March 17, 2014 — CSO — As our world becomes increasingly connected via the Internet, it only seems logical that the interconnectivity would eventually permeate our homes. "Smart devices" like alarm systems, locks, thermostats, and more that can be controlled over the Internet are gradually gaining visibility and creating legions of "smart homes." For all the technological advancements, however, it would appear that our houses are simultaneously becoming more vulnerable.
"Everything can be hacked," said Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force. "Here's the big picture: With Target...they're not saying it with certainty, but supposedly the way the hackers got into their network was through the HVAC network. That's a similar situation with us with our home solutions and our IoT [Internet of Things] environment."
Each of these connections, explained Irvine, is a potential risk for hackers to get into your internal network. Once they get into your network and place some sort of virus or even just a sniffer, they can see what's going on and everything becomes hackable. And when he says "everything," he means everything.
"Home security systems, thermostat controls, lock controls, opening and closing the garage, the lights, info on the fire alarms...basically anything that is there can now be controlled via a Wi-Fi network," he said. "In a home environment, the average person doesn't even have a password on their cell phone, which they're going to be connecting to their home systems. It's just not going to happen."
Craig Heffner, a vulnerability researcher at Tactical Network Solutions, expressed similar concern about how much potential smart devices have to be a vulnerable attack surface.
"Anything that connects to the outside internet or listens for outside connections would be of concern," said Heffner. "There are a lot of devices where you can connect to them remotely. You have to consider wireless — in other words, using your wireless network on its own and it's not secured. Then, someone would just have to be near your home and wouldn't even need a physical address." He went on to add that obviously if users properly secured their wireless networks, they would be safe from such attacks, but many people either don't do that or don't know how.
How attackers can actually gain access to your network via these smart devices can vary. One common scenario, however, would be is that if one of the devices was programmed to listen for connection and an attacker did a scan for devices that were doing exactly that. Even if the device is an innocuous one, like a temperature sensor, an attacker can hack into and use it as a "pivot point" once inside. In other words, they can use that device to bounce around and gain access to more important things. The simple solution, said Heffner, is to not make these devices publicly accessible.
"Use reflection. I'm going to keep [these devices] in my network and not configure them to be remotely accessible," he said. "If you browse for a website [on a computer that is connected to the same network], attackers can use your web browser to send requests to devices in your network, since a lot of htem have web-based configurations. If it's not secure or there's a vulnerability, that's a problem.
"When they exploit it, they would run code that calls back to them; a server they have control of," he added. "And that gives them remote access."
One would think that given the threat that these devices pose for the networks to which they are connected, vendors would release them with included security measures. Unfortunately, it appears they don't come equipped with much beyond a request for credentials.
"[Smart devices] usually have something built in; most devices, whatever admin access they have, will typically be at least password protected," said Heffner. "But there are a couple of problems there. A lot of people don't consider all of the scenarios." What little security measures these devices have are not necessarily mandatory to implement; users could, for example, not even bother setting a password. Heffner added that there are also ways for attackers to bypass the login process at some point in the code before the device checks credentials.
"So even if you have configured a secure password, you're not necessarily safe," he said. "Security is not taken that seriously as it is with things like PCs with Windows."
Irvine added that not only is an ID and password typically the extent of the security measures, they're not even that strong given that passwords often don't even need to be complex.
"It's easy these days to proxy and masquerade as a web device," he said. "You could be a rogue web server, for instance, that these devices would then report to, nullifying the need for a user ID and password."
Even if a user is diligent enough to make the most out of the security measures at hand, there's no way to secure what you don't know is vulnerable, Heffner pointed out.
"If there's a vulnerability in a device, most consumers will never hear about it," he said. "Most vendors will just ignore a vulnerability and never patch it at all. It's hard to protect against unknown vulnerabilities."
With so many vulnerabilities, both in the products themselves and as a result of poor user awareness, Irvine and Heffner seemed concerned about attack rates increasing alongside adoption rates. Irvine seemed particularly concerned with the lack of awareness surrounding the vulnerabilities of smart homes. "I think the security [of these devices] won't improve until there is a major issue," he said. "As the adoption rates increase, so will the attacks. The same thing happened with mobile devices.
Heffner said that with other targets like PCs becoming better protected, attackers are more likely to target newer devices that users haven't properly learned how to secure yet, thereby making them more attractive targets.
"I think an increase in attacks along with adoption rates is pretty inevitable and we're already seeing that," he said. "You're already seeing large exploits targeting things like home routers. Things like that are only going to increase as the number of targets increase and as attackers realize how critical these devices are."
Despite the potential for creating vulnerabilities in one's network by using smart devices in a home setting, both Heffner and Irvine believe that as long as users are responsible, they can be implemented in a safe and secure manner.
"I think there's a lot of work to be done, but it comes back to your threat model," said Heffner. "If your network is reasonably secure and you keep these devices on your network, they're relatively secure even if there's a vulnerability in them. So yes, there are certainly steps users can take to make sure any vulnerabilities are mitigated."
Irvine also argued that the security of the devices, at least as the situation stands now, falls squarely on the shoulders of the users. Without proper care, people can – and do – fall prey to these kinds of attacks.
"There are secure ways to implement home automation systems, [but] I don't believe any of those are being done," said Irvine. "Rather than having your home automation systems on the same Wi-Fi as your PCs and smartphones, I would want a completely different segment that had no direct access to the rest of my internet. There are ways to do that."
So if it's up to the user to secure such an enticing attack vector, how can they go about doing that and avoid having their entire networks infiltrated?
"First and foremost is creating user IDs for each account," said Irvine. "Don't use the same email address or user ID for everything, or at least use different information for different categories. In other words, don't use your bank ID for your home automation, as well as Facebook." The same goes for passwords, he said, which should not only be different, but also complex (alphanumeric, upper and lower case letters, etc.).
Some of Irvine's other device was equally simple, like keeping both systems and anti-virus updated at all times. "When Microsoft says there's a patch, install it," he said. "These companies have found vulnerabilities in their systems, so they get updated.
Finally, for the especially cautious, he suggested taking a somewhat more complicated approach. "If you are connecting to any type of home automation system that allows remote access, do it across a VPN," said Irvine. "Make sure the vendor allows for a totally encrypted connection. That should keep you more secure than the average person."
Network segmentation was another key strategy that Irvine proposed. Keeping the devices from communicating with each other and the rest of the home network is one way to insulate them from outside threats.
"I would segment my alarm systems from my home automation systems," Irvine said as an example. "If someone gets into my AC, I don't want them to be able to turn off my alarm. Users can create segmented networks or VPNs and make these devices unable to communicate with each other. You can also have your router set up so there is a VLAN on the inside and it only allows these network segments to communicate to those other networks through a VPN."
Heffner was on the same page, suggesting measures that ranged from the simple to the slightly more technical. For one, he said, users should refrain from making their smart devices openly accessible by any remote users. "The device usually has an option to set specific devices or IP addresses that can access it remotely," he said.
As for mobile devices that are linked to smart devices via some sort of mobile app, Heffner said that it falls on the software developers to keep them up to snuff. The user's responsibility lies in being aware of what exactly they're installing on their phones or tablets.
"Most [mobile apps] will auto update themselves when they're available," he said. "But whether you're using a mobile device or not, be careful of what programs you install. Android users should be especially careful. It will go a long way towards keeping people off your network."
Read more about data protection in CSOonline's Data Protection section.