​ENISA: This is how smart home tech should be secured, but isn't

What ever you do as a consumer, don’t listen to anyone that says smart home security isn't needed, a European security agency has warned.

Surveys have shown that many people don’t bother setting up a passcode to protect data on their smartphones, but at least it’s possible to do.

The smart or connected home is emerging in the wake of junk traffic attacks on websites and file-encrypting ransomware on desktop computers becoming the new norm.

Yet a wave of smart things for the connected home lack any capacity for basic security and the EU Agency for Network and Information Security (ENISA) is worried that threats to smart home environments are underestimated.

Chief among ENISA’s concern is how easy it is to collect private data from individuals via smart devices that have poor or no security. That's compounded by a not-so-smart industry that insists few attackers have an incentive to target individuals and that consumers aren’t willing to pay a premium for a properly secured smart device.

ENISA says in a new report “Security and resilience for Smart Home Environments" that “when attacks are almost trivial to perform, attackers do not need many incentives”.


Security thinker Bruce Schneier has previously said that consumers will always buy the cheaper smart thing for the home because they don’t have the knowledge to make an informed decision. ENISA broadly agrees with Schneier’s assessment — consumers aren’t aware of what private data can be leaked or how easy it is for an attacker to obtain and that’s why they tend to choose cheaper devices over a more expensive secure one. In other words, they choose cheap because of a lack of information.

One of the problems ENISA identifies is the variety of security capabilities in different classes of smart devices, ranging from cheap sensors to smart thermostats, lightbulbs and smart TVs. It warns that attackers will go after the easiest to hack device and chain-up to richer sources of data, exploiting connectivity, say, between lightbulbs and the smart home gateway.

Read more: National cybersecurity capability needs decades of “fresh thinking” on skills, private-sector partnerships: ACCS

Analyst firm Gartner has forecast that the typical connected home will have upwards of 500 smart devices by 2022, and expects the number of smart homes to climb from around 200 million today to 700 million by 2020.

ENISA’s report provides a sobering reminder that securing the smart home won’t be an easy task but steers clear of scare tactics to raise awareness.

To help industry, government agencies and consumers understand what needs to be done, ENISA has classified Internet of Things (IoT) devices for the home based on their security capabilities with a list of recommended actions for each class of device, from product development stage, integration with the home area network, and how users to should manage a device until its end of life.

At the lowest end are “Class 0” devices like cheap sensors, which have less than 10 KB RAM and less than 100 KB ROM, and likely can’t support real defences. Then come “Class 1” items like smart bulbs and smart locks, which also probably aren’t using strong security protocols, followed by Class 2 devices such as smart thermostats that have the capacity — for example, 50 KB RAM, 250 KB ROM — to implement most standard security protocols. Finally, “high capacity devices” like smart hubs and smart TVs may include dedicated security hardware.

A key recommendation for IoT vendors is to consider third-party review by security specialists for product developers who have limited security experience. It also urges vendors to prototype a device’s user interface to ensure it can support users when they have security issues, and to go beyond set-up wizards and alarms to incorporate easily used sign-up procedures and the capacity for ongoing communications by email or SMS. That advice could was applicable to Foscam, a baby monitor manufacturer that, after fixing an issue in 2013 that remote hackers had exploited, lacked the means to alert and direct consumers to the patch.

Other advice for vendors included avoiding propriety cryptographic schemes and to hire cryptography experts, as well as managing cryptographic keys securely, and providing a secure configuration by default, such as ensuring a remote service will use HTTPS by default.

As for end-user security, ENISA notes that the “end-user must be informed of the support period of the device and of the end of support for security fixes” and that vendors should create a policy for handling vulnerability disclosures.

A lesson that Fiat Chrysler learned the hard way when it recalled 1.4 Jeep Cherokee vehicles — after researchers demonstrated a remote hack earlier this year — was that it would have been wise to enable over the air updates. ENISA notes that in the event over-the-air updates are not available, vendors should plan for product recalls.

ENISA's advice for Europe’s policy makers is to clarify liability for vendors in the event a compromised device fails, particularly where it involves safety, such as a smoke detector. It also urged policy makers to clearly state how long companies should be liable for fixing known vulnerabilities as well as any liability for companies for not disclosing and not fixing vulnerabilities.

Security ALERT!

Need help making the right choice for you business? Need to update your system but don't know where to start? CSO can help, check out our security hub today.

Gigamon Transform Security Zone

Read more: ​Adobe tells web developers to quit Flash, hacker's favourite target

Join the CSO newsletter!

Error: Please check your email address.

Tags file-encrypting ransomwaresmart home security​ENISAInternet of Things (IoT)smartphonesprivate databruce schneiersecurity agencyCSO AustraliaEU Agency for Network and Information Security (ENISA)

More about CherokeeClassCSOEUGartnerGigamonResilienceSmart

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place