Is your smart home as safe as you think?

(ITU, 2018)

This article is brought to you thanks to the strategic cooperation of The European Sting with the World Economic Forum.

In the 21st century, objects, as well as humans, are smart. Vendors of smart devices use sensors, networking and algorithmic data-processing on an unprecedented scale. Software and hardware are indispensable in our daily life.

Everyday objects, wearables, homes and entire cities have become more and more integrated into the Internet of Things (IoT). Yet these connected and ubiquitous systems are not always recognizable to everybody, or transparent in their behaviour. Their ubiquity leads to ever more complex systems, but this complexity is hard to secure, because even the most diligent developers make mistakes, and many vulnerabilities emerge in the interactions between different systems. Additionally, formal verification, fuzzing, debugging, four-eye-coding and other means that make software and hardware more secure and resilient have their limitations.

Furthermore, the physics of hardware and the properties of sensors have implications on hardware security that cannot be easily mitigated. Microphones are receptive to certain frequencies – which became apparent with the dolphin attack – and home assistants can be manipulated with ultrasound commands. Electromagnetic radiation, heat or noise emitted by hardware and even crypto-keys can be used to infer information about current usage. Since these issues are often not code-based issues that can be patched, many hardware vulnerabilities cannot be mitigated. Especially in the case of sensors, the sole goal of which is to transfer data from the analogue to the digital world, these inputs can be manipulated offline as well.

Despite these security issues, it is likely that computerization, datafication and connectedness will permeate the built environment. This article will address the security implications of this trend. The focus will be on smart homes and cities.

While the intelligence communities and militaries of various countries warn of cyber-attacks on critical infrastructures, such as the electrical grid, telecommunications networks or utilities, clueless homeowners and developers equip their properties with often insecure components. Nevertheless, they are not solely to blame. Cyber security is a complex topic, which is why producers, vendors and governmental entities should become more engaged in educating the public about the potential risks – as well as advantages – of smart properties and infrastructure.

Do you recognize yourself in the following examples?

As a safety-conscious homeowner, you have installed IP-cameras inside and outside your home to protect your family from burglars. Yet tech-savvy hackers or even script-kiddies could crack your home security system and use it against you. They could spy unnoticed and stake out your property, breaking in when nobody is home.

Additionally, these insecure and hijacked IoT components could be integrated into a botnet, which might then be used to attack and take down third-party servers by flooding them with traffic. So a smart fridge in the US or an IP-camera in Russia – among a myriad of globally dispersed devices – could be used by some cracker to attack a server in China or elsewhere. If not used for malicious attacks, certain components with enough processing power can be incorporated into crypto-mining botnets, while you pay the bills for the increased energy demand.

As a digitally adept parent, you decide to use a smart baby monitor with audio and video to check on your kids at night, instead of a simple audio baby monitor. Do smartness and connectedness equal more security? In the worst case scenario, not only you as parents can watch your kids, but some random person could tune into a live-stream on the internet or darknet.

This dramatic example obviously doesn’t only affect baby monitors, but all kinds of devices, including home assistants, smart mirrors and other camera or audio-equipped systems that you might use at home. Exfiltrated private audio or video data could be used for blackmail or disseminated on the internet.

As a frugal or environmentally conscious homeowner, you might decide to decrease your ecological footprint and minimize your utility bill by using smart metres, smart thermostats, smart lights or smart faucets. Besides wired systems such as KNX, there is a multitude of wireless standards for building automation such as Wi-Fi, Z-Wave, ZigBee and many others. Unfortunately, there is also a multitude of exploitable vulnerabilities in these systems and standards, which is why no system can guarantee absolute security. Due to that fact, there have already been successful attacks on home grids resulting in blackouts.

Bearing these examples in mind, it becomes obvious that successful attacks have far-reaching consequences, such as a loss of privacy, or functionality issues with the smart components within your home network. One weak link such as an unpatched or generally insecure component could be the entry point to the entire connected home system. The consequences of a virtual attack on your cyber infrastructure might have serious implications on your offline life.

Due to that fact, it is of paramount importance that everyday users, facility managers, developers and other responsible people keep an overview of the components being used. They have to know the communication standards, monitor vulnerabilities, engage in diligent patch management and cease usage as soon as a component is no longer supported. But first and foremost each decision-maker has to consider if an additional smart and connected device is truly necessary.

So if you want to profit from the advantages of smart living, you have to start to treat your property like a computer. Smart components in the IoT might differ from conventional laptops and computers with regards to their architecture, operating system, programming, memory and processing power, yet they all share commonalities in their underlying principles.

In consequence, some attack vectors and vulnerabilities within software as well as hardware might be exploited in a similar manner. It doesn’t really matter if you exploit common issues in C code on a smart device or on an ‘old-school’ desktop computer. Additionally, many components in the Internet of Things, smart or dumb, do not have adequate protection with firewalls or anti-malware, which makes them easy prey.

Users should not buy the cheapest devices, and should demand proper maintenance. Furthermore it might be a good idea to completely separate the networks of smart devices and critical devices, such as computers, home servers, network attached storage (NAS) and phones that hold critical private data.

Patching is a tremendous issue, since administrators of large smart properties or connected infrastructure cannot simply remote patch a system and reboot it after a successful update, because there might be vital systems running. Just think about critical infrastructure such as traffic lights, security systems in a prison or airport, medical devices in a hospital and others. Patching lies in the realm of the end-user.

The more systems are used, the more they have to be patched and updated. In consequence, end-users and entities alike have to cope with more complexity, which will require user-friendly solutions without causing any real-life problems. I cannot emphasise the importance of diligent patch management, security advisory monitoring and incident management enough.

Despite continuous advancements in hardware, software and networking standards, it is certain that new vulnerabilities will be discovered and exploited in future. Nevertheless, one should not simply condemn these technological developments, which would be overly binary and ignorant. Instead, one should become aware of the risks, develop mitigation strategies in case of a successful attack, diligently select quality devices, and pay attention to software and hardware maintenance, patch management and additional protection.