Save our smart homes
From PCs and phones and connected cars, we’ve learnt one immutable fact: if you can remotely access something, sooner or later somebody will try to hack it. One of our favourite examples involves the Satis smart toilets in Japan, whose Bluetooth connections could be hijacked in order to harass and soak their occupants.
We laughed, but then we thought: what if that were our toilet, and we were the ones getting soaked?
Say hello to the downside of smart home technology.
But it turns out that some of the people with the power to attack your intelligent, connected abode are the very people standing at the gateway, finding the exploits before those with bad intentions ever breach the fortress walls – they’re the hackers protecting your smart home.
Hacks are already here
You might think this problem isn’t something to worry about now, but smart home hacking isn’t a future threat.
In 2013, Trustwave found that two leading US home automation systems – MIOS and the Insteon Hub – had vulnerabilities that could enable covert surveillance, unlock doors and potentially cause serious harm to the home’s occupants.
Later the same year Black Hat hackers demonstrated successful hacks on smart home locks, smart home power outlets, smart home hubs and even smart home toys.
Hacking the Internet of Things has become a regular feature of hacking events: at DEF CON 2015 hackers found 25 previously unknown vulnerabilities in Internet of Things devices, enabling them to fiddle with smart scales, compromise an internet fridge, and take control of cameras, thermostats and baby monitors.
The following year it was Nest’s turn, with a 15-second hack turning the thermostat into a secret spy and providing a backdoor into the home network.
That exploit required physical access to the device, but would you know what to look for if you were buying a Nest from eBay or a third-party Amazon seller?
“There’s much more to smart home security than what a device might reveal about itself, and thus about you,” says Paul Ducklin, senior technologist at IT security company Sophos. “That issue is bad enough if the device is a webcam, or a baby monitor, or a vehicle tracker, of course, but it’s far from the sum of all risks.
“There’s also what the device might reveal about your network, like the iKettle that was hackable not to boil water when you didn’t expect it, but to give up your Wi-Fi password and thus let a budding cybercrook inside your whole network.”
Then there’s the security of the obligatory smartphone app, and of the data your devices collect. Could somebody access your smart home system or your personal data by hacking the provider’s website?
How to hack a smart home
Ollie Whitehouse is technical director at cybersecurity experts NCC Group. “As our homes become highly connected there are various risks introduced from insecure ‘smart’ products,” he told techradar.
“Attackers can disable intruder alarms, turn smart TV’s into snooping devices or simply use the smart devices to access other systems on your home network. Unfortunately, what begins as a bit of fun or mischief can be turned into something more serious.”
As Whitehouse points out, most smart home systems connect to a cloud-based portal that’s rather hard to compromise, but the local network is a much softer target.
“It would be relatively easy to imagine malware distributed by traditional means, for example email, phishing and compromised websites, which then exploits vulnerable local smart technology.
“We have already seen the emergence of exploits for ‘smart’ devices destined for the home which are usable by technically-savvy people,” he adds.
The electronic equivalent of a burglar checking whether doors and windows are locked is a would-be hacker testing your home Wi-Fi.
“Wi-Fi is the first port of call for a local attack,” Whitehouse explains. “If attackers can gain access to that they can essentially attack all devices, or at least all devices connected to that hub.”
And you don’t only need to worry about someone accessing your Wi-Fi. Signal jammers can block transmissions from remote controls, keys or apps, rendering them useless, or the signals can be cloned – something that car thieves have been doing to the remotes of expensive cars for a few years now.
NCC Group has hacked all kinds of things, including routers, hubs, smart TVs and connected Blu-Ray players, and it’s often very easy to do.
“The methodology employed is similar to that used against enterprises,” Whitehouse says. Hackers might scan wireless signals looking for weak security, or they might try to con users into handing over login details.
Once they’re in, they’ve got the keys to the whole smart home. “It’s often trivial to deny service or compromise further devices,” adds Whitehouse.
You don’t even need to be a skilled hacker to do it. There’s already a smart home equivalent of the script kiddie, someone using off-the-shelf tools to carry out hacks. Paul Ducklin says one such tool, called Shodan, “has been all some researchers have needed so far”.
