The Information is Out There. Don’t Make Yourself a Target. Smart Homes & Cybersecurity
Is a smart home a safe home? It’s an essential question, and one that’s asked far too infrequently. Our domiciles have evolved into hubs of connectivity and they are surprisingly vulnerable to cybercriminals. In the conversation below, our experts—Sam Rehman, Chief Information Security Officer & SVP; Vanja Subotic, Principal Consultant, CIO Advisory & Technology Consulting; and Daniel Hesselbarth, Principal Business Consultant—put the cybersecurity issues around smart homes on the metaphoric table and respond to them, and each other, with real insight and practical advice. The conversation has been edited for length and clarity.
Daniel Hesselbarth (DH)
The increasing number of devices in the home is a huge topic for telecom operators and ISPs. Many systems integrate digital devices and gadgets to improve the experience. They want to increase comfort for their customers (with, say, lightning systems), or strengthen physical security (with, say, cameras or burglar alarms). What's your take on this development from a security point of view?
Vanja Subotic (VS)
First, it's important to say that smart homes do offer many conveniences, like an increased level of safety and being able to monitor your home remotely. You get connected appliances that can save energy and you can shave your energy bills by anywhere from 10 to 30%. Your smart home can also help save on insurance, like getting a discount because you have an anti-theft system. It really can improve your quality of life.
For both ISPs and telecom operators, smart homes provide an easy extension of their existing consumer services. Their routers, gateways and home-base stations act as hubs for various smart home devices. Many telecom operators offer kits, with preintegrated sensors, that are pre-configured to work. Hopefully security's taken care of. Some of them offer professional installations and monitoring. The problem with security is that any connected device could become compromised, so now the more devices that you have—and not only the ones that the telecom operators provide but the customers’ own devices—the more you’re increasing the number of those attack vectors that could come into the home.
Whether it's part of their offering or not, telecoms should ensure that they provide adequate security and educate consumers along the way.
Sam Rehman (SR)
Yes, home automation is convenient. It allows us to connect things that we couldn't connect before. There are three major elements involved here.
Number one: Everybody's adding a lot more devices, so there are far more interesting things for attackers to get into and far more value for them to start stealing.
Number two: It connects to the physical world. So, if attackers want to do something bad in the physical world, instead of just running a digital transaction, this gives them the opportunity.
Number three: CPU time. One of the most valuable things now is CPU time, which is how much you can actually harness a whole bunch of machines. If you look at the Hajime attack a few years ago, and if you look at the Mirai attack, everybody's trying to figure out a way to use distributed computing to generate load and generate it in a distributed fashion, so it'd be hard to trace back to a single point of failure for the attackers.
The Hajime attack that took down the East Coast several years ago used BusyBox. They took over home cameras in BusyBox for load generation and used that as a DDoS source, timing them all toward an attack. Whenever it's possible to generate load, whenever there is CPU time, bad guys can do brute force cracking with load generation.
We've seen more and more of these distributed attacks using home automation devices. There is, in fact, a huge debate around whether the homeowner would be liable or not for this type of attack. If they don't perform the necessary security tasks, they’re almost welcoming other people to use their home network to attack other people. Should they be liable or not?
That's really interesting—that liability point. So, when you don't lock your car, you're partly liable if someone steals it.
Why do you think cybersecurity is relevant in the smart home, and with a single customer? And what are the technical attack vectors in the connected home?
The goal of the smart home is to automate certain tasks so we don't have to think about them, but this is precisely what makes them easy targets. Our smart home can become compromised even before we have noticed it’s happened.
Anything you can think of in the home can be connected these days. With multiple devices, smart homes tend to use different connectivity. They're often from different manufacturers with different levels of security and, when you put them together, the overall level of security becomes that of the weakest link. That's problematic. Lots of data is being collected and transported to some cloud—maybe multiple clouds—that may or may not be properly secured, so your data could be leaked at any time. Similarly, some argue that many manufacturers and tech giants that provide these smart home devices and services are also collecting your data, so there may be some privacy concerns. Usually, these smart homes are dependent on networks like WiFi, which can go down and malfunction for any reason—which can then compromise your security and safety. There are many things, Daniel, that consumers could worry about. It’s unclear whether they need to worry about them on an everyday basis, but at least they need to be aware that these things can happen.
I want to ask you both a question: Would it be okay if I followed you around for a week and listened to all your conversations?
Well, if it was you, Sam, I’d trust you.
Thank you very much, and you shouldn't trust me—trust me. [Laughter.]
