Privacy, vulnerability and reliability are the three main issues almost every connected device currently on the market faces, yet consumers are still choosing to automate their homes at an incredible rate.
Currently we are seeing a huge growth in products and systems designed to improve and transform the way we live our lives inside of our homes. Demand for these devices is becoming something that we have never seen before as they become incorporated and standardized in the home of the future. Statistics forecast that the global smart home market will grow to around 40.9 Billion in 2020[i] with an estimated 12.86 Billion devices used in the consumer segment[ii]. Should these devices or their supporting networks in the future fail, the consequences could be serious. At the moment we are already seeing these devices targeted for the purpose of launching denial-of-service attacks, mining for cryptocurrencies, click fraud and data theft.
The problem is that IoT devices and digital technologies continue to evolve at incredible rates, but manufacturers are failing to produce secure and reliable products. Every day there is a story in the news about how these emerging technologies are abused by cyber criminals and the risks these devices present, yet everyone is still adopting this emerging technology at a rapid rate. So we have to ask ourselves the question, why do we continue to automate our homes with connected devices?
Why are people automating their homes?
Many people automate features in their houses because it solves a need, can be more efficient, helps contribute to life improvements and creates an intelligent ecosystem. Some home buyers are even looking to purchase more connected homes or are looking for homes in an area that provides faster internet connections. Another issue is presented when purchasing a house in the future with smart home equipment already baked in. This results in the possibility of hand-me-down vulnerabilities in anything from entertainment systems and lighting to security products and home appliances. In the same fashion that you would inspect the siding of a house before buying it, the same should be done for the devices installed in a connected home.
The top three reasons why a homeowner chooses to incorporate connected devices tend to side with user experience, energy efficiency or home security. But at the same time most users write off the posed security risk due to novelty or disruptiveness of the technology. In short, users want something that will understand their identity, emotions and social life with limited impact and ease of use.
Risk involved with automation
Given the growth in the threat landscape by connecting everything to the internet, architects, designers and owners of connected homes are presented with three core issues: Privacy, vulnerability, and reliability. These issues are often overlooked because the users and those recommending the products do not understand how the technology works or the risks that they expose the user to. They typically have explicit trust for the company making the devices, assuming nothing can go wrong.
So what are the risks of living a better, more efficient life through a smart house? Data security, privacy and service availability. In a recent blog by Mike O’Malley, he highlighted seven of the craziest IoT device hacks. These attacks included Cayla, an interactive doll, an aquarium thermometer, a thermostat, a smart TV and a baby monitor, all of which when compromised allowed the hackers to access features such as cameras and microphones, access data or even adjust environmental controls.
Devices like these are also used to propagate malware, mine for cryptocurrencies and launch denial-of-service attacks. When these IoT devices launch DoS attacks, their bandwidth can be used to target large organizations such as ISPs and hosting providers. When these companies experience outages it can result in a domino effect, causing millions of smart homes to be left in the dark and unable to use home appliances, like turning on a light bulb.
Not only is your data at risk in the cloud but depending on how a device is configured, it might rely on a cloud infrastructure to operate. In 2017 we had a glimpse into what this might be like in the future when Amazon’s S3 cloud-based storage service went down. Over 100,000 websites went offline, resulting in apps and devices like Nest going down with it.
IoT devices like a smart light bulb are often paired with a cloud network so that the owners can control their house remotely. To switch on a device, the user makes a call via a hub or an app that then sends a request to the cloud network. The cloud network then responds back with a signal to the light bulb to turn on. If the cloud service is offline, so is your connected device. We also saw this in March 2018 when SmartThings experienced an outage that resulted in U.S. users being unable to log into their app and control their connected devices.
In the future as users become more dependent on connected devices, when outages do occur homeowners will be faced with the loss of basic functionalities in their house. Without a manual fallback, homeowners will be left in the dark.
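The dependency chain described above (device, vendor cloud, upstream hosting or storage provider) can be audited before an outage happens. The following Python code is an added example, not part of the original article; the inventory, service names and status labels are constructed for illustration.

```python
# Constructed inventory: every name below is illustrative, not a real product.
# DEPENDS_ON maps a service to the upstream services it needs in order to run.
DEPENDS_ON = {
    "vendor-a-cloud": ["object-storage"],
    "vendor-b-cloud": ["hosting-provider"],
    "object-storage": [],
    "hosting-provider": [],
}

DEVICES = [
    {"name": "hall-light", "service": "vendor-a-cloud",
     "local_control": False, "manual_fallback": True},
    {"name": "thermostat", "service": "vendor-a-cloud",
     "local_control": True, "manual_fallback": True},
    {"name": "front-door-lock", "service": "vendor-b-cloud",
     "local_control": False, "manual_fallback": False},
    {"name": "garage-camera", "service": None,  # records locally, no cloud
     "local_control": True, "manual_fallback": False},
]

def failed_services(down, depends_on):
    """Return every service that is unavailable once `down` fails (domino effect)."""
    failed = set(down)
    changed = True
    while changed:
        changed = False
        for service, upstream in depends_on.items():
            if service not in failed and any(u in failed for u in upstream):
                failed.add(service)
                changed = True
    return failed

def outage_impact(devices, depends_on, down):
    """Classify each device by what still works while `down` is offline."""
    failed = failed_services(down, depends_on)
    report = {}
    for dev in devices:
        if dev["service"] is None or dev["service"] not in failed:
            report[dev["name"]] = "unaffected"
        elif dev["local_control"]:
            report[dev["name"]] = "lan-only"      # remote control lost
        elif dev["manual_fallback"]:
            report[dev["name"]] = "manual-only"   # physical switch still works
        else:
            report[dev["name"]] = "unusable"      # no fallback at all
    return report

if __name__ == "__main__":
    for name, status in outage_impact(DEVICES, DEPENDS_ON, {"object-storage"}).items():
        print(f"{name}: {status}")
```

Devices that come back as "unusable" for any single upstream failure are the ones to question before purchase or installation.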
Like always, hackers go for the lowest hanging fruit, and there appears to be plenty of it to go around at the rate manufacturers are shipping vulnerable products.
Concerns about security and privacy with internet-connected devices should be an important conversation that begins with the manufacturers. Shipping over-privileged devices with weak credentials is one thing, but when they refuse to respond to researchers’ concerns and fail to produce patches for vulnerabilities, they should be held accountable. In fact, researchers from the University of California, Berkeley School of Information suggest that the Mirai attack cost each device $13.50 in bandwidth and energy[iii].
When it comes to privacy, some of these devices being incorporated into smart homes have pairing and discovery protocols that can be abused and forced to leak information about your device and possibly your personal habits. “Remote Home Vulnerabilities” will allow an attacker remote access to internal devices so they can spy on you in an attempt to gain access to personal data or disrupt your environment. With devices continuously recording audio and video while collecting data on the users, it will attract more hackers to invade your privacy. From studying your physical security and device logs for habits, they can successfully hack accounts, allowing adversarial remote control of the network and local devices.
What architects, designers and consumers can do
What new design concepts are needed to address these emerging technologies and risks presented by the ever-connected smart home? It’s not about informing everyone that everything can be hacked. It’s about creating awareness and helping others understand the risks involved with modern technology. It’s about helping the builders and designers understand the technological solutions required by their clients and how to implement them correctly, so they too can educate the user on how to maintain their system safely and securely.
Consumers need to be aware of their devices’ remote and local environment, and how their data is collected and stored. They also need to be aware of how their personal devices and appliances can be affected by outages outside of their control, like a DDoS attack on a cloud environment or something as simple as a power outage.
Finally, we as a community need to put pressure on the manufacturers to produce secure devices with clear plans on how to patch and mitigate future vulnerabilities. Manufacturers also have to begin working together to insure user data and integrate it in a crowded environment of smart links and physical devices, ultimately preventing remote access. They need to focus on usability so that maintenance is simple and user-friendly with baked-in security features.
If architects, designers and owners are more aware and have a basic understanding about the devices and protocols they have incorporated into their smart homes, they will be better prepared to analyze the risks that are presented in these environments. They will also better understand how to minimize the possible impact of an affected system or device in the future by asking the right questions and purchasing devices from a manufacturer that is competent enough to maintain their service.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.