The smart home market is gaining tremendous ground because connected devices bring convenience. But malicious attackers can take advantage of IoT device vulnerabilities.
As data further entrenches itself as the currency of business, Internet of Things-connected devices have become central to the data equation. IoT devices can gather data for analysis. Data can then help trucking companies optimize routes or give health practitioners insight into a patient’s status.
Internet of Things (IoT) devices are a fast-growing sector of the Internet. As these devices ingest data for analytics, the premise is that the world around us – our vehicles, factories, hospitals, stores and workplaces – will grow smarter. But the most important place that growth has taken hold is in our homes.
According to Statista research, more than 45 million smart home devices were installed in 2018, and the annual growth rate of home automation is 22% – amounting to nearly $20 billion in the U.S. Cisco’s 2018 Visual Networking Index credits home automation for most of the 8.5 billion rise in worldwide machine-to-machine connections that is predicted by 2022. Orbis Research has estimated the 2023 worldwide smart homes market to surpass $150 billion.
What does this automation entail? A parade of practical and innovative tasks, from smart outlets to turn things on and off; scheduling dynamic thermostats; workflows that turn lights on and off to fool potential burglars; and all kinds of connections to emergency services. All that’s before we even get to digital assistants, which can help manage daily tasks through voice command, monitor the sick and elderly, and even play with children.
As populations expand and energy demands increase throughout the world, smart homes offer considerable energy efficiency, convenient automation and personalized workflow in daily living to make life more manageable. But most of all, smart homes are safer – and more secure.
Or are they?
As the number of connected devices proliferates, the increase creates additional points of access in a home network; more access means more opportunity for unwanted entry. This is true of any smart building, but it is especially worrisome in the home – where we ought to feel safest.
IoT device vulnerabilities take place through code vulnerabilities. One common way to exploit these vulnerabilities is to turn IoT devices into botnets—a network of devices with malicious software that can be controlled as a group--and can hijack a home network. In some cases, systems are locked up. In others, the network is infected with ransomware that requires the system’s owner to pay in order to regain access to the network. IoT devices can be easily targeted because they may have little or no native security software built in to guard against a malicious actor. According to some estimates, 40% of smart home appliances are being targeted by botnets and that number could increase to 75% by 2021.
It’s fair to say that the proliferation and increasing ubiquity of IoT devices has sparked a malicious attackers’ renaissance, as most IoT devices require Web access or mobile apps for manual control. This access, in turn, can subvert some IT security developments of the past decade, exposing bugs that have been dormant.
Most home IoT devices are vulnerable: locks, phones, televisions, coffee machines, individual power outlets and refrigerators.
Here are some of the more disturbing examples of malicious attacks:
An apartment freeze-out in Finland. Thermostats are particularly vulnerable IoT devices. While a typical smart thermostat is USB-secure, it can be exploited. These devices rely on firmware updates via the cloud, a situation that can allow a malicious attacker to pull firmware from one device, reverse-engineer it, send it back via HTTP and then seize control of the USB port.
Other smart home vulnerabilities can surface as well. Forbes reported an incident in Lappeenranta, Finland, in 2016 that shows just how chilling such a takedown can be. In this case, it was a distributed denial of-service (DDOS) attack on a pair of apartment buildings, with the attackers shutting down both the central heating and hot-water systems – causing them to reboot and hang in an endless loop. The temperature in Lappeenranta at the time was 20 degrees Fahrenheit. It was a balmy weekend compared with the harsh -25 of Finland’s typical winter.
The Rube Goldberg attack. A Rube Goldberg machine is a chained-together contraption that connects one machine to another, and another, and so on. This style of attack has been used to penetrate networks through cameras, which many home networks use for internal and external security.
A Wired article described one such attack, presented by IoT security firm Senrio, last year. It exploits the bug Devil’s Ivy, enabling an attacker to take control of a camera connected to the public Internet by forcing a factory reset, so that the camera surrenders its root access. A malicious attacker can then view the feed remotely (disturbing in itself, because the attacker then knows when a home is empty) and proceed to control the router to which the camera is connected (it now has the router’s IP address). After gaining control of a router, it can capture its credentials and execute commands from the router to insert new rules into the network. With these three hops, a malicious attacker can take control of a home.
Even a simple light bulb can subject a home network to vulnerability. If an attacker takes control of a smart bulb, and the bulb is connected to the home’s IoT hub, the attacker can seize control of the hub with a man-in-the-middle attack.
The holy grail in exploiting the home is capturing the hub: the control center of the myriad devices in a smart home. Capturing the hub means seizing control of locks, alarms, cameras – everything that keeps the home secure.
A hub is usually the home user’s point-of-contact; the hub that will send notifications via phone or text if something is awry, and the hub communicates with emergency services if someone is in trouble or there is a physical threat to the premises.
The great vulnerability of home IoT hubs is that the popular ones are just that: popular. Their firmware is generally published freely, and accessible by free download from a vendor website. The hub’s root account password is usually DES-encrypted by default, vulnerable to cracking by brute-force hash. With the root password, the hub is easily seized by an attacker – and with the hub comes vulnerable devices connected to it.
Worse, hubs are usually controlled the same way individual devices are: through a mobile app. The user can check on the status of all connected systems from such an app, which uses a configuration file that travels on HTTP. It also contains a serial number for the actual hub device, which can be used to grab an archive file, which, in turn, contains the hub login and password. The password is encrypted, but can be decrypted by hash decryption with publicly published tools.
Many homes now feature digital assistants, which are connected devices activated by voice commands.
The problem is that these devices are always listening – introducing new security threats.
No malware per se has surfaced from the digital assistant, no common attack has proliferated. And security experts have diligently prodded digital assistants for vulnerabilities.
Still, digital assistants can run third-party apps, and these apps can be malevolent. A technique called voice squatting, for instance, exploits the voice-based commands in digital assistants such as Alexa and Google Home. This sneaky malicious attack enables new skill markets to be registered—unintentionally and unwittingly—in a digital assistant by exploiting similarities in target skill market names. When an Alexa user tries to open a third-party service, such as a banking app, it will initiate a malicious skill instead.
Consider this example: A skill called “Capital Won” might be inserted and sound quite similar to the banking app for Capital One, thereby invoking a skill that could capture a user’s bank account login and password if these words are spoken aloud.
When vulnerabilities are discovered, manufacturers remediate them swiftly to prevent products from falling out of favor. The problem is that when a home system is cracked, it often results in a break-in; the issue is low odds of a very undesirable outcome.
And because the windows of opportunity for malicious hackers are fleeting and scattershot, diligence can make a difference in preventing smart home attacks. Here are some tactics:
The dangers of smart home attacks are serious business, and that’s not likely to change in the near term. This landscape shifts rapidly and, arguably, is less ardently tended than the IoT domains in industry and business. Like so many aspects of letting technology step more deeply into our private lives, it’s a matter of domestication, which requires patience and diligence.
Scott Robinson is an enterprise architect and AI consultant with a 25-year history in business intelligence, analytics, and content management in the healthcare and logistics industries. He is currently CIO of the GlenMill Group, a research consortium providing new AI technology and infrastructure for enterprise applications and services.