International Defense Security & Technology Your trusted Source for News, Research and Analysis
A smart home refers to a convenient home setup where appliances and devices can be automatically controlled remotely from anywhere with an internet connection using a mobile or other networked device. Devices in a smart home are interconnected through the internet, allowing the user to control functions such as security access to the home, temperature, lighting, and a home theater remotely. A smart home’s devices are connected with each other and can be accessed through one central point—a smartphone, tablet, laptop, or game console. Door locks, televisions, thermostats, home monitors, cameras, lights, and even appliances such as the refrigerator can be controlled through one home automation system. The system is installed on a mobile or other networked device, and the user can create time schedules for certain changes to take effect.
Smart home appliances come with self-learning skills so they can learn the homeowner’s schedules and make adjustments as needed. Smart homes enabled with lighting control allow homeowners to reduce electricity use and benefit from energy-related cost savings. Some home automation systems alert the homeowner if any motion is detected in the home when they’re away, while others can call the authorities—police or the fire department—in case of imminent situations. Once connected, services such as a smart doorbell, smart security system, and smart appliances are all part of the internet of things (IoT) technology, a network of physical objects that can gather and share electronic information.
Smart homes use internet-connected IoT devices, such as light switches and fridges, that can autonomously flick on your lights, open doors, or even alert you when you’re running low on milk. But all this convenience and connectivity come at a price. Namely, smart-home devices are prone to a plethora of security vulnerabilities that can put your data or property at risk if you’re not careful. A recent article from Forbes outlines several attacks against smart homes. The attacks included remotely controlling lights and TVs, turning on a hot tub water heater, and opening someone garage door.
Like any product that connects to the internet and uses wireless technology, smart home security systems are vulnerable to hacking, particularly systems that lack encryption. Hackers can sit outside your home and use a laptop and software to intercept wireless signals coming from your system that allow them to suppress alarms and disable sensors. Other devices allow hackers to generate radio noise that can jam communications between the sensors and the hub. Additionally, devices that connect via Wi-Fi, such as security cameras and smart door locks, can be hacked to gain access to your home network. A skilled hacker can then use your Wi-Fi devices and other network resources to carry out Distributed Denial of Service (DDoS) attacks against larger networks. Perhaps even more disturbing is the idea of some stranger monitoring video from your indoor and outdoor security cameras.
In some cases, the smart home HUB or control system did not require a password, leaving them wide open to hackers. It happened in 2018. The VPNFilter malware — short for malicious software — infected over half a million routers in more than 50 countries. VPNFilter is able to install malware onto devices and systems connected to your router — the hardware that allows communication between your connected devices and the internet. It can make your router inoperable. It can also collect information passing through your router. And it can block network traffic and steal your passwords.
Other reported hacks include remotely flushing toilets and turning on and streaming video from Internet camera systems and unlocking doors and windows. The smart home may now include home video surveillance systems, health monitoring systems, environmental controls, home security systems and door locks, etc. all that can be remotely accessed. These systems must be protected from hackers.
What if a hacker gets into your network through an IoT device for a ransomware attack. A ransom could be demanded to get your system working again, with no assurance the cybercriminal will actually restore your access. Cybercriminals have hijacked baby monitors and spied on people using their webcams, for instance. If you own a smart home device, your privacy and security could be at stake. Security is clearly a requirement for the smart home.
Security usually isn’t a top priority for IoT device makers. Their poor security practices could include these: No system hardening, which gives a computer system various means of protection and makes it more secure. No mechanism for updating software, which can create vulnerabilities. Default or hardcoded passwords, which hackers can exploit.
Although the smart home has some security challenges, it can also create opportunities to make your house more secure. While most devices aim to make your life easier, some can also provide smart home security and protection. For instance, having a remotely controlled locking system can ensure you never need to copy keys or leave a spare key under the doormat. This can help you manage access not just for family members, but also for trusted services, such as domestic cleaners or house sitters. Checking whether doors and windows are locked becomes easier when physical inspection is no longer required, and you can simply ask your control device. When you’re not at home, security can be enhanced by being able to turn lights and hifi on and off remotely. This can give outsiders the impression that you are home, even when you’re away for a weekend or working late. Remote access to security cameras can enable you to spot potential issues, such as packages left in plain sight on your doorstep or gates that have been left open.
Smart home security requirements
The security challenge for the smart home, with its network of specialized, connected devices is different than the security challenges for enterprise networks and PC systems. Most smart home devices are fixed function devices.Once they are shipped they cannot be upgraded to add security after the fact. Smart home devices are special purpose devices, not general purpose devices like PCs or servers, and as a result require special purpose security solutions. Smart home devices may run small footprint real-time operating systems such as VxWorks or INTEGRITY and cannot run security solutions designed for Windows or Linux based systems. Once deployed, the devices cannot be upgraded to add security fixes unless the device manufacturer provides an upgrade.The end user cannot buy security software from a third party and install it on the devices. There is no one to manage security within the home.
