As technology advances and the costs of connecting electronic components to the internet decreases, the lower the cost of having an internet connected smart home is. Sensors placed throughout a house and integrated into home appliances can provide homeowners the advantages of monitoring and managing functions of the home remotely.
According to Rehman & Manickam, there are three components of a smart home: indoor, outdoor and gateway. The indoor environment consists of physical internet connected devices such as smart locks, video doorbells, intelligent appliances, Wi-Fi thermostats, etc. The outdoor environment provides internet access to the smart service provider for remote access and management of the devices, while gateway devices act as a bridge between the indoor and outdoor environments.
The gateway devices provide security by monitoring the network flow in the smart home and managing remote access to the smart home. Given their roles described above, these three types of components need to be taken into consideration when evaluating the inherent risks of a smart home.
Identifying Today’s Risks Facing Smart Homes
In today’s world, there are six major security threats to a smart home: eavesdropping, replay attack, message notification, denial of service, malicious codes and masquerading. Let’s briefly look at how each of these attacks works:
- An example of eavesdropping is when an attacker monitors internet traffic from indoor and outdoor environments without authorization from users. Data that passes through the network while the attacker is eavesdropping can be captured. This is considered an attack on the confidentiality of the smart home environment.
- Replay attacks can be leveraged by an attacker in instances where they can capture an action being performed on a smart home device and then replay that action over again to get the same result. There are many ways a replay attack can be carried out such as eavesdropping, capturing the network traffic of an action and resending the network traffic to the device. If a smart home has voice-controlled assistants, capturing audio of an authorized user’s command and playing it back on a speaker will in most cases bypass voice identification.
- Message notification occurs when an attacker captures traffic and then modifies parameters and data in the message to maliciously manipulate the intended action.
- A denial of service attack can be used to create an outage on the smart home device. Some smart home security devices “fail open,” which mean that in the event there is no internet service or power connectivity, the devices will allow all access. This can be troublesome if your front door locks suddenly lose connection with the smart home provider and they automatically unlock as a safety feature. Fail open commercial smart locks are increasingly becoming more common due to fire safety regulations. Additionally, a denial of service to the internet connectivity of a smart home would result in many of the security features of the devices not working. For instance, if a homeowner uses a video camera system that stores the footage in the cloud, the cameras will not be able to store footage without an internet connection. An intruder would only need to cause an internet outage to go completely unnoticed.
- Exploiting vulnerabilities in the software or firmware of smart devices with malicious code is a threat to the smart home that should be taken into consideration when choosing the right smart home technology. If the firmware of the smart devices is not updated and patched regularly, attackers can leverage preexisting vulnerabilities and public exploits to gain access to the devices. Since most smart home devices require internet connectivity, more providers are requiring automatic updates to prevent devices from being used without being updated. Ongoing security updates of your smart home devices are provided by the company that produced it.
- A masquerading attack happens when an unauthorized attacker gains benefits from being authorized as a legitimate user. Two security researchers, Ali and Awad, used the operationally critical threat, asset and vulnerability evaluation (OCTAVE) framework to identify the general cybersecurity risks to a smart home. In their analysis, they discovered that the highest risk to a smart home is unauthorized access to the smart home system due to the attacker having full control as a legitimate user.
There’s one type of attack which we haven’t yet discussed, however. With breaches happening often and aggregated data from previous breaches circulating the internet, the greatest threat to unauthorized access in the smart home is probably the credential stuffing attack. Credential stuffing is the reuse of compromised credentials to gain unauthorized access to accounts and services.
Due to its low level of technical skills required for execution, its high success rate and the increasing availability of breached data, the credential stuffing attack is becoming a serious problem to the security and privacy of the smart home. The risk of credential stuffing has been cumbersome to companies as they try to catch up and protect their users against reuse of the old passwords or variations thereof.
Braue cites many sources to substantiate that credential stuffing is a serious threat. In response, the security industry is upping its response to password reuse attacks. For instance, the security community is applauding Nest for proactively locking users out of their account until they change their passwords in the event that Nest found their customer’s passwords among recent data leaks.
Defending Your Smart Home against Digital Threats
A smart home user should only choose technology that offers technical security controls to protect against authorization attacks such as two-factor authentication. More providers are offering this as an option to secure accounts but are not enabling it by default. Using two-factor authentication to your smart home services drastically reduces the risks of unauthorized access. Two-factor authentication should be enabled at all opportunities. It is also important to choose smart home technologies produced by companies who are mature and well reputable.
Not only would you have better support for your smart home devices, but they are also more likely to produce software updates that will increase the security of your devices and better protect against unauthorized access. These well-funded companies are less likely not to be compromised themselves and have staff that are hired to protect their users.
Choosing off-brand smart home products are recipes for disaster. Saving a few dollars now and sacrificing the privacy and security of your home is not a tradeoff that most are willing to take. Administrative security controls can be used to change the process that a smart home user uses credentials. Less technical policies like never reusing the same password twice and enforcing rules to store passwords somewhere safe also reduces the risk of credential stuffing.
Having a unique password for all services takes more time and is difficult to remember, so Haber and Hibbert recommend that using a password manager is a good strategy to protect against credential stuffing. All passwords used for smart homes should exceed the minimum complexity requirements of these services. One final way to protect smart home users from credential stuffing is to use the Google Chrome extension called Password Checkup.
This recently released tool issues an alert whenever it sees a person using a username and password combination that has been identified as leaked in a breach. The greatest risk identified to smart home users is unauthorized access to the smart home system. Combining technical security controls such as password managers, enabling two-factor authentication and Google’s Password Checkup tool along with administrative security controls can greatly reduce the risk of owning a smart home.
Administrative controls governing the usage of passwords to ensure credentials are not reused and meet complexity requirements are measures that can be taken by the end user to better protect themselves not only in smart homes but in all services that require authentication. Lastly, choosing the right smart home provider is important due to the support, handling and care of your information as well as ongoing product updates.
The smart home industry is growing as more users are finding the value in the automation aspect of these devices. The advantages of data analytics on smart homes is reducing the costs of home ownership allows users to maximize the savings on variable costs in the home such as heating and cooling.
About the Author:
Tyler Wall is a security fanatic. Employed as a Senior Security Engineer by day and born with a natural curiosity for anything and everything that spills over into everyday life by the form of his many (mis)adventures. He holds numerous security certifications and degrees and describes himself as a catalyst for positive change.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.
