Dirty devices drag down smart home security
Smart homes are composed of a growing array of devices that connect to home owners and their makers to share data and perform functions from HVAC control and access control to pet monitoring and many more. Different apps have different levels of security sensitivity and also offer different value to users and therefore are sold at different price points. George Malim assesses how this complex and fragmented smart home environment can be best secured while also delivering maximised benefits.
The Avast 2019 Smart Home Security Report, which used insights from more than 16 million smart home networks across the globe, has found that: 40.8% of digital households worldwide have at least one vulnerable device, putting the whole home network at risk; 59.7% of household routers worldwide are vulnerable; and that, apart from routers and network devices, media boxes, security cameras and printers are the most vulnerable household devices. Smart home security is therefore already a massive issue and one that is only going to worsen as smart device adoption grows.
This reality is largely unrecognised by home owners, who have embraced the technologies and glossed over the risks. An online survey of more than 10,000 respondents conducted by Palo Alto Networks and YouGov uncovered mixed views on the perceived security of Internet of Things (IoT) technologies, such as smart home devices and wearables: 38% of EMEA respondents believe them to be secure, with a similar number (43%) thinking the opposite.
So, are smart home devices creating security weaknesses for criminals to exploit?
“In short, yes,” says Keiron Shepherd, a senior security systems engineer at F5 Networks. “Any devices connected to your home network or with internet access can be a stepping stone to more interesting targets, for example banking applications or social media accounts. To illustrate, let’s say your smart coffee machine ships with a default admin password and is connected to your Wi-Fi,” adds Shepherd. “An attacker could carry out a simple scan using tools such as Aircrack-ng. This is a passive scan that can be used without having to be connected to your Wi-Fi network. After that, it is easy to work out what IoT equipment make or model you have on your network.”
Jonathan Knudsen, a senior security strategist at Synopsys, agrees: “Any device you add to your home network comes with its own security vulnerabilities,” he says. “In the best possible scenario, the device vendor has considered security at every stage of their product development, and the result is a product that is reasonably secure.”
However, reasonably secure devices won’t necessarily be enough as complex interactions between devices of varying security capabilities become more popular. “With this increase in connectivity comes increased risk owing to the complexity and diversity of devices and associated vulnerabilities, which criminals can exploit,” says Richard Holmes, the head of cybersecurity services at IT and consulting firm CGI UK. “The issue we are faced with in particular is that many of the consumer IoT devices run on old legacy software which, in some cases, has not been developed for many years. The speed with which products are coming to market means that security is still not considered important enough and trying to bolt on authentication such as two-factor authentication (2FA) is extremely difficult.”
“The very nature of home-based IoT is that it is driven by cost minimisation, rapid time to market, low maintenance and increased integration,” he adds. “These are all challenges to good security yet we are bringing these devices into our home – our inner sanctum – with access to privileged information about our domestic lives and an increasing ability to control that environment.”
Breaches won’t just hurt consumers, they could damage the enterprises they connect to and stifle IoT’s development in general. “Today’s world of connected devices is full of opportunities, but poor security practices risk undermining its success,” says Manfred Kube, the head of communications, analytics and IoT solutions at Gemalto. “Most recently, researchers from Stanford University found that smart devices sitting in our homes such as smart TVs, printers, game consoles and CCTV, could be a threat to enterprise systems. As more and more smart home devices get connected to the internet, the weak links exposing them to security vulnerabilities are also likely to increase. Consumer habits, particularly around creating weak passwords, need to improve, but manufacturers must also take a security by design approach to their devices from the very outset in order to mitigate those risks.”
Timo Laaksonen, the vice president of operator sales for North America at F-Secure, concurs: “New weaknesses introduced by smart home devices range from open communication ports and use of insecure protocols to hardcoded passwords and outdated, insecure software platforms,” he says. “Security is often only an afterthought that does not necessarily help sell the product. We need a change in the design process of smart home devices: Security – and privacy, for that matter – has to be considered a crucial design factor and functional requirement from the get-go.”
It’s easy to point the finger at domestic Wi-Fi network security weaknesses but these are far from the only weak point smart home devices encounter. “Wi-Fi based internet connection is the obvious weak spot in many home security products,” acknowledges Kube. “Many connected home security cameras offer the chance for the homeowner to watch their house when they are sat on the beach on the other side of the world, using their smartphone, and be alerted for any suspicious activity. However, they can also provide a hacker with a gateway by which they can compromise the entire network. A criminal can also easily disconnect your smart home devices by simply disabling the router cable, which is usually located outside of a house – a pair of snips could be all it takes to perform a very effective denial of service attack.”
For Marc Canel, the vice president of strategy for security at Imagination Technologies, it’s important not to single out a particular communications technology. “Communications links can become a vector for attacks in the smart consumer marketplace,” he says. “However, Wi-Fi and Bluetooth Low Energy (BLE) offer significant advantages for communications in a restricted physical space versus cellular technologies such as 4G.”
Cellular IoT connections are certainly not the only way to ensure a secure smart home network. “It is reasonable to assume that not everyone will want to use cellular data to carry out their home automation tasks, though it’s a good idea to have an LTE backup in case your main internet connection goes down,” says Paul Routledge, the UK and Ireland country manager for D-Link. “Technology that enables segmentation within a network can help to keep your network safe and secure. For example, creating a guest network which doesn’t connect to your business laptop can help protect against viruses and Trojans that may have joined your network. Routers that have built-in home protection can be used to block malicious websites and, more importantly, connections, as well as protect your network from becoming an automated botnet should your device become vulnerable.”
This segmentation provides a likely path to apply different levels of security to different IoT devices and applications. However, users will need to bear an increasing level of responsibility. “Any smart device should be treated as dirty and connected to a separate network – something most security-savvy organisations have been doing for years,” says Gavin Millard, the vice president of intelligence at Tenable. “Take, for example, the convenience of a smart doorbell which can send notifications directly to a phone when someone is near it, even if they don’t actually press the doorbell with some models. This is a fantastic security measure, but if an unpatched vulnerability exists within the device it could be compromised by an attacker.”
In this way, the physical security benefits enabled by IoT are negated by gaping cybersecurity vulnerabilities. As the industry matures, it will have to adopt the concept of building security into new software and applications if the use cases are to survive the inevitable negative headlines that security breaches will cause.