How IoT Can Compromise Your Home's Safety and Security
In this 2-part series, we’ll explore how IoT can make your home more secure and also examine IoT security risks that can inadvertently make your home less secure.
Internet of Things (IoT) systems can provide physical security and alert you to potential dangers lurking in your home.
However, as with any new technology, there are trade-offs, and unfortunately, IoT systems and devices can create threat vectors for cyberattacks. (Also read: How IoT Can Make Your Home Safer and More Secure.)
“They could actually increase the number of common cyberattacks, like using an IoT device to gain access to a home network via a poorly architected phone app or web interface, and from there to find sensitive information like banking accounts or personal data on your laptops and phones,” warned Tom Snyder, executive director of RIoT.
And although it sounds like an oxymoron, securing your home doesn’t necessarily make it safer.
“IoT devices such as security cameras, Wi-Fi routers, smart kitchen appliances, and voice assistants, are all easy targets for cybercriminals who can access the data collected and stored by these gadgets,” said Martin Zizi, founder and CEO of Aerendir. (Read Are Your Enterprise Printers Protected from Cybercriminals?)
“Because these connected devices have very limited built-in security, without any mechanism for software updates, and usually have default and insecure passwords, compromising such devices is an easy scenario for cybercriminals.”
In fact, he said even a smart fridge or video doorbell can be remotely assessed. What happens next? “It can be used to carry out distributed denial of service (DDoS) attacks, clogging up normal traffic, and allowing hackers to compromise data stored on the Cloud.” (Read Will Blockchain Technology Make DDoS Attacks Obsolete?)
And from that point, Zizi said sensitive data like passwords, health records, and personal ID numbers can all be manipulated.
But, if IoT systems and devices are so advanced, why are the security capabilities so weak, making them ideal entry points for hackers?
“First of all, there is no real form of standardization yet,” according to John Baekelmans, vice-president of imec’s IoT and Connected Health Solutions Group & managing director at imec Netherlands.
Devices speak their own "language," and he said this makes it incredibly hard for the network to know which devices to really trust.
“Secondly, there is the commercial aspect: the cost of building extra security into these basic devices is often too high for commercial purposes,” Baekelman said.
Snyder agreed, and said that security always lags in emerging markets because it’s an additional cost, and initially, markets are not valuable enough to bear that cost. And as a result, many poorly architectured systems are deployed today.
“The first cars did not have seatbelts or airbags or anti-lock brakes: these security costs were added once the market was large enough that additional growth of the market demanded additional security.”
And Snyder explained that the first browsers and email systems didn’t have antivirus and spam protection. “The market was not large enough initially for pure security companies or features to survive, but once the market was large enough, higher quality performance was demanded and the market was willing to bear that cost.”
But until the market is willing to bear these security costs, using these devices in our homes is a double-edged sword.
“Any technology we bring onto our property - or more specifically, connect to our home WiFi network - can become a highly effective Trojan Horse,” warned Mike Hibbett, security architect, IoT Solutions Division at Taoglas.
“Wifi access points provide a huge convenience for connectivity to the Internet but they also provide a critical function - isolating ("firewalling") incoming traffic from the Internet to devices on our home network.”
In fact, he said the wires on the back of your access point devices that connect it to the cellphone or cable network are completely exposed to the entire world.
“Home access points are detectable and connectible from anywhere, at no cost or effort.” And while the firewall prevents uninvited guests from accessing the device in our home, there are no barriers for communication between devices that connect to the access point.
“Wifi controlled light bulbs, alarm systems and the computer containing all our confidential and financial information can communicate with each other.”
He compares it to bringing strangers into your home, locking the door behind them, and then thinking that you’re now safe.
“IoT devices from unknown manufacturers can have weak security mechanisms or already be maliciously designed to extract personal information that can be sold, and these devices can also be controlled remotely — bypassing any firewall — to control an access point to join a group of similar devices directing Internet traffic to a remote victim's computer,” Hibbett said.
And the havoc that hackers can wreak is extensive. “The hacker can know when you are not home, turn off alarms, unlock doors and walk right in,” said Marco Perry, founder and principal at Pensa.
“They can turn on or off devices to ruin your home, such as turn on your stove and start a fire, turn on the water and create a flood, turn off the heat and freeze pipes, and let your dog out.” And Perry said they can turn on your cameras and invade your privacy.
“The more you connect to the network, the more items are vulnerable to an attack.”
