This is a post in the ReadWriteHome series, which explores the implications of living in connected homes.
When it comes to the connected home, it’s natural for people to assume they’ll be masters of their domestic domain. Unfortunately, some may wind up becoming victims instead. Just ask Marc Gilbert. He and his wife were shocked when a hacker took over a baby monitor in their home last August and used it to hurl profanities at their 2-year-old daughter as she slept.
This and situations like it underscore one of the biggest barriers to mainstream consumer adoption of connected or “smart” home technologies—fears over hacking.
That’s no small matter. If people’s homes are an extension of who they are, then there is no more intimate a setting than the place that shelters us and gives us respite from the world. And nothing can put a chill in our veins like the thought of being exposed or vulnerable where we live.
Who’s Watching Whom?
Once upon a time, tapping into the radio frequency of a victim’s garage door opener was considered a high-tech break-in. Now, such a hack could almost be considered quaint.
These days, strangers can take control of others’ in-home surveillance cameras, or hijack connected TVs and thermostats. There’s a definite creep factor associated with that, but that creepy feeling easily turns into a fear factor when the possible damage sinks in. Cameras can capture keystrokes for account logins and automated thermostats could reveal when homeowners tend to be present. And the trusty televisions that give us windows into fictional worlds may wind up giving outsiders a front-row view of us and our daily lives.
Consider the smart TV, for instance. With cameras, microphones, apps and the ability to browse the Internet, they’re becoming more and more like computers. And like PCs, they’re are also hackable. Users could be monitored by their own TVs or even rerouted to websites that can steal sensitive personal data. Aaron Grattafiori, principal security engineer at iSEC Partners, should know. He and colleague Josh Yavor spoke at this year’s Black Hat Security Conference in Las Vegas, regaling audiences of their successful hack into a Samsung smart TV.
Grattafiori managed to “use the TV’s web browser to compromise the front-facing camera, take over the DNS settings and inject virus-like code into other applications,” he explained via email. The issue, he explained, stems from the fact that many Samsung smart TV apps, such as Skype or Twitter, are written in Javascript or HTML5 and use Binary APIs (application programming interface), which make them open to simple attacks.
The end result? Grattafiori and Yavor easily injected their malicious code to infect the television, and Samsung patched the security hole. At least this one.
A Baby Monitor Gone Bad
To keep watch over his toddler, Marc Gilbert used a popular “IP camera” from Foscam, a Shenzhen, China—based company whose software was found to have a major security problem. During setup, Foscam used a default login for users—one featuring the classic “admin” username—but didn’t prompt people to update that to something more secure.
Changing the initial login is a top recommendation on just about every expert’s list, probably because so many people fail to do it. Indeed, any Internet-connected device left with default authentication can be especially open to hacking. And thanks to Shodan—a specialized search engine that reveals connected appliances, from home routers to traffic cameras—finding one is just a matter of conducting the right searches and reviewing results. For Foscam specifically, reports Network World, exploit hunters can also parse the *.myfoscam.org name space, where most Internet-connected Foscam cameras are listed by hostname. Such searches can yield treasures for the would-be hacker.
Security issues aren’t isolated to Foscam cameras alone. Recently IZON surveillance cameras, which are sold in Apple Stores and Best Buy outlets, have also been recently outed for security issues relating to default logins.
For its part, Foscam issued a software patch urging users to change their usernames and passwords. However, that may still not close the matter entirely. Technology users, savvy or no, often fail to update software when new versions become available.
Choosing a unique and hard-to-guess login is an important and necessary step, but it’s still no guarantee of security. In Gilbert’s case, the Houston, Texas native commented online that his “router was password protected and the firewall was enabled. The IP camera was also password protected.” Yet, whether by brute force or via a more sophisticated hack, the assailant—whose foreign accent suggests he might have been based in Europe—still managed to gain access to his device.
Leaving The Door Open
Connected home products can network in a variety of ways. Some communicate via Bluetooth, which boasts device-pairing protocols that help keep unauthorized access at bay. Others connect directly to Wi-Fi networks. Philips’ Hue lightbulbs, Dropcam cameras, Nest thermostats and fire alarms, Belkin WeMo devices and many others hook directly to routers for Internet access, so they can be easily remotely controlled or monitored via websites and mobile apps.
And others use alternate methods, like the system used in Thomas Hatley’s connected home in Oregon. Hatley’s house features an Insteon home automation system, which uses radio signals and existing wiring to communicate. But they still connect out to the Internet and, as he found out, that exposes them to attack.
He was shocked when Forbes staff writer Kashmir Hill remotely infiltrated his home and gained control of his home automation system—which manages everything from fans and lights to garage doors—from her New York location. The issue, she discovered, was that his system didn’t even default to password protection, a bare minimum security requirement.
Insteon is only one of several communication systems used in connected homes. Other popular networks feature Zigbee and Z-wave wireless protocols, so devices can talk to each as well as to an Internet-enabled hub, for remote control or off-site scheduling features.
“While a fair amount of security research has been performed on Zigbee, as it is a fairly open standard, the same cannot be said of Z-wave, which is very closed and proprietary,” says Grattafiori. Still, such protocols are considered so obscure or specialized, they aren’t considered major areas of concern. Yet.
However, as residential automation, home security and control advances and becomes more popular, that will likely change. Although home automation systems are only in roughly 3 percent of U.S. homes, it has spawned an industry worth $1.5 billion, reports Reuters, which cites analysts that predict an explosion in “smart home” products with double-digit growth before long.
No wonder hacker conferences and security researchers are digging into protocols like Zigbee and Z-wave. And, it turns out, they concluded that Belkin’s WeMo may be the easiest of the lot to hack, as its devices lack security protocols or authentication. Security researcher Behrang Fouladi, from SensePost, managed to take over a WeMo device via its operating system and succeeded in surveiling communications between the switch and the controlling iPhone.
“I don’t care if someone, for instance, tries to turn off or turn on the lights,” Fouladi told Tom’s Guide. “[But] something like a front-door lock or a motion sensor, if they are used to detect intrusion—that is critical stuff. The implication of the compromise is higher.”
See also: The Hub In Your Connected Home Could Be In Your Living Room
Staying In Good Company
Connected home companies take security extremely seriously. SmartThings reviews all of its partners’ apps and devices, to make sure they conform to its safety standards, and “handles all security testing to ensure that everything is up to their standards,” says a company spokesperson.
The company’s white paper also outlines numerous protocols—from pin codes and two-factor authentication to firewalls, data encryption and sandboxing, which keeps SmartApps from accessing local system files on the software’s residing device. It even places its SmartThings hub in a special mode for pairing with Zigbee or Z-wave-enabled devices, to keep potentially malicious devices out.
At iControl—whose technology powers connected home services for ADT Security Services, Comcast, Time Warner Cable, Cox and Rogers—the company works with vendors and partners to ensure that device development, software development, and server side management are up to snuff. It also manages the software that goes in every connected gadget. “We manage the software from a central server for every device or tablet, “ explains Jim Johnson, executive vice president. “Should we ever need to upgrade software, we can push the update automatically to the homes that have subscribed to the service.”
No doubt, security breaches are the nightmare scenario for service providers. And the reason for that is obvious. After all, the product they sell is not any particular gadget, system or technology. It’s convenience and peace of mind. In the connected home—or really any home—the former is ultimately worthless without the latter.
Feature image courtesy of Shutterstock. Samsung smart TV, Foscam camera, Lockitron deadbolt device and Belkin WeMo Baby courtesy of respective companies. Burglar illustration, courtesy of Flickr user elhombredenegro.
