We all know about the natural disasters that can beset the home: fires, floods and even earthquakes are all serious threats to properties that can cause vast amounts of damage to buildings and belongings. It is well known that smart early detection systems can provide an intelligent damage limitation tool for these kinds of problems, but they aren’t the only type of threat that homeowners face.
In many parts of the UK, burglary remains a significant threat. An array of smart sensors, alarms and door entry systems – as well as intelligent monitoring services – are being sold that claim to mitigate this kind of threat. Yet such devices can be double-edged swords, potentially becoming points of weakness that allow an intruder unauthorised access to a property.
To date, many smart home devices – particularly off-the-shelf, self-install products – have featured a distinct lack of protective measures. Without proper protections in place, these devices can be hacked for a number of malicious means – ranging from unauthorised data collection to, in some instances, a hacker gaining control over entire home systems. The danger this poses has caused serious disquiet amongst many would-be consumers; an Intel study conducted in mid-2015 saw 92 percent of respondents expressing concern that their personal data could be accessed via a smart home hack.
That said, human error is a major factor in the widespread failure to secure smart homes; a recent study by the Prpl Foundation led it to conclude that ‘the smart home is woefully insecure due to users’ failure to follow best practices’. Many consumers pick smart home technology based on price over security or else fail to follow the manufacturer’s recommendations for securing their devices – this leaves security vulnerabilities open which outsiders can exploit for their own ends.
Multiple routes of cyberattack
Just as with any computer with an internet connection, there are several ways that third parties can secure unauthorised access to a property’s IoT systems. The network router serves as the first line of defence for homeowners; depending on how this is configured, this will either go a long way towards stopping a would-be attacker, or simply offer up the keys to the castle with only minimal struggle.
It’s not just the home hub that can be compromised, however; there are countless studies proving that many devices can themselves be compromised, often by long-standing vulnerabilities. This issue is compounded further by the fact that many smart home units are granted more access to the network than they need to function: a University of Michigan study found that ‘more than 40 percent’ of almost 500 apps analysed were ‘over-privileged’ for the tasks they were meant to perform.
A perfect example of the multiple routes into a smart home comes from season two of Mr Robot, where an entire property is hacked, compromising the lighting, heating and audio-visual systems. A number of potential attacks are demonstrated – from the man-in-the-middle manipulation of a smart watch fitness app to RATs (that stands for Remote Access Trojans, rather than referring to a pack of rodents) being employed to seize control of certain devices and systems. While slightly exaggerated in the name of good drama (it would be highly unlikely that any house could change temperature that quickly, for example), it neatly highlights a wide range of the dangers that an unsecured home could face.
As Mr Robot highlights, there are several layers of possible attack, ranging from low-level physical access such as removing a door-bell from the wall (thereby exposing the circuit board so it can be hacked) to a sophisticated high-level attack on the cloud infrastructure underpinning a smart home system.
Many cyberattacks focus on wireless protocol insecurities, not just for wifi, but also for other communication networks used by the smart home including Bluetooth, Z-Wave, Zigbee and RF (radio frequency).
Some smart home installers use open ports to grant remote access to users; this is a potential vulnerability, as port scanning is a common technique for hackers to discover exploits in a system. An unsecured open port whose IP address is accessible to the internet could give an unauthorised user access to various systems within the smart home. It also provides a route by which malware that scans networks for IP addresses, such as the Mirai botnet, could spread rapidly (in some cases, in fifteen seconds or less on newly-connected devices).
A more secure solution is to use a virtual private network (VPN), although this is cumbersome to set up and not very user-friendly. Instead, more and more often a secure cloud-based system is used to authenticate the user, rather than enabling direct remote access between the user interface and the smart home device. Using a secure, encrypted gateway to manage communication between smart home devices and the user means that sensitive information can be stored in a virtual private cloud and made inaccessible to the public internet, making it much less accessible to hackers.
While cloud back-end attacks have been known to take place, this is far more difficult and much less likely than a hacker exploiting an open port or weak password to gain entry to a smart home device. That said, all data and any associated keys held in a back-end cloud system should always be properly encrypted (the IET recommends that this should meet at least AES128 standard for it to be considered secure from brute force attacks).
Smart home devices can be protected against most forms of digital attack if the right precautions are taken (as explained above), but frequently it is left to the user to be responsible for their own cybersecurity and determine whether the devices they put in their homes have sufficient security protocols to prevent them from becoming a point of vulnerability.
Building the great firewall
According to the Prpl Foundation’s research, a worryingly high number of occupants (37%) don’t change the default passwords on their routers and their devices. Another issue is that, when they do change them, users frequently select weak passwords and/or log in credentials that can easily be guessed or bypassed.
It is critical for occupants to update smart home firmware regularly and when prompted to do so by the manufacturer, as not doing so can leave a system critically vulnerable to known attacks that need to be patched via said updates.
“Many viruses, worms and other exploits are not revealed by researchers and ethical hackers until after a company has been notified and has fixed the hole in its systems, but failing to install updates as they are released can leave households susceptible to known flaws for weeks, months or even years longer than they need to be.”
Wojtek Zajac, Technology Director at Andrew Lucas London
Some attempts to infiltrate a home rely, quite simply, on the homeowner using their intelligence and staying alert to threats, notably those that use phishing and other forms of social engineering to acquire user data. An example of this might be an email with a link asking the user to update their details. If malicious, this could take them to a fake website where their credentials are harvested and then used against them.
Yet the responsibility for eliminating the potential for human error doesn’t just lie with the consumer, as Context’s Smart Home Cybersecurity Manifesto points out: “All smart home devices and services must be accessible and understandable for all users, regardless of technical prowess. The end-user should never be blamed for a security vulnerability that arises in the installation or the running of a product or service.”
There is a delicate line to be trodden here, as companies clearly do not want to confuse or put off customers who might not be comfortable with taking complex measures to defend their homes. Yet by stripping out encryption or adding back doors into their products to make things simpler for the user, some manufacturers are making their devices remotely accessible directly via the web, leaving them open to issues such as Cross-Site Request Forgery (where the hacker can manipulate the actions of the unit) and denial-of-service (DoS) attacks, where a machine or network becomes unavailable to the user.
This is where the line between usability and security is crossed, and where manufacturers and installers alike have a responsibility to their clients to help them to secure their smart homes in a way that is both convenient to them but also keeps them and their properties safe.
Boarding up the cyber windows
If there is an option to do so, there are clear advantages to hard-wiring a system so that it communicates directly with a central hub. This reduces the number of opportunities for would-be intruders and makes it less likely that individual devices will provide the weak link that allows access. For a retrofitted solution, a wireless or hybrid system might be the only feasible option, which makes securing the home’s networks even more imperative.
Regardless of what type of system a homeowner chooses, there are steps that can be taken to make a security system more secure. Built-in fail-safes and redundancies play an important role in keeping a security system healthy, preventing multiple access attempts and providing a back-up to restore the system in the event of problems. De-trusting mechanisms that lock out third party devices in the event of authentication failure, and letting the homeowner override a security system with manual access methods are also ways of making the smart home a safer place to live in.
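The lock-out and manual override described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor; the class name, the three-failures-in-five-minutes threshold and the shared-token scheme are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class DeviceTrustRegistry:
    """Hypothetical hub-side trust list: repeated auth failures de-trust a device."""

    def __init__(self, max_failures=3, window_s=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock                    # injectable so tests control time
        self._tokens = {}                     # device_id -> shared secret (bytes)
        self._failures = defaultdict(deque)   # device_id -> failure timestamps
        self._locked = set()                  # de-trusted device ids

    def enrol(self, device_id, token):
        self._tokens[device_id] = token

    def authenticate(self, device_id, presented):
        """Return 'ok', 'denied' or 'locked' for one authentication attempt."""
        if device_id in self._locked:
            return "locked"                   # stays locked even if the token is right
        # Unknown ids are compared against a dummy value so that response
        # timing does not reveal which device ids are enrolled.
        known = device_id in self._tokens
        expected = self._tokens.get(device_id, b"\x00" * 32)
        if hmac.compare_digest(expected, presented) and known:
            self._failures.pop(device_id, None)
            return "ok"
        now = self.clock()
        recent = self._failures[device_id]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked.add(device_id)       # de-trust until the owner intervenes
            return "locked"
        return "denied"

    def owner_retrust(self, device_id, new_token):
        """Manual override by the homeowner: re-enrol with a fresh secret."""
        self._locked.discard(device_id)
        self._failures.pop(device_id, None)
        self._tokens[device_id] = new_token
```

A locked device is refused even when it later presents the correct token, so a guessed or stolen credential is of no use until the homeowner re-enrols the device with a new secret.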
If your system is installed by a security or smart home expert, then remote monitoring might well be included as part of the package. This offers an additional level of protection, in that the system will be actively monitored for signs of unusual behaviour, which are flagged as they arise and can be dealt with, either by the homeowner themselves or by a specialist team.
Is it worth the risk?
The threats associated with the smart home might seem myriad, but the likelihood is that, unless there is a significant reason for being targeted, then the average house is unlikely to find itself the victim of a malicious attack. That is no reason not to be prepared, however, as it seems likely that this kind of intrusion will only become more commonplace as time goes on.
It is with good reason that many consumers are concerned with security in the smart home, but it is far from being an insurmountable problem. For those looking to ensure that their homes are properly protected, a smart home installer with security expertise can recommend which systems to go for and explain how they can be properly secured.