Since the homeowner using smart home devices cannot install security software onto the device, the responsibility for security falls squarely onto the shoulders of the OEMs who build the device. The OEM plays the primary role in security. They are ultimately responsible for specifying security requirements, implementing security in the smart home devices, and testing to ensure security requirements are met. The OEM is responsible for selecting the OS and processor, and for using security protocols, secure authentication, and protection mechanisms such as an endpoint firewall.
Security for embedded devices has to be designed into the device itself. All too often, however, OEMs push off the responsibility for the security of the device to the operating system vendor. They argue that the OS is responsible for the security of the device. Or even worse, that security is not a requirement and provides no competitive advantage and can be ignored. While it is the role of the OEM to select the OS, the OS vendor (or open source community creating and maintaining the OS) is responsible for ensuring the security of the OS. Typical communication protocols and services are bundled with the OS and these often provide the main attack vectors for cyber-attacks. The OS vendor should be responsible for ensuring the security of each of the components they provide.
Chip vendors also play a key role in embedded device security. They are building processors with built-in code verification capability, physical tampering detection, and encryption engines. These tools allow OEMs to develop and deploy devices that verify they are running authentic code and detect when someone has physically opened a device. Once these events are detected, they can then shut the device down or report the event to prevent tampering.
OEMs, end users, and even RTOS companies do not always have the expertise to ensure all aspects of device security are addressed. Companies specializing in embedded device security provide expertise, tools, specialized security solutions and security audit and verification services. These companies play a critical role in embedded device security by ensuring compliance with security standards, providing education to OEMs and end users, and testing devices to ensure they are not vulnerable to cyber-attacks.
The end user is depending upon the OEM to build smart home devices and networks that are equipped with adequate security capability. However, the end user must ensure the device is deployed in a secure manner. They must properly set passwords, enable authentication and perform any other steps required for security. If history is any guide, most security breaches are caused by human error or carelessness. People are prone to using weak or default passwords, leaving the device open to attack.
When Smart Home services are provided by a network service provider, the service provider plays a key role in security. Service Providers have the resources to ensure that security is included in the network design and have enough muscle to influence OEMs to build security into their products. An OEM is much more likely to implement product requirements from a service provider purchasing thousands of devices than they are to listen to an end user buying a single device. Service providers can also ensure that devices are deployed with secure passwords and with property security settings. The network needs need to be protected as well as the specific devices and endpoints connected to the network.
In the US, California’s Senate Bill 327, states the security regulations to be followed for all devices that connect to the internet including smart home security systems. The bill requires the manufacturer of such a device to be equipped with appropriate security features, designed to prevent unauthorized access, modification, or information disclosure. The bill states that the information collected by the device should be appropriate and protected from unauthorized use. Also, if the device needs to be used outside the local area network, the user should generate a new password other than the one allotted to it by default, in order to prevent attack by hackers. This bill is proposed to be effective from January 1, 2020, in California, US.
Smart home security
Smart homes can feature either wireless or hardwired systems—or both. Wireless systems are easier to install. Putting in a wireless home automation system with features such as smart lighting, climate control, and security can cost several thousand dollars, making it very cost-friendly. Hardwired systems, on the other hand, are considered more reliable and are typically more difficult to hack. A hardwired system can increase the resale value of a home. But there is a drawback—it’s fairly expensive. Installing a luxury and hardwired smart system can cost homeowners tens of thousands of dollars.
There are several steps you can take to make sure your home security system is safe from malicious cyber intruders. For starters, replace the system’s default password with a unique one that contains a mix of letters, numbers, and symbols. If possible, change your password from time to time. Additionally, make sure your home network is secure. Check the security settings on your wireless router, and consider models that add an extra layer of software protection, like the Bitdefender Box 2.
The first step in addressing home security is to isolate your smart home network from your other networks. This is relatively easy to do by setting up guest networks for your IoT home devices. For example, your fridge could still be hacked to make it part of a botnet that sends spam or mines cryptocurrencies. However, since it occupies its own network, it won’t be able to access your emails or bank account. Using guest networks can help enhance your home network security in other ways, too; find out more about installing and using guest networks here.
However, a failure to implement or properly use security at any stage in the process can result in significant security loopholes. Secondly, ensure that the access, control and delivery devices on your network are secure. That might include smart speakers, your internet router, your computer and your smartphone. Your smartphone, if hacked or stolen, could compromise your entire home security system, so make securing it your top priority by purchasing Android security or security for iOS devices.
