Smart home security: It’s on you, people

• People are the weak link, but they now need to step up because of the IoT
• Some basic measures can be put in place for home users and companies

 
WITH the proliferation of IoT (Internet of Things) devices in homes and buildings, ordinary folk are going to have to take responsibility for their own cybersecurity and not just depend on technical experts.
 
While the cybersecurity industry grapples with the implications and steps necessary to secure smart buildings, including smart homes, the average person has a role to play, argued Anthony Lim, vice-chair of the Application Security Council of the International Information System Security Certification Consortium (isc2.org).
 
“Cyber-savviness is not just for technical experts to own – we ourselves can learn, be aware, and take personal precautions,” Lim told Digital News Asia (DNA) via email.
 
“In any security system, often ‘people’ tend to be the weakest link, and it is up to us to avoid becoming that weakest link – in our workplaces and in our communities,” he added.
 
IoT devices lurk everywhere now, from Internet Protocol (IP) cameras to motion sensors, due in part to the increasingly lower price of these devices. But that very same drive to lower cost is also exposing people to more threats, Lim cautioned.
 
“In order to keep the products affordable, [vendors] will use public-domain and open-source service, network and software components, focusing their resources on the hardware to make these devices more reliable and hardy, for example, for outdoor use.
 
“In the process, you can imagine that sometimes network and cybersecurity features will be minimal, seen as secondary, or even absent altogether,” he said.
 
Corporate and consumer concerns
 

 
Equipment for professional use is not being spared either, since cost can play an even more important role for businesses.
 
“Imagine if the mandate is that [corporate] pictures or videos need to be encrypted – it means that within the camera, there has to be an extra computing chip, device or system to encrypt the data before it gets sent,” Lim said.
 
“This will increase the cost of such camera models, and some over-zealous or under-budgeted department will just purchase the models with no encryption built in,” he added.
 
The lack of strategic coordination when companies – or even consumers – install new solutions is another weak point, especially since such solutions are usually supplied by different vendors at different times.
 
“There is hence a lack of ‘strategic coordination’ between suppliers and installations, and solving one problem may create another as they connect new devices to and access the same home or office Internet gateway and network at different times,” said Lim.
 
All this provides hackers with low-hanging fruit.
 
“Hackers are on the lookout for inexpensive devices that use minimum security protocols or public-domain software libraries, or haphazardly installed devices, to try and get through,” Lim said.
 
“In America, there have already been cases of hackers trying to get into a network through ‘nondescript’ or ‘unsuspecting’ new devices such as smart garage-door-remote controls, home WLAN (wireless local area network) cameras, and even baby monitors,” he added.
 
Businesses are also vulnerable to such attacks, Lim noted, citing the high profile Target breach.
 
“In the infamous Target case, which caused top executives there to resign, it was found that hackers got into the corporate network through the smart building air-conditioning management system.
 
“The system uses an IP network connected to the corporate LAN (local area network), thus giving the hackers an entry-point that bypassed the firewalls that guard the office network, allowing them to steal millions of customers’ credit card data,” he said.
 
In the Target case, the people who installed the corporate computer network and those who installed the smart building management system had no knowledge of, and did not coordinate, with the other party.
 
Physical and IT security converging
 
Citing the case of Google Australia’s smart office building breach in 2013, Lim cautioned that hackers can also breach the security of an actual brick-and-mortar building rather than just steal data.
 
In the 2013 case, US researchers Billy Rios and Terry McCorkle from security firm Cylance found vulnerabilities at the Google office in Sydney.
 
“They [the security researchers] were able to view the blueprints of the building and the water pipes within the system,” Lim said.
 
“If they wanted to, they could have even clicked buttons labelled ‘active overrides,’ ‘active alarms’, ‘schedule’ and more,” he added.
 
Today’s hyper-connected world does not just involve devices and people, but buildings too.
 
“The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions has resulted in a plethora of web-enabled technologies,” Lim said. 
 
“Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid,” he added.
 
Yet for all the convenience and benefits of connecting a building, few consider the security needs and implications.
 
“Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and create safety risks.
 