One common criticism of smart home technology is that security isn’t always taken seriously enough by manufacturers, who either use insecure platforms or don’t implement security properly.
That opens the door for tools such as EZ-Wave, which can penetrate Z-Wave home networks. Z-Wave is a low-power wireless connection for smart home devices such as smart bulbs, and EZ-Wave can destroy those bulbs by turning them on and off at high speed until they fail.
The tool’s creators, Joseph Hall and Ben Ramsey, note that it’s also possible to disable door or window alarms, and turn off thermostats in freezing weather to cause burst pipes.
Their tool isn’t designed for such acts – they point out that EZ-Wave itself is just a scanning tool – but the tool does include everything you might need to exploit Z-Wave devices that don’t use encryption.
Z-Wave does include encryption that makes tools such as EZ-Wave ineffective – unfortunately some manufacturers didn’t bother to use it.
As Ramsey and Hall told the SchmooCon security conference in January 2016: “Support encryption already! Make it the default; let me decide if I don’t want my stuff secure.”
Z-Wave Alliance Executive Director Mitchell Klein said in a statement that while the company offered AES encryption across all products, “many vendors have chosen to implement security only on access devices and gateways and hubs, and not on the other devices for the home”.
Going forward, Z-Wave said it will make such security measures mandatory on everything.
“Secure products cost more to develop, and vendors in the consumer space are working on razor-thin margins,” Whitehouse says. He gives the example of a digital door lock: because the manufacturer cut corners on security, NCC was able to hack it and unlock it with ease. “Consumers of these products aren’t in a position to assess their security credentials,” he adds.
Hackers are, though. Z-Wave wants to create a genuinely hack-proof platform, and to do that it’s hired hackers to test the security measures in its S2 security framework, which is due for launch in summer 2016 and which will be available for existing Z-Wave devices.
Raoul Wijgergangs is vice president of Z-Wave at its parent, Sigma Designs. “We involved hackers and external security experts in the creation and review of the security specification,” he told techradar.
“The team wanted many outside sources to look over our shoulders, so that we have fresh eyes looking at potential breaches and loopholes so we could address anything possible.”
Z-Wave is also “actively planning” hackathons, where hackers are given carte blanche to try and break security, later this year.
But not everyone reckons that hiring hackers is the right approach. “It’s like insisting that the best firemen must have been pyromaniacs or arsonists in their youth,” Sophos’s Paul Ducklin says.
“Being a cybercrook simply doesn’t give you the skill and discipline needed to do high-quality, legal, scientific, repeatable and duly-authorised scientific research.”
That’s true, but as events such as DEF CON demonstrate every year, hackers are awfully good at finding vulnerabilities that others have missed.
Lock up your routers
The smart among us wouldn’t dream of letting a Windows PC connect to the internet without some kind of security software – but many might not think the same about securing a light switch because, well, it’s a light switch.
As Ollie Whitehouse says, “consumers will adopt the technology because of the features and benefits they bring, often without thinking about the security implications, and some OEMs take security more seriously than others”.
Paul Ducklin agrees. “It seems to be more about the vendor than the platform,” he explains, noting that while he’s a huge fan of the smart home – “it’s really cool,” he says – “security often takes second or third place in household devices built down to a price, so why take the risk?”
For Ducklin, it’s about striking the right balance between risk and reward; the usefulness of the device versus its potential downsides.
And it may take a few high-profile hacks to make OEMs – and us, their customers – pay attention.
As Raoul Wijgergangs notes, “The media and high-profile efforts to hack devices will increase the profile, and force manufacturers and standards bodies to pay attention.” Right now, “not everyone is ready to commit to an effort to overhaul their platforms”.
Ollie Whitehouse agrees. “We can and should expect exploits en masse as we have with traditional IT, mobile, industry control systems and connected cars,” he says.
“Vendors have to be economically incentivised to invest in security, but for the most part today there is little or no penalty in terms of sales or regulation.”
That’ll change, because it has to – not just for the people investing in smart home tech right now, but for the millions of people the manufacturers hope to reach in the future. Smart home technology needs to be useful, reliable, safe and secure. If it isn’t, then it isn’t very smart at all.