Unsecured smart home systems leave homeowners, enterprises vulnerable

Aug. 26, 2014
Experts offer advice on how to keep these systems on a separate network and what safeguards need to be in place

The proliferation of connected home devices has opened up a wealth of opportunities for alarm dealers who can offer customers the ability to remotely access and control things, such as lights and thermostats, by integrating them into their home security system. For the first time in decades, there is the real potential for increasing market penetration rates for residential alarm systems from between 18 to 22 percent to well over 30 percent by some calculations. It is the main reason why big cable and telecommunications firms like Comcast and AT&T have decided to enter the market. However, there is one big unintended consequence of these systems and the ever-increasing connected world in which we live – the ability for hackers to gain access to cause disruption.

Although there hasn’t been a major breach attributed to a home security and automation system to date, one doesn’t have to look far to see the potential vulnerability. According to a recent study conducted by Hewlett-Packard, 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities. These vulnerabilities included weak passwords, failure to encrypt communications and a lack of granular user access permissions.

Bjorn Jensen, founder and president of WhyReboot, says that as demand for home security and automation systems increases, so will the number of people that want to exploit them.

“For a long time, people really didn’t know about the home automation industry. No one could afford it and so no one advertised it to the common man,” says Jensen, who is also an instructor and subject matter expert for CEDIA. “It was essentially only for a select group of society and they were relatively security free. Right now, you can take a very expensive Crestron processor and just search for the ports that it uses on the Internet and you’ll find them open all over the place. Somebody can literally connect to it, start rebooting things, maybe connect to the programs, it’s just crazy.”

At a recent conference held by the Electronic Security Association, Jensen says he was able to hack into a Crestron processor at a university onstage during a demonstration within two minutes.

“I was surprised at how scared (alarm dealers) were about it and how they had no idea. I think the presentation we gave onstage showing how the site Shodan can scan for specific devices and open ports, and then how quickly it was to access with a little bit of know-how frightened them,” Jensen says. “I’m not a hacker in any sense of the word, but it is just so easy to do it’s scary.”    

In addition to leaving a host of appliances and systems open to cyber intrusion, unsecured home security and automation systems could also serve as backdoor to hackers seeking access to a greater prize. Because these systems are controlled either through a web portal on a computer or apps installed on mobile devices, cyber criminals could use an open home control system as a means to break into a user’s smartphone or tablet and steal any corporate data that may reside on them, according to Jerry Irvine, chief information officer of Chicago-based Prescient Solutions and a member of the National Cyber Security Task Force. 

“There really are multiple issues with mobile devices. Mobile devices have data that are stored on them, so all data is at risk if it is on those devices, whether it is the individual’s personal data or the company’s intellectual property,” says Irvine. “Additionally, there are user IDs, passwords and server names or addresses that are stored on there within applications.”

Whether a home security and automation system is Internet or Wi-Fi-enabled, Irvine says they can be detected and breached.      

“These devices are non-intelligent, individual controllers that allow for a remote function or reporting. They have very little authentication mechanisms and, in many cases, they have no authentication mechanisms. If I can see it from the outside and see the traffic going to it, then I can target it,” Irvine says. “I can place a botnet, bot application or something malicious on it so it can do one of two things: it can be a proxy, which allows me to gain remote access and do scans of the internal networks, or it can control or have a malicious application put on it that just goes out and continuously searches for devices that are out there and pushes it to them because they’re on the same network.  They can also use it as a proxy to redirect traffic that they want.”

Mitigating the Risk

One of Jensen’s primary recommendations for security installers to reduce the susceptibility of alarm systems to cyber-attacks is to disable port forwarding, which he says unnecessarily opens the door to devices. 

“A lot of people are from the old school where they think that is the best way to connect to sites remotely and that’s probably one of the worst things they can do, especially when you have other options,” says Jensen. “VPNs (virtual private networks) used to be a lot more difficult to setup, but these days there is really no excuse as to why somebody wouldn’t setup one. If you do it right, you could have a secure, encrypted tunnel between yourself and the site that you’re trying to access.”

Irvine also recommends all connected devices within the home be connected to a network separate from the user’s PC.

“Every single wireless router, wireless access point or cable modem has the ability to do VLANs (virtual local area networks) today. Put all of those home automation systems on a VLAN that does not have direct access to or from the Internet,” says Irvine.

Like Jensen, Irvine suggests homeowners setup a VPN, which will likely have to be done by the installer because it is a bit more technical than implementing a VLAN.

Jensen also expects the continued migration from IPv4 (Internet Protocol version 4) - the communications protocol that currently carries the bulk of Internet traffic - to IPv6, will be another factor that substantially contributes to the vulnerability of home security and automation systems.

“If people put in a router that’s ready for IPv6 and their internal devices are not connected properly, you’re basically going to be leaving entire sections of networks wide open to the Internet,” explains Jensen. “That’s probably going to happen sooner than all of these various connected devices being hacked.”

Who Should Bear the Burden?

Jensen believes that the onus of making these systems more secure really falls on the dealers and systems integrators installing them.

“It’s up to them to make sure that they don’t go around opening ports willy-nilly and using terrible passwords,” says Jensen. “I had a client that had a very, very high-profile customer that left their camera server on the default password. I begged them to change it and they said they had already setup all of their iPads with the password and that it would take too long to change and the (IT administrator) was located in another country. At that point, I wondered what my responsibility was. I’m in charge of the network, but it is their system. If they want port forwarding, I give them port forwarding. I felt like somebody should know, so I went to the owner of the company. He was surprised and ended up taking care of it.”

For corporations that allow for VPN access or remote connectivity, Irvine says they should either offer their employees help in setting up the aforementioned secure networks for their homes or require them within their employee handbooks.

“Additionally, they need to make sure that all communications to and from their locations are secured either through VPN or through HTTPS,” says Irvine. “Finally, they need to limit devices that have remote access, not just by user ID but by device so that a user’s laptop or a user’s phone are the only ones that can access the network and that other devices won’t be using them as a proxy to get in. The last thing would be installing mobile device management (MDM) applications which will ensure system updates are all being patched, anti-virus software solutions are installed, data is encrypted and segmented, and also allows for remote wipe deletion of those items in case of corruption, breach, loss or theft.”  

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.