Consumers who outfit their homes with home automation devices without considering security may be inviting hackers and thieves inside.
Repeatedly, studies have revealed that devices designed to automate the home have serious vulnerabilities. Many devices have weak password policies and do not protect against man-in-the-middle attacks, according to an HP survey of 10 off-the-shelf home security systems. Others do not prevent access to the device’s debugging interface, which could allow easy hacking of the device, according to an April study by code-security firm Veracode. And, if an attacker is able to gain access to the device, almost all devices could be easily compromised and turned into a Trojan Horse, according to a study by security firm Synack. In fact, it only took between 5 and 20 minutes to find a way to compromise each device, once the researchers unpacked the hardware.
“These companies are really pushing to get a product to market to really compete in this Internet of things boom, but they don’t have a security guy on their team, so there is a lot of small stuff being overlooked,” says Colby Moore, a security research analyst for Synack. “The majority of companies are ignoring the basics.”
By the end of the year, about 2.9 billion consumer devices will be connected to the Internet, according to market researcher Gartner. While the Apple Watch may be the best-known device among the Internet of Things menagerie, many of the “things” that you will connect in the future will be part of your home. Unfortunately, the rush to deliver home automation capabilities to users has resulted in poorly secured systems creating additional avenues of attack for online miscreants.
“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,” Brandon Creighton, Veracode’s security research architect, said in a statement.
Security firm Synack, for example, tested cameras, thermostats, smoke detectors, and home-automation controllers, looking for security vulnerabilities. The company considered four scenarios that could impact consumers: An attacker breaks in and has two minutes with the home’s devices, a thief steals a person’s mobile phone, an eavesdropper in a cafe monitors the victim’s Internet sessions, and a more advanced attacker manages to modify a home-automation device before a victim’s purchases it.
Each device had security shortcomings. Consumers’ desire to control their home from the smartphones, for example, means that losing the device can have some significant consequences for home security. In addition, so many products do not use encryption technology.
“I can’t say that I was shocked, but it was pretty shocking,” Moore says.
For those consumers embarking on a journey into home automation, here are some mostly simple steps to protecting the devices as much as possible.
Lock down the router
Routers are the digital doorway to the home, and a poorly-secured router can allow an online attacker easy access to all the home automation devices in your network. In May, for example, security firm Incapsula found that a group of attackers had turned routers with default passwords into a botnet that they then used to take down Web sites using a denial-of-service attack.
Users should invest in a router with a good security track record, make sure that the default admin password has been changed, and that it’s running the most current firmware.
Prevent tampering with devices
Getting two minutes with devices in the home did not give the attacker enough of a window to modify the devices, according to security firm Synack’s study. Devices with a USB update mechanism, however, were vulnerable to quick compromise.
Home users should put devices in places where untrusted people cannot easily access them, with particular emphasis on devices with a management port.
Go with a cloud service
Cloud services designed to help a consumer manage home-automation devices, such as Vivint, ADT, or a similar service provider, typically cost money and can open up privacy and security issues if not properly secured. Yet, for most situations, the service provider does a better job securing the service than a home user can. If you do not use a cloud service, you will be responsible for checking the security of the systems yourself.
So consumers should shell out the cash to make their home-automation more convenient and more secure at the same time. However, users do need to pick a complex password and should also ask about two-factor authentication, which adds another layer of security to accessing the account.
Update the devices
Many of the developers creating the software for home-automation products are relative novices when it comes to security. David Jacoby, a security analyst with Kaspersky Lab, attempted to hack his home and found a number of simple vulnerabilities in his home storage product that gave him a beachhead into the network.
“The developers have the excuse that they are not security people,” he says. “But we need to get the vendors to patch the vulnerabilities that they learn about.”
Because so much security functionality needs to be improved, applying updates is a critical step to insuring home-automation devices remain secure from the simplest attacks, he said.
Go with a name brand
A company that is just dabbling in home automation will not take the security of their products seriously. Consumer should focus on companies that have committed to their products and the security of those products, says Synack’s Moore.
“You want someone who has been around, someone with a reputation,” he said. “At least they will stand behind their product and push out updates.”
The conclusion of Synack’s testing resulted in a positive recommendation of Nest thermostats and home automation equipment. Of course, the study was sponsored by Nest, now part of Google. Hive, a home-automation integrator, also did well in Synack’s tests, according to a presentation on the study. SmartThings, which grew out of a 2012 Kickstarter project, garnered high the best performance in Veracode’s study.