Router Security
Consider your Wi-Fi router the “front door” to your smart home. Like any front door, it should be solid and equipped with strong locks, in case cybercriminals come knocking. Building a more secure smart home starts with your Wi-Fi router. It’s the foundational item that connects all your connected devices and makes them operable. Most people simply use the router provided by their internet service provider, but a lot of independent companies also sell routers. Once you move to a secure router, it’s a good idea to research the smart devices you might want. Privacy and security are important.
1. Give your router a name.
Don’t stick with the name the manufacturer gave it — it might identify the make or model. Give it an unusual name not associated with you or your street address. You don’t want your router name to give away any personal identifiers.
2.Use a strong encryption method for Wi-Fi.
In your router settings, it’s a good idea to use a strong encryption method, like WPA2, when you set up Wi-Fi network access. This will help keep your network and communications secure.
3. Set up a guest network.
Security measures
Keep your Wi-Fi account private. Visitors, friends and relatives can log into a separate network that doesn’t tie into your IoT devices.
- Use the screen lock on your smartphone to ensure no one can access it in your absence.
- Ensure all your computers and smartphones are password protected. Use strong passwords that are difficult to crack, and above all, don’t use passwords that are easy to guess (like your birthday or name).
- Ensure your main computer account is not at an administrator or root level. If a hacker gets in, this will limit what they can do to your system since they won’t have administrator privileges.
- Use firewalls on any computers and on your router. Most routers have a firewall built into their hardware, but it must first be enabled by the user.
- If your existing router doesn’t offer you good security features, replace it with one that does.
- Use strong security software on your computers and smartphone to avoid installation of malware or infection by viruses. Get Kaspersky’s Anti-Virus software or go for the Total Security package that will provide an all-in-one cybersecurity solution for your smart home.
- Always run security patches and updates and keep your software up to date. Outdated software has vulnerabilities that are easy for hackers to exploit.
- You might want to manage your IoT devices through your mobile device in a coffee shop across town. It is a risk if you log on to public Wi-Fi with your laptop or phone. If you don’t need authentication to get into a network, neither do hackers. Use a VPN like Kaspersky’s VPN Secure Connection to protect your privacy and your smart home.
Once you’ve secured your networks to ensure that none of your IoT devices can access your personal data or control the network, your next step is to secure the individual devices. Some security system vendors use frequency hopping tech to prevent signal jamming, while others use embedded encryption, but neither feature is standard, so check with the manufacturer if you require an extra layer of security. In addition, keep an eye on your camera logs to see when they have been accessed. If you notice camera activity at odd hours or at times when you know that nobody is at home, it may be an indication that your system has been compromised. Finally, make sure your system software and all of your connected devices are up to date. Firmware updates often address security issues and can help protect your system from infiltration.
- Change the default passwords. Leaving a default password on a device enables anyone who owns the same device to gain access. That’s almost as bad as having no password at all.
- Changing the passwords every six months can significantly increase your security.
- If you have voice activated devices such as smart speakers, change the alert word from “OK Google” or “Hey Alexa” to something only you and your family know. That way, an intruder won’t be able to use your system.
- Before you buy a new device, make sure you have adequate information about its security protection. Find out whether the manufacturer provides regular firmware updates. Six months is a long time in the Internet of Things, and if you’re buying a device that will last a decade or more, you need to be sure you’ll be protected against emerging threats.
- Buy smart home devices from reputable suppliers like Samsung, LG, Google or Amazon.
- Examine the privacy policy on a device before you buy it. How is the manufacturer going to make use of your personal data? What data does the device have access to? If you don’t intend to use voice activation on a device, you may want to turn the microphone off so that other conversations are not picked up and transmitted.
- Remember to keep the devices updated, either using automatic updates or doing so manually. This might involve checking the manufacturer’s website to get updates and then linking the device to a computer to update it. Hackers are always coming up with new ways to compromise IoT devices. Security patches will protect you against those new threats.
- Consider which devices really need to be connected. If you don’t use the connected functionalities of your coffee maker or oven, use the device offline.
- Turn off Universal Plug & Play (UPnP). Most smart devices have this feature, which enables them to find other smart devices and connect to them automatically. However, UPnP protocols are vulnerable to outside attack, allowing a criminal to gain control of multiple devices once a single device has been hacked.
- Check the permissions for apps running on your devices. Anything that asks for permission to edit your router’s settings is a potential security threat.
- Be wary of cloud storage for devices. Since it requires a cloud connection for upload and download, outsiders could hack into that connection and gain access to your network. If you want to use cloud technology, ensure you understand the right measures to take to secure your data and privacy.
The only way to ensure smart home security is through the coordinated effort of everyone involved in the development and use of the product. Unfortunately, no one group can, by their efforts alone, ensure that a device is secure.
References and Resources also include:
