Your browser version is outdated. We recommend that you update your browser to the latest version.

SIGN UP to our free eNewsletter

Fields marked with * are required.

DEFSECmedia

DEFSEC Media is New Zealand's defence, security and fire B2B/B2G publishing group. Our leading magazines, Line of DefenceNZ Security and Fire NZ are read by key business, government and military decision makers and influencers. This website is the online home of cutting-edge content from each of our titles.

Innovation Central

Automation & Electronics

Itron

The Internet of Things and the hackable home

NZ Security, June/July 2017

Are cyber vulnerabilities putting smart home technology adoption at risk?Are cyber vulnerabilities putting smart home technology adoption at risk?

 

The smart home is taking off, but connecting your espresso machine to the internet is not without its risks. In an age where cyberattacks on power stations can cause power blackouts across cities, are homes at risk of becoming a new target of cybercrime?

 

Massive growth in the Internet of Things (IoT) and cloud computing has expanded the possibilities of the smart home, but this growth is also making smart home technology a bigger target for cyber threats. Vulnerability to attack remains the single biggest threat to the otherwise inevitable adoption of IoT technology by homeowners.

In a survey released last January by insurance company HSB in the US, 81 percent of consumers said they have a Wi-Fi or other home data network, and 38 percent of these had smart televisions, music systems, thermostats, security cameras, door locks, alarms, lighting, home automation and other smart devices connected to the internet. And this is just the start.

According to US Senator Sen Mark Warner, co-founder of the US Senate Cybersecurity Caucus, “We're going to go from 12 billion devices we currently have, to over 30 billion devices by 2020, all interconnected. That's going to add to the ease of our life but if all these devices are easily hacked into it could mean we could have a whole new host of security concerns.”

 

Inviting the cyber thieves in

Cyberattacks on smart home appliances and services are so far thankfully not so common, but that’s changing. “Cyber criminals are always looking for new targets,” said Timothy Zeilman, a VP at HSB. According to Zeilman, home devices like smart TVs and appliances are often designed for easy use and not security. “Compounding the problem, many consumers don’t take even basic measures such as changing default passwords and updating security software.”

“The rise of ransomware, for example, means hackers are looking at all your connected devices, such as targeting your smart TV or fridge, and demanding money to unlock it,” wrote Colin James, Vodafone NZ’s Head of Security, in Connect Smart’s 2017 Cyber Security Trends.

According to the HSB survey, the most common type of non-physical damage experienced through attacks on home devices, appliances and systems were viruses or other unwanted software on their systems (59 percent) and damage to software or operating systems (45 percent). Damage to home devices in a cyberattack usually results in a financial loss, with 87 percent of the victims spending money to respond, and 42 percent spending between US$1,000 and $5,000.

 

Enjoying this article? Consider a subscription to the print edition of NZ Security Magazine.

 

Just how vulnerable?

Last year, cybersecurity researchers at the University of Michigan were able to able to hack into a widely-available smart home automation system and successfully open electronic locks, change system pre-sets and remotely trigger a false fire alarm.

Their "lock-pick malware app" was one of four attacks that the cybersecurity researchers leveled at an experimental set-up of Samsung's SmartThings, a top-selling Internet of Things platform for consumers.

SmartThings' app store, where third-party developers can contribute SmartApps that run in the platform's cloud and let users customize functions, holds more than 500 apps

One common problem is that the platform grants its SmartApps too much access to devices and to the messages those devices generate – over-privileging.

Earlence Fernandes, the University of Michigan project lead, noted in The Conversation that the MyQ garage system can be turned into a surveillance tool, alerting would-be thieves when a garage door opened and then closed, and allowing them to remotely open it again after the residents had left. MyQ Garage – among other deficiencies – did not protect against replay attacks, which enable man-in-the-middle attacks to capture traffic and play it back.

More recently, at a two-day hackathon sponsored by MIT, more than 150 hackers were tasked with exploiting weaknesses in more than 20 different smart home systems and devices. On day-one alone, hackers were successful in taking control of 25 percent of the devices in less than three hours.

In 2015, researchers at cybersecurity consulting firm Rapid7 evaluated nine separate models of baby monitors for security risk and found that only one was adequately secure from a potential cyberattack.

The list of identified vulnerabilities increases by the day, and when looked at as part of a bigger picture, there’s more than just your home at stake.

The world saw the critical consequences that can result from failures in connected systems in December 2015 when the Ukrainian power grid was crippled by cyberattack. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to 80,000 end consumers.

An IoT that is not adequately protected from attack is a big deal – even when considered just within the context of smart homes. Imagine, for example, the implications of a city of smart homes all tripling their energy consumption in an instant, or locking their inhabitants out of their houses all at the same time?

