If you follow Internet and computer security news at all, then it should come as no surprise that many smart home systems are poorly conceived or configured and leave the homes in which they are installed exposed to a slew of serious security vulnerabilities.
At the risk of insulting your intelligence, smart homes are exactly what you think they are (think smart phones, smart TVs, smart cars, etc): homes in which appliances, heating and cooling systems, lighting, smoke detectors, and/or door locks all connect to the home network, and ultimately the Internet, along with computers, phones and tablets, and all other comparatively traditional Internet-able devices. Such systems let users remotely monitor and manipulate systems in their homes.
Researchers have been poking holes in smart security systems and Internet-connected door locks and smoke detectors (and everything else with an Internet connection) for as long as I’ve been paying attention. Most recently, our friends at AV-Test.org tested the security posture of seven separate smart home kits, finding that four of those kits were insecure.
Seven is of course a fairly small and perhaps not statistically significant or representative sample size. Regardless, the devices found to be vulnerable in this study could be exploited by internal—and, in some cases, external—attacks targeting either the home network and the machines connected to it or the home itself and the things inside of it.
AV-Test analyzed iConnect from eSaver, tapHome from EUROiSTYLE, Gigaset’s Elements, iComfort from REV Ritter, RWE’s Smart Home, QIVICON from Deutsche Telekom, and XAVAX MAX! from Hama. Among these, AV-Test found that just the Gigaset, RWE, and QIVICON sets were well-defended against hacking and unauthorized access. The iComfort and tapHome kits contained locally exploitable vulnerabilities, meaning the attacker would need to be in the home to exploit the bugs. More seriously, the iComfort and XAVAX MAX! sets could be exploited remotely (as well as locally).
Each product offers a different set of features. On the whole, these are control systems for electricity, heating, and security; monitoring system for windows, doors, and rooms; control systems for switched sockets; And switch systems light, heating, and electricity.
Broadly speaking, an attacker could manipulate connected systems in order to cause damage to them (turning the heat off and causing pipes to burst in winter).
Therefore, the most likely attacks would be those that use weaknesses in these systems as access points to eventually obtain valuable data stored on the home network.
However, most criminal hackers are after money. Therefore, the most likely attacks would be those that use weaknesses in these systems as access points to eventually obtain valuable data stored on the home network. It’s also possible that the insecure devices could be compromised in order to perform surveillance on a potential, physical robbery target. A knowledgeable attacker could even unlock doors, making such a robbery even easier. AV-Test notes that the potential for ransomware spreading among the various connected devices could be tempting to an attacker as well. It would be hard not to pay the ransom if your entire house just stopped working.
AV-Test focused on whether communication among devices was encrypted, whether or not the kits required active authentication by default (Web or physical access passwords), and their susceptibility to remote attacks.
Communications to and from Gigaset, RWE, and QIVICON products are always encrypted and deemed secure by AV-Test. iConnects encrypts its communications as well, but AV-Test claims their encryption can be easily bypassed. The remaining products observed in the study—iComfort, tapHome and XAVAX MAX!—fail to use encryption at all.
This failure to deploy any encryption means that all smart home communication can be easily intercepted. An attacker could therefore monitor all communication to and from these devices, spoofing codes to manipulate their actions or even just monitoring them to make deductions about when inhabitants are home or away.
The iComfort product requires no authentication whatsoever, meaning a remote attacker could launch Web-based attacks against the system. iConnect and XAVAX MAX! systems require authentication for Web access but not for local, physical access. tapHome requires an authentication internally, but as the study notes, this measure is largely irrelevant considering the product’s lack of encryption. The Gigaset Elements, RWE Smart Home and QIVICON all required authentication for physical and Web access (in addition to communicating securely).
Here’s the good news: AV-Test believes that, if the makers of these products take the time to develop a solid security concept instead of rushing their wares to market, then it is very possible to create secure smart home systems. Here’s the other good news: if you’re thinking of buying one of these systems, AV-Test is telling you what to look for: systems that always require authentication and which always encrypt their communications.