On 16th May 2016, internet security company Rapid7 contacted multi-national lighting manufacturer Osram about its Lightify smart lighting range. Nine issues had been identified across its Pro and Home products, which allowed a number of malicious behaviours such as unauthenticated control of the lightbulbs and accessing network configuration information – the latter an issue that could completely compromise an entire smart home security set-up.
As Osram scrambles to fix this problem – four of the nine problems identified will remain unresolved until a further patch in August, due to issues with the way that Lightify interacts with Zigbee – the smart home community has taken another public hit to its already poor reputation when it comes to security management. Some of the system’s flaws – such as weak default pre-shared keys – have been described as ‘amateurish’, problems that should be audited and eradicated before a product ever makes it into people’s homes.
While Rapid7 gave Osram plenty of time to fix the critical holes in its system before publishing this information, this is hardly the first time that a significant number of homes have been put at risk due to unsound security measures being found in widely available IoT devices. Playing Russian roulette with a homeowner’s cybersecurity cannot be a viable option for manufacturers, particularly when the mistakes being made could have been resolved by more stringent testing ahead of release.
Phone hacking the smart home
It is not just vulnerabilities in the way particular products are coded that can jeopardise a home: an over-reliance on the security features of the home router can also create a back door for hackers. A group of Australian researchers have highlighted this susceptibility by developing a malware-loaded smartphone app that not only gained approval from Apple’s AppStore (considered by the researchers to be more stringent its security than the Google Play store) but also allowed them to externally access certain smarthome devices. This uses Universal Plug-n-Play (UPnP) protocol allowed them to modify the firewall, which let them discover which devices were active in the house, take control of the devices and then cover their tracks afterwards.
It might sound like a script out of Mr Robot – yet this is a genuine threat that needs to be considered when implementing connected home technology. Relying simply on your network gateway to provide a firewall is inadequate and, with Osram one of many high-profile breaches, you cannot simply trust that a company has done its homework when it comes to ensuring the security of its IoT devices.
“Manufacturers have unfortunately been lax in embedding appropriate security protections in their consumer IoT devices, due to multiple reasons: business pressures force them to rush to market, revenues are derived from unit-sales rather than ongoing service, and security measures require skills and resources that add to costs.”
Smart phones attacking smart homes, Sivaraman, Chan, Earl and Boreli
The Dark Knight to the rescue?
One solution to this could be to make use of Tor – better known for being the software that enabled Silk Road and other darknet markets to operate – to keep prying eyes from accessing your smarthome devices. Recent efforts from the non-profit enterprise the Guardian Project (a partner of Tor) yielded a means of pairing a Raspberry Pi computer with HomeAssistant’s open source software to act as both a smart home hub and a Tor hidden service i.e. a home network rooted in the darknet.
The Hidden Service Protocol hides network identities and encrypts authentication measures so that direct contact between people and devices can be established without sensitive information potentially being compromised. This makes it significantly harder for external parties to discover information about your network or any sensitive data contained within it as, in the words of the Tor Project: “Instead of a hackable, single point of failure, attackers must contend with the global network of thousands of Tor nodes.”
This darknet approach is still very much in the prototype stage and is some way from being a user-friendly commercial reality, but the Tor Project has expressed a willingness to work with potential partners interested in implementing its security protocols into smart home devices. In the meantime, there are a couple of steps that customers and residential design professionals can take to ensure that the smarthome products they elect for are up to task.
It is important to verify, where possible, whether or not the products being specified come from a manufacturer (or manufacturers) with a good track record when it comes to security. Established connected home technology will generally be proven in terms of robustness, so it might be sensible to wait a while before jumping in and installing a brand new product from an unproven company.
Seeking expert advice from a connected home professional that has experience with network security before pressing ahead with implementation will also make it more likely that the appropriate measures can be taken to protect the systems being installed, so that a house is not left vulnerable to a cyber attack upon completion.