Against the backdrop of the Ukraine power grid hack, the US Secretary of Homeland Security Jeh Johnson has identified the securing of the IoT as a matter of homeland security. “Our nation cannot afford a generation of IoT devices deployed with little consideration for security,” states a Department of Homeland Security (DHS) report. “The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy.”

 

Addressing the threat

Department of Homeland Security (DHS) issued its set of Strategic Principles for Securing the Internet of Things (IoT), Version 1.0 in November 2016. The principles, designed for developers, manufacturers, service providers and industrial and business level consumers are aimed at initiating longer-term collaboration between government and industry.

The principles focus on: (i) incorporating security at the design phase; (ii) advancing security updates and vulnerability management; (iii) building on proven security practices; (iv) prioritising security based on potential impacts; (v) promoting transparency across the IoT ecosystem; and (vi) connecting carefully and deliberately. And although they’re geared towards more industrial and commercial IoT, these principles are just as relevant for the smart home:

 

1. Incorporate Security at the Design Phase

InternetNZ’s report, The Internet of Things in New Zealand: a discussion starter, puts it succinctly: “IoT manufacturers need to ship secure products rather than racing to be first to market, or this problem will only get worse.”

Products and services must be secure across design, development, promotion and maintenance stages, and throughout the entire supply chain. Hardware should incorporate security features to strengthen the protection and integrity of the device. For example, computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.

The DHS recommends that security by default be enabled through unique, hard to crack default user names and passwords. User names and passwords for devices supplied by the manufacturer are often never changed by the user and are easily cracked, leaving systems vulnerable to Botnets, which continuously scan for IoT devices that are protected by known factory default user names and passwords.

 

2. Advance Security Updates and Vulnerability Management

Consider ways in which to secure the device over network connections or through automated means, says the DHS. “Ideally, patches would be applied automatically and leverage cryptographic integrity and authenticity protections to more quickly address vulnerabilities.”

In the context of the smart home, security updates are all the more important considering the operational life of appliances, many of which operate well beyond the lifespans we tend to associate with computers and computing devices. Additionally, routers more than a few years old should be replaced, and software updates completed without delay.

 

3. Build on Proven Security Practices

The DHS observes that many tested practices used in traditional IT and network security can be applied to IoT as they can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption. “Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.”

 

4. Prioritise Security Measures According to Potential Impact

Risk models differ substantially across the IoT ecosystem. For example, industrial consumers such as nuclear reactor owners and operators will have different considerations than a retail consumer. Know a device’s intended use and environment, where possible, states the DHS, as this awareness helps developers and manufacturers consider the security measures that may be necessary.

The same logic applies to the smart home. As Michigan University’s Fernandes explains, “I wouldn’t mind giving smart home technologies remote access to my window shades or desk lamps. But I would be wary of staking my safety on remotely controlled door locks, fire alarms, and ovens, as these are security- and safety-critical devices.”

 

5. Promote Transparency across IoT

Because developers and manufacturers rely on outside sources for low-cost, easily accessible software and hardware solutions, they may not be able to accurately assess the level of security built into component parts of their network-connected devices. The DHS recommends the conduct of end-to-end risk assessments that account for both internal and third party vendor risks, where possible.

And while we’re talking about transparency, it’s important also to consider the end user. According to CONTEXT’s Smart Home Cyber Security Manifesto, “All smart home devices and services must be accessible and understandable for all users, regardless of technical prowess – The end-user should never be blamed for a security vulnerability that arises in the installation or the running of a product or service.”

 

6. Connect Carefully and Deliberately

IoT consumers, particularly in the industrial context, should consider whether continuous connectivity is needed “given the use of the IoT device and the risks associated with its disruption.”

It makes good sense to disconnect devices from the internet when they’re not in use or if there’s no need for that level of networking. Additionally, many devices only need to connect to other devices on a specific home network and don’t require full access to the world wide web.

 

New Zealand is also starting to take IoT seriously at a national level. In its Building a Digital Nation report published in March 2017, the Government announced the establishment of a New Zealand IoT Alliance. Envisaged as a collaboration of industry and government, the Alliance is tasked with working towards accelerating the adoption of IoT technologies for the economic and social benefit of New Zealand.

The Internet of Things has been described by many as a ‘third industrial revolution’. For New Zealand, that revolution is only just getting started, and it will be played out in an ever-increasing number of smart homes across the country. Good security will ensure that smart homes become a shining result of the revolution… rather than one of its battlegrounds.

 

 Back to Cyber Security

Follow us...

We recommend on YouTube...