Smart homes have the potential to be the next mass market and represent a green field of opportunity, provided the industry can get a few crucial things right. Part of the increasingly ubiquitous Internet of Things (IoT), smart homes started out with connected light bulbs and thermostats and expanded to include a number of home appliances and audio devices, and perhaps most importantly, home security. According to recent analysis by Machina Research, such devices now number 6 billion, and the market for these smart home options continues to expand. However, if the industry is to be a sustainable, secure offering for consumers, then smart homes and apps need to expand their security defences alongside their connectivity. A key aspect of the smart home is wireless home security—motion sensors can switch on lights when they detect you walking through the door, wireless keyhole cameras can provide information about visitors and allow you to open your door from anywhere, and smart locks automatically secure your home when your phone drops out of range of your router. But what about the security of the devices themselves? A recent study from researchers at the University of Michigan exposed serious security flaws in popular smart home devices that can leave homeowners vulnerable to hacking and other threats. The study is the first in-depth empirical security analysis of a popular emerging smart home programming platform, Samsung’s SmartThings. Researchers focused on the programming framework, as it is the substrate that unifies applications, protocols, and devices to realise smart home benefits. They discovered that attackers can remotely and covertly target design flaws in the framework, resulting in potential arson, theft, home intrusion, and more. The study identified two key areas of risk. Firstly, that SmartApps are overprivileged; that is, SmartApps can gain access to more operations on devices than their functionality requires. For example, the ‘auto-lock’ SmartApp only requires the lock command of ‘capability.lock’ but also gets access to the unlock command, thus increasing the attack surface if the SmartApp were to be exploited. The second major risk identified was in the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events. The subsystem does not sufficiently protect events that carry sensitive information, such as lock codes. Any app with access to a device’s ID can monitor all the events of that device. Researchers also exploited framework design flaws to construct four proof-of-concept attacks that secretly planted door lock codes, stole existing door lock codes, disabled the vacation mode of the home, and induced a fake fire alarm. All of these attacks were successful in breaching home security and exposing a household to break-ins, theft, misinformation, and vandalism. The attack vectors the team used were not specific to a particular device. Applicable to all In an industry that relies on the interconnectivity of a range of apps and devices, this study is an important canary test—its key findings are broadly applicable. SmartThings share key security design principles with other frameworks, so lessons learned from this analysis can now inform the design of security-critical components of future programmable smart home frameworks. While the above might appear to be all doom and gloom in the smart home security space, the beauty of smart design and technology is that we are constantly evolving and improving—each iteration of a product builds on what came before, and we can absorb these lessons into our frameworks. Smart home devices and their associated programming platforms will continue to proliferate in response to growing consumer demand—a 2015 Gartner study estimated that consumers around the world are adding a staggering 5.5 million IoT devices daily. It’s our responsibility to ensure these devices are secure. Get smart about hacking threats This substantial growth means not only do we as developers and manufacturers need to be on top of software security, but consumers also need to adopt smarter behaviours to protect themselves from hacking. There are a number of ways homeowners can contribute to the security of their smart home. Implement two-step authentications The extra level of authentication could be a security key or a one-time code received by a phone call or text to keep unknown parties out of smart devices and the apps used to control them. Many websites and apps offer two-step authentication that users can opt into under “settings.” Other methods, including biometric authentication like a thumbprint or an eye scan, are increasingly being turned to as a harder-to-fake two-step authentication option. Complete security updates Most smart home devices don’t update automatically, so once a month users should open the app corresponding to their smart device and check for firmware updates. Even when buying a smart device directly from the store, users should check for updates sent out between the time it was manufactured and when it is purchased. Segregate internet connections It is important to segregate internet connections to reduce risk of hacking across devices. You can purchase a separate internet connection, or split an existing internet connection using a virtual local area network (VLAN). A VLAN segments the main network and compartmentalizes traffic so that if one device is compromised, it cannot be used to access others. Change default passwords Internet-connected devices often come with default passwords, and unfortunately as many users forgo changing factory settings, those devices become easily accessible to hackers. In fact devices with default passwords were the single largest contributor to the Mirai botnet, which was responsible for the October DDoS attack The way forward Developers of smart home security systems need to consider not only the physical security of the house, but also the potential threats to the software. Edimax Technology has just increased consumer options in the wireless home security space with the launch of three wireless cameras, as featured in the Taiwan Excellence showcase at CeBIT 2017, and the company uses the latest in security defences and ensures it stays on the frontline of current research into smart home security. To take the smart home security industry to the next level, it is imperative that clear standards are established across the industry, allowing for unification across all smart home technologies so disparate products can communicate seamlessly and—most importantly—securely with each other. Consumer interest is there, and once the security of the market is established, the only way for the industry is up.
↧
Connectivity At The Expense Of Safety
↧