What ever you do as a consumer, don’t listen to anyone that says smart home security isn't needed, a European security agency has warned.
Surveys have shown that many people don’t bother setting up a passcode to protect data on their smartphones, but at least it’s possible to do.
The smart or connected home is emerging in the wake of junk traffic attacks on websites and file-encrypting ransomware on desktop computers becoming the new norm.
Yet a wave of smart things for the connected home lack any capacity for basic security and the EU Agency for Network and Information Security (ENISA) is worried that threats to smart home environments are underestimated.
Chief among ENISA’s concern is how easy it is to collect private data from individuals via smart devices that have poor or no security. That's compounded by a not-so-smart industry that insists few attackers have an incentive to target individuals and that consumers aren’t willing to pay a premium for a properly secured smart device.
ENISA says in a new report “Security and resilience for Smart Home Environments" that “when attacks are almost trivial to perform, attackers do not need many incentives”.
Security thinker Bruce Schneier has previously said that consumers will always buy the cheaper smart thing for the home because they don’t have the knowledge to make an informed decision. ENISA broadly agrees with Schneier’s assessment — consumers aren’t aware of what private data can be leaked or how easy it is for an attacker to obtain and that’s why they tend to choose cheaper devices over a more expensive secure one. In other words, they choose cheap because of a lack of information.
One of the problems ENISA identifies is the variety of security capabilities in different classes of smart devices, ranging from cheap sensors to smart thermostats, lightbulbs and smart TVs. It warns that attackers will go after the easiest to hack device and chain-up to richer sources of data, exploiting connectivity, say, between lightbulbs and the smart home gateway.
Analyst firm Gartner has forecast that the typical connected home will have upwards of 500 smart devices by 2022, and expects the number of smart homes to climb from around 200 million today to 700 million by 2020.
ENISA’s report provides a sobering reminder that securing the smart home won’t be an easy task but steers clear of scare tactics to raise awareness.
To help industry, government agencies and consumers understand what needs to be done, ENISA has classified Internet of Things (IoT) devices for the home based on their security capabilities with a list of recommended actions for each class of device, from product development stage, integration with the home area network, and how users to should manage a device until its end of life.
At the lowest end are “Class 0” devices like cheap sensors, which have less than 10 KB RAM and less than 100 KB ROM, and likely can’t support real defences. Then come “Class 1” items like smart bulbs and smart locks, which also probably aren’t using strong security protocols, followed by Class 2 devices such as smart thermostats that have the capacity — for example, 50 KB RAM, 250 KB ROM — to implement most standard security protocols. Finally, “high capacity devices” like smart hubs and smart TVs may include dedicated security hardware.
A key recommendation for IoT vendors is to consider third-party review by security specialists for product developers who have limited security experience. It also urges vendors to prototype a device’s user interface to ensure it can support users when they have security issues, and to go beyond set-up wizards and alarms to incorporate easily used sign-up procedures and the capacity for ongoing communications by email or SMS. That advice could was applicable to Foscam, a baby monitor manufacturer that, after fixing an issue in 2013 that remote hackers had exploited, lacked the means to alert and direct consumers to the patch.
Other advice for vendors included avoiding propriety cryptographic schemes and to hire cryptography experts, as well as managing cryptographic keys securely, and providing a secure configuration by default, such as ensuring a remote service will use HTTPS by default.
As for end-user security, ENISA notes that the “end-user must be informed of the support period of the device and of the end of support for security fixes” and that vendors should create a policy for handling vulnerability disclosures.
A lesson that Fiat Chrysler learned the hard way when it recalled 1.4 Jeep Cherokee vehicles — after researchers demonstrated a remote hack earlier this year — was that it would have been wise to enable over the air updates. ENISA notes that in the event over-the-air updates are not available, vendors should plan for product recalls.
ENISA's advice for Europe’s policy makers is to clarify liability for vendors in the event a compromised device fails, particularly where it involves safety, such as a smoke detector. It also urged policy makers to clearly state how long companies should be liable for fixing known vulnerabilities as well as any liability for companies for not disclosing and not fixing vulnerabilities.
Need help making the right choice for you business? Need to update your system but don't know where to start? CSO can help, check out our security hub today.