After installing a smart home kit, you can control and monitor your house in many ways. Turn the air conditioner on before you get home, make sure doors and windows are closed, switch lights on and off; these are just a few of the possibilities. However, researchers at AV-Test found some smart house kits to be extremely lax in their security. A back door in the software might literally let a crook remotely open your back door!
They evaluated seven products with a variety of different functions, and found some real klunkers. AV-Test is in Germany, and the selection of products for testing has a distinct European slant, but I have no doubt they'd find similar results testing smart home kits more commonly sold in the US. A talk at last year's Black Hat conference revealed some serious problems with the popular WeMo Home Automation System from Belkin, for example.
Good News and Bad
Three of the seven products were clearly designed with security in mind. All three use encrypted communication, and all three require active authentication for access. The researchers couldn't find any way that an external attacker could gain access, and the secure remote control feature for all three was thoroughly locked down.
Two of the remaining four use no encryption, and are therefore vulnerable to any malware that may have infiltrated the local network. Worse yet, the other two proved susceptible to manipulation across the Internet.
What Could Happen?
If malefactors can take over your system remotely, the consequences depend on just what sort of smart house features you've installed. If they're just plain nasty, they could turn off your heat to freeze your pipes. More likely, they could use the monitoring feature to determine when nobody's home, a perfect time for a burglary! In the worst-case scenario, they might even be able to unlock the house or turn off the alarm system remotely.
The report also speculates on the possibility that hackers might effectively take the connected devices hostage and demand payment before releasing them. I'm not so sure about that one; it seems to me the victim could simply disconnect the smart home components. It also suggests that "minimally protected smart home devices will therefore soon be ambushed by Trojans that...will not hide in the PC, but, for example, in the smoke detector's memory."
If you're considering installing a smart home system, or otherwise connecting your appliances and devices into the "Internet of Things," you'll definitely want to read the full report.