When “Smart Homes” Are Stupid: How to Protect Yourself from Hackers
Report finds alarming loopholes in home automation systems
It can be fun to use your smartphone to play with your home automation system and turn the lights on, heat the house and peek inside to see what your kids are doing.
The problem is, cybercriminals may be doing the same thing.
As it turns out, these systems offer hackers, burglars and identity thieves an easy cyber-highway into your home, your computers and your data. This is the dark side of the so-called Internet of Things (IoT to you geeks out there), and security experts say it’s a growing threat.
Early last year, IOActive, Inc., a global information security service, reported that Belkin WeMo home automation devices — used by half a million people nationwide — could be hacked into with astonishing ease. Belkin says the vulnerabilities have since been corrected.
At the time, IOActive found “multiple vulnerabilities” in the WeMo devices that gave hackers the ability to take over internal home networks and advised users to unplug all devices from those products.
“Once an attacker has established a connection to a WeMo device within a victim’s network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage,” IOActive noted in a news release.
Equally disturbing, potential thieves could figure out if the home was empty by monitoring the motion sensors. After attackers compromised the WeMo home automation devices, IOActive noted, they could also remotely turn attached appliances such as stoves or thermostats on and off at any time — and even start a home fire.
The day that IOActive released its advisory, Belkin WeMo issued a statement saying it had fixed each of the vulnerabilities noted.
Invading your home from afar
Home automation systems and devices make up a booming market — $6.5 billion a year and rising fast, according to BCC Research, a market research firm. Using wireless transmitters and embedded sensors, these technologies enable users to monitor and control their home appliances and devices with a few clicks on their smartphones, tablets or computers.
Almost anything can be connected these days: Bluetooth-enabled toothbrushes can record your brush strokes and send them to your dentist. Nanny-cams provide peace of mind by recording interactions of your child and babysitter. You can water your plants, open your front door to receive a package, and turn on and off your home security system — all from across the city or even across the world.
This is convenient for users, but it makes things easier for cyberthieves. Like other home automation systems, WeMo uses Wi-Fi and the mobile Internet to control home devices anywhere in the world directly from the user’s smartphone.
One of the problems IOActive identified in the Belkin WeMo may also affect the systems of other manufacturers: its devices weren’t validating Secure Sockets Layer (SSL) certificates, the credentials a server presents to prove it is who it claims to be. For this reason, attackers could use any SSL certificate to impersonate Belkin’s cloud services and invade its system.
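To show what “not validating certificates” means in practice, here is an added example (not Belkin’s or IOActive’s code): a stand-in “cloud service” serving HTTPS with a self-signed certificate, contacted by a client that skips validation, a client with normal validation, and a client that pins the vendor’s own certificate. The impostor server and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeCloud stands in for a look-alike "cloud service" presenting a
// self-signed certificate that no trusted authority issued (constructed).
func newFakeCloud() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "impostor")
	}))
}

// fetch performs one GET with the given TLS settings and reports whether the
// client accepted the connection and what the server answered.
func fetch(url string, cfg *tls.Config) (body string, ok bool) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err.Error(), false // handshake refused: certificate not trusted
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return string(b), true
}

// WeakConfig mirrors the flaw described above: any certificate is accepted.
func WeakConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// DefaultConfig (nil) validates the chain against the system trust store.
func DefaultConfig() *tls.Config { return nil }

// PinnedConfig trusts only the certificate shipped with the device, so a
// cloud endpoint must present exactly the vendor's certificate.
func PinnedConfig(vendorCert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(vendorCert)
	return &tls.Config{RootCAs: pool}
}

func main() {
	fake := newFakeCloud()
	defer fake.Close()
	_, weak := fetch(fake.URL, WeakConfig())
	_, strict := fetch(fake.URL, DefaultConfig())
	fmt.Println("client without validation accepts impostor:", weak)  // true
	fmt.Println("validating client accepts impostor:", strict)        // false
}
```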
Since Belkin WeMo’s communication system was also based on a protocol (VoIP) used to bypass firewalls and other protections, it had compromised the security of all its devices by creating “a virtual WeMo darknet” in which a hacker could connect to its devices directly — and, by figuring out its “secret number,” control them, according to IOActive.
Belkin says these problems were among those fixed and urges all affected users to download the latest app from the Apple or Google Play stores and use it to upgrade the WeMo firmware.
Home automation loopholes “alarmingly” widespread
Other companies have had similar security problems. In 2013 a reporter for Forbes found that not only did the home automation company Insteon fail to require passwords by default, it had made its home automation systems crawlable (meaning that users’ IP addresses and other personal information showed up in public search results).
To demonstrate how easy it was to do a cyber break-in, the Forbes reporter contacted a couple of Insteon users and stunned them by turning their lights on and off.
Just how widespread are these security problems? Take a look at a recent report from analysts at Hewlett Packard Security Research, which assessed ten of the most popular interconnected TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, device-control hubs, door locks, home alarms, scales, and garage-door openers to gauge their vulnerability to attack. The 2014 report found the vulnerabilities “alarmingly widespread”:
- 80 percent of home automation devices failed to require passwords that were sufficiently long and complex.
- 70 percent failed to encrypt communications sent to the Internet and local networks.
- 90 percent of devices collected at least one piece of personal information via the device, the cloud or its mobile app.
- 70 percent of devices, along with their cloud and mobile apps, enable an attacker to identify valid accounts through such features as password reset.
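The last finding, account identification through password reset, comes from an endpoint that answers differently for known and unknown addresses. The following added example (not from the HP report or any vendor) shows a leaky handler beside one whose response is identical either way, with a small constructed account store and a recorder harness to compare the two responses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed sample account store for the demonstration.
var knownAccounts = map[string]bool{"owner@example.com": true}

// sentMail records which addresses a reset mail was queued for.
var sentMail []string

func queueResetMail(email string) { sentMail = append(sentMail, email) }

// WeakReset leaks whether an account exists: status and body differ.
func WeakReset(w http.ResponseWriter, r *http.Request) {
	email := r.FormValue("email")
	if !knownAccounts[email] {
		http.Error(w, "no account with that email", http.StatusNotFound)
		return
	}
	queueResetMail(email)
	fmt.Fprint(w, "reset email sent")
}

// UniformReset answers the same way for every address; mail is only queued
// for real accounts, so the response reveals nothing about the store.
func UniformReset(w http.ResponseWriter, r *http.Request) {
	email := r.FormValue("email")
	if knownAccounts[email] {
		queueResetMail(email)
	}
	fmt.Fprint(w, "if that address is registered, a reset email has been sent")
}

// respond submits one reset form to a handler and returns the status code
// and body, the two things visible to whoever sent the request.
func respond(h http.HandlerFunc, email string) (int, string) {
	form := url.Values{"email": {email}}
	req := httptest.NewRequest(http.MethodPost, "/reset", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(respond(WeakReset, "nobody@example.com"))    // 404 no account with that email
	fmt.Println(respond(UniformReset, "nobody@example.com")) // 200 if that address is registered, ...
}
```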
“While these devices have made life easier, they've also created new attack vectors for hackers,” the report found.
“The moment you connect anything to the Internet, it fundamentally changes the threat you face,” says Christopher Budd, global threat communications manager at Trend Micro Inc., a developer of security software for businesses and consumers. “In the rush to be first, a lot of manufacturers are not engaging in much careful forethought” about ways to maximize security and reduce vulnerabilities.
With remote-controlled security systems, two threat scenarios jump out, Budd said. First, someone could hack into your alarm system and gain full control over it. Second, someone could steal your phone and force you to deactivate your alarm or give up your password.
“Then they use your app, disable your alarm and follow up a strong-arm robbery with a home invasion,” Budd said.
Budd, who worked for 10 years as a security response manager for Microsoft, said he’d be more apt to trust Internet of Things devices made by technology companies like his former employer or Google than consumer manufacturers.
Budd’s biggest advice is to use common sense, and to carefully consider the benefits and risks of each device. “Do you really need a connected toothbrush uploading information to your dentist’s office?” he asks.
If you are going to use wired devices, Budd says, think long and hard about the potential vulnerabilities and consult with a security expert who can help you anticipate potential hazards.
Other experts recommend that before you buy a system, find out if its signals are encrypted. Look for that in the contract, along with a section on tamper resistance and jamming detection. And avoid used cameras, which can be employed to spy on you remotely.
“The biggest security problems,” Budd says, “ultimately trace back to ‘Oh, I hadn’t thought about that.’”