All of this may sound like a heavy dose of paranoia. But we contacted Ken Munro, security researcher and partner in Pen Test Partners, an ethical hacking firm, and he recommends thinking long and hard before committing to gadgetizing your home.
“Even if you have extremely secure devices in your home (think Alexa) we’ve shown how less secure devices can be used to trick it into compliance.” For example, his company used Google Chromecast over a smart TV to issue commands to Alexa.
Munro provides a few examples of specific device issues:
Smart home central control systems
“When carrying out a security assessment on a proof of concept smart home in the UK, my interest was piqued by a smart home management system that aggregated smart products. We noticed an insecure direct object reference in an account reference parameter and by modifying this, we could access the user’s account.
As it brought together virtually every smart device in the home, it allowed us to compromise everything. Even devices that we knew were otherwise secure. We had the ability to unlock smart door locks, disable smart house alarms, spy on CCTV, listen to microphones, everything.”
“IP CCTV cameras, webcams and DVRs are highly susceptible to being taken over, thanks to the fact that many use default credentials and have web interfaces exposed to the Internet, both of which allow these devices to be taken over remotely without the attacker even having to locate you.
It’s then possible to relay live footage from your webcam or CCTV camera to the attacker’s server, giving them a window into the user’s everyday life. We’ve found some that are even connected to the burglar alarm; information that could be used to orchestrate burglaries.
With these cameras the question is increasingly going to be who’s watching who?”
“On one occasion, we showed how we were able to divert a colleague’s camera feed to a server in China. On another, we hacked Swann and FLIR-FX/Lorex branded security cameras due to the way the cloud provider, OzVision, authenticated access."
"The team was able to switch video feeds from one camera to another through the cloud service, potentially providing access to anyone’s camera. Each camera uses a hard-coded serial number to communicate with the cloud service, provided by OzVision."
"Replacing this allowed the researchers to view one another’s cameras and were able to enumerate every Swann camera serial number in three days. While Swann fixed the issue, other cameras are still vulnerable. OzVision, which supports three million cameras, came in for heavy criticism as it had known about the issue for nine months.”
“The Tapplock claimed to be unbreakable. It wasn’t. We were able to capture its unencrypted data stream over Bluetooth Low Energy (BLE), identify the BLE MAC address and use this to unlock it. This meant an attacker could scan the Internet for Tapplocks, walk up to them and unlock them in under two seconds using only a mobile phone, making it less secure than a standard padlock.”
“We exposed issues with the first-generation Ring doorbell and showed it was possible to connect to the device to reveal the WiFi key in plaintext. This would allow a hacker to access the user’s network. Thankfully, Ring was quick to respond and fixed the issue with an update.”
Smart alarm systems
“Can be jammed using a continuous signal to interfere with the alarm, rendering it useless. Another attack is to capture and replay the signal which is sent to and from the alarm when it communicates with other systems on the network."
"For instance, it’s possible to capture the disarm signal emitted by the user’s key fob and to record this, allowing the attacker to return to the scene and disarm your alarm at their convenience. Or perhaps the attacker chooses to play a corrupt version of the signal which can lead to the alarm hanging completely."
"Again, all they need is a Software Defined Radio (SDR) for around $300 and a laptop – which, up against the value of the contents of multiple houses is a price worth paying for most burglars. Both of these attacks need to be carried out in the local vicinity but it’s also possible to compromise IP-enabled alarms remotely.”
Munro’s company contacted one vendor to tell them about a cross site forgery issue. The vendor’s response was that the device was no longer supported, so they wouldn’t be fixing it.
So what can consumers do to try to keep your IoT systems and devices secure? Hibbett recommends buying devices from reputable manufacturers only — and discarding the device when the company stops supporting it.
In addition, Zizi recommends on-device biometric authentication. “Unlike your default password, on-device biometric authentication systems provide the safest privacy solution for IoT devices because they are nearly impossible to hack or spoof,” he said.
Ultimately, it’s going to take everyone working together. “Device manufacturers, IoT providers, and consumers need to make sure all this incredible tech doesn’t threaten user safety,” said Chris Romeika, operations director of Pangea.
“Standards like the Data Encryption Standard (DES), Advanced Encryption Standard (AES), and RSA (Rivest-Shamir-Adleman) Encryption need to be enforced; software needs to be kept updated; and passwords need to be changed regularly—especially just after a user has bought a device.”