The Internet of Things is based on sensors and controls in all sorts of devices. When those types of devices are used to create a smart home, they can give residents unprecedented control and insight. The proliferation of smart devices, however, also opens the door to new dangers and threats.
According to research architect Brandon Creighton, with application security provider Veracode, "At the end of the day, you're installing a device that is really just a tiny computer." Even with something as simple as a smart light socket that you can control remotely with your phone, what makes that possible is the little computer in the switch that can talk to the Internet--which means that Internet users can talk back.
"The same technology that enables us to build these quite complex devices also creates the potential for security vulnerabilities," said Creighton. "And the vulnerabilities will inevitably be found."
A recent report from HP, the Internet of Things Security Study: Home Security Systems Report, gives some idea of the extent of the problem. According to the report, "HP reviewed 10 of the newest home security systems revealing an alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces. The intent of these systems is to provide security and remote monitoring to a home owner, but given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home."
What's a homeowner to do? While it's practically impossible to stop a determined professional hacker, there are steps you can take to at least make their task more difficult, and to discourage the simpler attacks. Think of these seven steps as the connected home equivalent of putting locks on your windows or stopping your newspaper delivery while you're on vacation.
1. Be aware of the data each device can capture
Daniel Miessler, practice principal at HP Fortify On Demand, HP's managed security testing solution, led the research behind the security study. "Understand the sensors that are at play on the device," said Miessler. "So, for example, does your TV have a camera that's facing out? Where is it facing--the entire living room? The bedroom?" Whenever you deploy something with sensors in your home, you're raising your risk of unauthorized access.
"In our recent report," Miessler continued, "the scariest thing was being able to remotely monitor homes, basically including their video cameras. Because it was security systems that we tested, 10 out of 10 had this problem--it wasn't just watching the camera, it was also knowing when you're home and when you're not." Whatever further steps you take to secure your home will rely on understanding what holes you're trying to plug; for example, by making sure any cameras are pointed only at the specific areas you're concerned about.
2. Make the most of your devices' security features
"One of the major problems is that devices are deployed with some pretty insecure defaults," says Miessler. "If you search for the device name online, you can find the user name and password that it ships with. And there's a project called Shodan that lets you enter a product name, and it will reveal everyone in the world who's running that product and if it's listening live on the Internet."
If you simply set up your devices with their default configurations, an attacker could use those two tools to find them and learn their passwords. You need to change the default passwords--and, if the device allows it, use a strong password with upper and lower case letters, numbers, and symbols. "We've seen that vendors can ship their products in an insecure configuration, but they will have built better security into the tool--you just have to go in and configure it," Miessler said.
3. Keep your networks separate
Creighton points out that "a lot of modern wireless routers allow you to set up multiple access points off the same device. It definitely couldn't hurt to have one that's dedicated for your home automation system, your TV connection--everything but your computers and or phones." Give that network a separate password, so that if someone manages to steal your network password from your laptop, they won't also get access to your connected-home devices.
Miessler agreed that network segmentation is an important step. "When you deploy any sort of technology in the home," he says, "think about what network it is on and how it relates to the other devices in the home." Consumer devices like routers, at least middle- to high-end ones, can segment multiple networks. "You can have a guest network and an internal network, and even determine which ones are wireless and which ones aren't," Miessler continues. If your router doesn't have that capability, you could also use a second router to create a separate network.
4. Hide your network
Shiyan Hu, associate professor in the Department of Electrical and Computer Engineering at Michigan Technological University, suggests something even simpler "Configure your wireless router to make it invisible," he recommends, "so that the associated Wi-Fi network cannot be found using automatic searching. Any user will need to know its name to make the connection."
This isn't a strong deterrent for skilled hackers, however. "This simple step can be easily done by everybody. Although it is not really effective to protect your network, it could at least help discourage some rookie hackers," Hu says. Creighton agrees. "There's no real way to make your network invisible," he says, "all you can do is turn off the broadcast of its name." There are tools available for viewing Wi-Fi traffic, and an attacker could find your network by using such tools.
5. Be careful about who handles your devices
Hu warns that smart device owners shouldn't let unauthorized personnel touch them, especially the devices with USB ports. "If you send high voltage to a particular port on the Google Nest," he says, "it will automatically reboot from the USB. This is kind of an intentional back door provided by Google Nest, but there are different kinds of attacks similar to this one."
Watch out for scammers who offer to fix or improve your devices, or unauthorized shops that say they can repair it. "If you bring it to people you don't know who say they can fix it for you, they could compromise it," Hu says. "I don't know if there's a hacker who's done it, but we have simulated this scenario."
6. Keep an eye on your bills
Hu says to be careful if you have a smart meter and automatic bill payment set up for your energy usage. In that case, monitor your meter readings regularly and compare them to your bill when you get it. "For example, if you rent an apartment, maybe your neighbor consumes more energy than you do," he says. "They could first rewire their own meters to reduce their readings, and then hack into your meter to increase them."
If there's a discrepancy between the total for the building reported by the meters and that recorded at the utility, they'll send someone out to check. "But if the sum of your and your neighbor's meters is the same as the actual usage, from the utility side they won't observe anything," Hu says.
7. Take standard Internet precautions
"Say you have a light switch, and you're controlling it with your phone," says Creighton. "When you push the button on your phone to turn off your lights, even though you're sitting in the same room with them, the signal may not be going directly to the device. It's probably going through the Internet."
Even if you trust the provider themselves, remember that it has all the information about when you're turning lights on or when you've set your thermostat to be cold--information that could be used to build a profile about when you're home. Be aware of the risks entailed in a compromise of that server.
Similarly, smart devices often provide a Web-based method of remote access. "If so, it's best if you only turn that functionality on when you actually need it, rather than leaving it on all the time," says Creighton. For example, you might not need to monitor your house as closely when you're at work as when you're on vacation.
Furthermore, treat your connected home system like your bank's website or other sensitive portal--don't leave the remote access open on a shared computer. "Maybe you're traveling and you left your laptop at home and you're at an Internet cafe," Creighton says. "That's not a safe place to access your bank account--or your home remote control video camera." If your remote access is on your phone, make sure your phone is secured with a password and then require a second password to log into your home-security system. Needing to log in twice is an inconvenience, but it gives you two layers of security should you lose your phone.
Once again, these aren't foolproof methods that can guarantee your connected home's security. There really aren't any. "If a professional hacker really wants to hack a smart home," says Hu, "then it would be very difficult to protect. The devices are becoming interconnected and increasingly smarter, which just means that they have more functionalities and are more vulnerable." But there are basic steps within the technological reach of the average user that can help deter the unskilled hacker.