Many years ago, when Xbox first came out with the Xbox 360 with a Kinect, I did a challenge with a friend of mine. I put a piece of code in his Xbox. It was friendly, just to prove a point, but within a week’s time, just from his conversations, I figured out the last four digits of his Social
Security Number, his birthday, the first names of most of his friends that he talked to, simply from the connection to his Xbox.
We tend to always think, “Okay we gotta be careful about the network and what we text and what we email.” That's what lawyers tells us: “Be careful what you put in a document.” But voice works at a whole different level. The reason I mention it is because voice and home automation are tightly coupled these days. While I love it as a user and as an engineer, I hate it as a security expert. So, I think voice has a big connection here. That's issue number one: presence.
Issue number two, just mentioned before, is whether you’re in or you’re out. You don't need personally identifiable information (PII) to identify a person. You need behavior at three points of location to uniquely identify a person these days. If I can get your GPS location and I know you always go to a particular Starbucks, then you go to a certain location, then you come back to a third location—if I can see that consistent data across the board—I pretty much know who you are. I can narrow it down to a few people, most likely it's going to be down for you. That probability is there now.
Point is: This information is out there; don't make yourself a target.
It's important to take your home network seriously. Your home network is a hub. It's really a way back into your life. So, be careful. Do the right thing. Change your passwords, as often as possible, when given a chance. You should also use two-factor authentication on your phone. And when you set up your functionality, do a little bit of research and see if the extra steps suggested would be valuable to take. I'm not saying adopt whatever latest technology comes along, but there is such a thing as good security posture. And if you’re not sure, ask an expert for help. But don't just slap it together and assume it's going to be okay. That’s like leaving your key stuck in the front door.
People should also stay on top of software updates. If you're not updating, then you're not getting the necessary security patches. You're going to be very delayed in terms of protecting your devices. The more devices you have, the more burdensome this becomes, but it's another important thing. At least update your router, if nothing else.
One of the biggest dangers for both medical devices and vehicles is the issue of unpatched systems in older devices. There’s a reason to upgrade to new hardware and, as you said, Vanja, it's important to upgrade your patches. The chief issue for medical devices and vehicles is that people keep their devices for a long time. You can only expect the manufacturers to continue fixing security issues for a device that makes them money. When they stop making money from it, it's natural that they stop making patches. Sadly, I still see people running devices that are unsupported. That's a cue for us to say, “Maybe put in a few more dollars and buy new devices because that will make it much harder for the attacker.”
Do you see similar security considerations in smart buildings, smart vehicles or smart cities?
Smart homes, smart buildings, vehicles and cities all have the potential to increase conveniences and improve quality of life but, as with smart homes, they too can be compromised and result in great harm when they're improperly managed and secured. Now, these are not usually do-it-yourself systems, so that increases the general level of confidence. The negative side of things is the scale. The potential to do damage here is much larger, especially when it comes to the number of lives affected.
Smart buildings are similar to smart homes if you consider each unit individually, but if the smart building solutions are leveraged to optimize the building as a whole—like an HVAC or utility system—then the compromise to the overarching system could affect all the residents. The scale could be much higher.
Smart vehicles? They can be compromised by exploiting vulnerabilities in the communication stack or the in-vehicle network. Somebody can take control of a vehicle. Compromised firmware is another way that could lead to devastating effects if you take control of the vehicle and, say, cause an accident that involves multiple people and vehicles.
Finally, smart cities, which cover things like mobility, public safety, resilience and many others. If any of these are compromised, it can result in major loss of property and human life. I'm thinking of the very recent example that took place close to Tampa just before the Super Bowl, where a water-treatment plant was targeted and hackers tried to remotely raise chemical levels in the water to unsafe levels. This was prevented before it had a devastating effect, but it could have endangered many lives.
The case Vanja just mentioned is proof that security by layering makes perfect sense. If they didn't have a physical layer on top of double-checking what the chemical layer levels were—and I remember reading about a third and fourth layer of checks—something bad would have happened. So, it's a good example to look at and say, “We shouldn't view cybersecurity as a standalone thing anymore.”
Any kind of home automation should include both physical security and cybersecurity controls. Meaning, in this case, people actually look it up and say, “No, that's not acceptable—turn it off” or make a judgment call. This is why layering is so critical. We have to extend the concept of layering beyond just digital; we have to have physical layers as well.
So, the danger is out there. My call to action is strong: please, please, please, please, please do this. Use layers by employing having digital and physical security. There's no replacement for it.