The advent of smart home technology has forever changed the face of the residential alarm industry for the better. Not only are people more connected to their systems than ever before, but it has also breathed new life into the industry in the form of additional recurring revenue opportunities. In fact, a recent report from Research and Markets projects the smart home equipment and services market to grow at between eight to 10 percent year on year for the next five years, reaching an estimated $68 billion by 2018.
However, as with any device that is connected to the internet today, home automation and security systems are vulnerable to myriad threats posed by hackers. There have already been several well-documented cases where people have tapped into connected home products, such as baby monitors and surveillance cameras. But what if instead of just scaring or looking in on people and their children, hackers could lock or unlock doors or change alarm settings? These are just a few of the things malicious actors could do if they were to find and exploit cyber vulnerabilities in connected home products.
Craig Young, a security researcher for Tripwire, recently analyzed three of the top selling smart home hubs available on Amazon and found zero-day flaws, vulnerabilities that are not known or patched by the vendor, in each of these devices that could be exploited with dangerous consequences. These products included Quirky’s Wink hub, Vera Control's VeraLite smart home controller, and the SmartThings hub.
Young said that it didn’t take him longer than 20 minutes to gain complete control of these products. With the SmartThings hub, however, he said that the attack surface was very limited and he was only able to identify a privacy issue with it.
“Those were flaws I was able to identify and exploit very, very easily with just basic vulnerability research skills,” explained Young.
Young said the VeraLite product is the only one that remains vulnerable to this zero-day vulnerability as of their latest firmware update which was released at the end of July.
"We have not issued a patch per se, as all our Vera Controllers offer an enhanced level of security via the 'Secure my Vera' mode. This hardened mode nullifies all the attack vectors proposed by Tripwire," Lewis Brown, president and co-founder of Vera Control, said in response. "Tripwire intentionally chose to perform their 'testing' with this security feature disabled. If the proposed vunerbillites were present in the secured mode we would have issued an immediate software update to address."
Young said he was motivated to investigate potential cyber vulnerabilities in smart home products after walking through a home improvement store last November and seeing the rows and rows of these systems for sale.
“It got me thinking about my previous experience researching home routers, IP cameras and all of these different embedded systems,” explained Young. “In my experience, embedded systems really don’t implement the types of security mitigations they should be and they are oftentimes being developed by people that don’t have a proper understanding of the risks of security threats – not taking the steps to sanitize user input because they don’t recognize that somebody can craft input differently than what they are expecting and cause the system to behave in unexpected ways.”
Given the state of these devices and their relative lack of cybersecurity safeguards, Young believes if they become more widely deployed that there will be more significant attacks carried out against them in the future.
“There are some saving graces here in that these products typically don’t get directly exposed to the internet in the way that some baby cameras and routers might. People in those cases are often opening up firewalls to expose their devices to the internet so they can access them remotely,” he said. “On the other hand, these types of products tend to not open a hole in your firewall, but rather call out to the manufacturer’s system and then when you want to access them remotely, you login to the manufacturer’s system and it relays commands back into your home network. That creates a completely different set of risks though. For example, if someone was to break into the backend infrastructure of a product, they would have the ability to forward connections into the home networks of all of the customers using this product.”
In this type of scenario, Young said hackers could access connected lightbulbs and other appliances within homes and turn them on and off repeatedly to trigger a power surge that could have a detrimental effect on the power grid.
“There are unexpected risks that can come from these systems being breached beyond just somebody taking control of the system and maybe using it to send out spam or phishing emails and attacking other computers on the network to steal data,” said Young.
Young recommends the makers of these products restrict the ability of the web server, which tends to run on all of these devices, to do anything it wants and said that it should be sandboxed instead. Firmware signing, which would help prevent hackers from producing a malware-laced version, is another best practice Young believes manufacturers should adopt. He also praised Quirky, the maker of the Wink hub, for implementing a bug bounty program that encourages people to research their product and bring potential issues to their attention as they arise.
While the devices Young examined fall into the DIY segment of the market, he said they are also aware of vulnerabilities in systems being installed by certain telecommunications firms that provide home security systems. Young said installers of smart home solutions need to contract with an independent consulting firm to conduct penetration testing on them.
“It’s important to understand that most companies don’t have the security expertise necessary to do these reviews on their own which is why subcontracting is very important in this case because penetration testers have these expertise,” said Young. “They go through trainings; they are looking at this all the time and they are thinking about things differently than most developers.”