Unsecured smart home systems leave homeowners, enterprises vulnerable

Experts offer advice on how to keep these systems on a separate network and what safeguards need to be in place

The proliferation of connected home devices has opened up a wealth of opportunities for alarm dealers who can offer customers the ability to remotely access and control things, such as lights and thermostats, by integrating them into their home security system. For the first time in decades, there is the real potential for increasing market penetration rates for residential alarm systems from between 18 and 22 percent to well over 30 percent by some calculations. It is the main reason why big cable and telecommunications firms like Comcast and AT&T have decided to enter the market. However, there is one big unintended consequence of these systems and the ever-increasing connected world in which we live – the ability for hackers to gain access to cause disruption.

Although there hasn’t been a major breach attributed to a home security and automation system to date, one doesn’t have to look far to see the potential vulnerability. According to a recent study conducted by Hewlett-Packard, 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities. These vulnerabilities included weak passwords, failure to encrypt communications and a lack of granular user access permissions.

Bjorn Jensen, founder and president of WhyReboot, says that as demand for home security and automation systems increases, so will the number of people who want to exploit them.

“For a long time, people really didn’t know about the home automation industry. No one could afford it and so no one advertised it to the common man,” says Jensen, who is also an instructor and subject matter expert for CEDIA. “It was essentially only for a select group of society and they were relatively security free. Right now, you can take a very expensive Crestron processor and just search for the ports that it uses on the Internet and you’ll find them open all over the place. Somebody can literally connect to it, start rebooting things, maybe connect to the programs, it’s just crazy.”

At a recent conference held by the Electronic Security Association, Jensen says that during an onstage demonstration he was able to hack into a Crestron processor at a university within two minutes.

“I was surprised at how scared (alarm dealers) were about it and how they had no idea. I think the presentation we gave onstage showing how the site Shodan can scan for specific devices and open ports, and then how quick it was to access with a little bit of know-how frightened them,” Jensen says. “I’m not a hacker in any sense of the word, but it is just so easy to do it’s scary.”

In addition to leaving a host of appliances and systems open to cyber intrusion, unsecured home security and automation systems could also serve as a backdoor for hackers seeking access to a greater prize. Because these systems are controlled either through a web portal on a computer or apps installed on mobile devices, cyber criminals could use an open home control system as a means to break into a user’s smartphone or tablet and steal any corporate data that may reside on them, according to Jerry Irvine, chief information officer of Chicago-based Prescient Solutions and a member of the National Cyber Security Task Force.

“There really are multiple issues with mobile devices. Mobile devices have data that are stored on them, so all data is at risk if it is on those devices, whether it is the individual’s personal data or the company’s intellectual property,” says Irvine. “Additionally, there are user IDs, passwords and server names or addresses that are stored on there within applications.”

Whether a home security and automation system is Internet- or Wi-Fi-enabled, Irvine says it can be detected and breached.
