttack research, published in 2017 by a team at Zhejiang University, demonstrated that smart speakers could be activated by ultrasonic commands inaudible to humans. The technique has been refined in subsequent years and remains, as of writing, a class of attack that several mainstream voice assistants are vulnerable to in lab conditions.

The novel uses this as a single, late, deliberately quiet moment. There is no scene where someone explains how it works. The reader sees the result: the lights changing in a room nobody has spoken in.

10. Cloud-tethered devices kept alive by servers their owners do not control

In 2019, when Lowe’s discontinued its Iris smart home platform, devices that had been working fine the day before went dark. In 2024, Spotify discontinued its Car Thing accessory and bricked existing units. Connected devices live and die by the servers their manufacturers maintain.

The cottage’s back-door sensor stops reporting in chapter twenty-two. The novel never tells the reader why. The reader is left to choose between two readings: the manufacturer has gone quiet, or someone has gone quiet for the manufacturer.