“Web-connected, weakly protected building management systems could also provide a new way for malicious attackers to break into enterprise business systems that are on the same network,” he added.
 
For ordinary people, a device that sits in almost every living room is giving hackers a window of opportunity into our homes, Lim warned.
 
“Today’s smart TVs are quite inexpensive and allow us to do many things apart from watching our favourite TV shows – we can surf, Skype or watch YouTube videos,” he said.
 
“But there have been cases of hackers getting into the home network either by attacking through the smart TV or manipulating the smart TV for mischievous purposes,” he added.
 

 
Some connected devices can even threaten the physical safety of the home – they can be trawled by search engines, meaning they show up on searches, because the device vendors do not implement usernames and passwords by default.
 
“In a now-discontinued product, for example, one can click on the links and turn people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets,” Lim warned.
 
This lack of an authentication requirement has very real implications for homeowners beyond just someone gaining access to an IP camera.
 
“Even without a public-facing website, a vulnerability like this means that anyone who figures out how to identify the addresses of vulnerable systems – as happened with another brand of home cameras – can gain get access to and control of people’s homes,” Lim said.
 
In one example of that, “sensitive information was revealed – not just what appliances and devices people had, but their timezone (along with the closest major city to their home), IP addresses and even the name of a child – apparently, the parents wanted the ability to pull the plug on his television from afar,” he added.
 
Citing a report by Forbes, Lim said that the information provided online was enough to link some houses to a real-world location.
 
While there has been a distinct lack of coverage on attacks on smart buildings, with news out on the Google and Target building attack methodologies, “you can imagine that many other hackers will start trying to attack smart buildings via the maintenance systems and hoping to score,” he said.
 
Steps to take
 
Without going so far as to live off the grid, Lim argued that everyone can take steps to protect themselves, starting with an awareness of the common mistakes most people make.
 
With most smart home systems, the owner or contractor was probably more interested in getting the system up and running, often at a ‘comfortable’ price tag, and with a ‘it won’t happen to me’ attitude.
 
Many people think they have nothing of value or interest to hackers, but Lim said that 70%-90% of hacker attacks are random and opportunistic.
 
“The hacker does not know who the victim is but will try anyway, hoping to get in easily and hoping to get some nice data to sell, use, or abuse,” he said.
 
“And speaking of the weakest link – imagine a hacker gets into the home network of a high-ranking executive through one of these new devices, gets on to the work laptop of that person, and steals some sensitive corporate data from it.
 
“That will compromise not only the person but his company as well.
 
“It’s quite clear that most people, including company executives, as well as building managers, owners and operators, need to be more aware of such threats arising from the smart building fever,” he added.
 
But as more reports on such breaches and vulnerabilities proliferate, Lim expects organisations to respond in some manner.
 
“We expect organisations to become more aware and concerned, to put in proper security policies and to educate their staff about proper practices and incident escalation and response procedures, so as to contain, alert and minimise any breach,” he said.
 
And “just like any and all other security practices and issues, people need to be willing to invest in more robust systems and products,” he added.
 
Vendors and manufacturers too are helping to make the home network more secure. For example, home WLAN modems today come with sophisticated passwords by default – the technology was always there, but users would not turn on the option or would not use strong passwords, according to Lim.
 
Having basic security in place would help discourage opportunistic attacks as well. These basic measures include authentication, encryption, a segmented sub-network, turn-off functions or just disconnecting devices when not in use.
 
“These would be enough to deter some hackers, who will not waste their time and instead seek another target,” Lim said.
 
Also, “when visitors or service staff come to the house and want to use your WLAN, type the password in for them, don’t just give it to them,” he added.
 
Businesses offering free WiFi to customers should also look to providing a network separate from the corporate one, Lim stressed.
 
“For organisations like restaurants or customer-service lounges which provide WLAN for their customers or visitors, it’s best to have this as a separate line from their corporate LAN and not interconnect them,” he said.
 
Related Stories:
 
Cutting the wire: IoT security Part I
 
Navigating the new world: IoT security Part II
 
Invaders in the airspace: The problem with IoT security
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.