Smart Home Security: Security and Vulnerabilities

author avatar
Image credit: SimpliSafe

Image credit: SimpliSafe

Article #5 of the IoT Foundation Series. Internet-connected security devices provide a fast and easy way to create a home security system. But are they also creating opportunities for security weakness?

Together with Digi-Key, a distributor of electronic components, we are creating a series of articles about the technologies that make IoT possible.  This fifth and final article examines smart home security.   

Vulnerability of Smart Homes

The number of smart homes globally is expected to increase to 478.2 million by next year[1]. One of the biggest attractions of smart home technology is using internet-connected devices to secure personal dwellings remotely.  Despite the ease smart home security devices provide for protecting homes against theft, damage, or accident, smart home devices also create the risk of lowering personal data security. 

A 2021 research project revealed that typical smart homes are vulnerable to a high number of data attacks.[2] Reported instances of smart home attacks have included hackers remotely controlling smart lights and smart TVs [3],  unlocking IoT-enabled doors, and remotely turning on and streaming video from smart cameras.[4] In one instance, a Milwaukee home only realized they had been attacked when they woke up after their thermostat had been programmed to over 30 degrees Celsius[5].

Two major flaws in connected homes make them susceptible to these attacks; vulnerable local networks and weak IoT devices. 

Vulnerable local networks

Wi-Fi can be vulnerable to attack due to default or weak SSIDs or passwords and vulnerable encryption protocols. Default credentials let the intruder access the router with no effort. Strong Wi-Fi passwords force hackers to look for more difficult gateways to infiltrate the network.

Sniffing and encryption cracking are the most common ways hackers intrude into the network. In sniffing, hackers hijack any packet of data transmitted between a device and a router,  transfer it onto their device, and use brute force to decipher it. It usually only takes minutes. 

Most Wi-Fi routers use WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), or WPA2 security protocol. WEP is an RC4 stream cipher. The weakness of the WEP is the small size of the initialization vector (24-bit IV), which causes it to be reused. This repetition makes it vulnerable.

More secure options are WPA and WPA2. But researchers identified a severe flaw, KRACK, short for Key Reinstallation Attack in the WPA.  A man-in-the-middle attack can exploit it to steal sensitive data sent via the WPA encrypted Wi-Fi connection. The attacker could eavesdrop on traffic and obtain passwords, banking credentials, and credit card information.

Weak IoT devices

Researchers tested a total of 16 commonly used smart home devices from a range of brands and found 54 vulnerabilities that exposed users to attack by hackers. The potential of the attacks ranges from deactivating security systems to stealing personal data.[6] An estimated 80% of IoT devices are vulnerable to a wide range of attacks.[7] 

Smart home devices are vulnerable to attacks because they are special-purpose devices. The IoT vendors fail to provide the required special-purpose security solutions. Further, smart home devices often run small operating systems such as INTEGRITY, Contiki, FreeRTOS, and VxWorks, whose security solutions are not as robust as those of Windows or Linux-based systems. Most commonly available devices, once deployed, cannot be upgraded to update the security capability against the evolving cyber-attacks.

Common smart home device attacks

Attacks on smart home devices are performed in a range of methods depending on the device and communication protocol. Common attacks methods include:

  • Data Breach and Identity theft:
    Insecure IoT devices generate data and provide cyber attackers with ample space to target personal information. This could potentially end up in identity theft and fraudulent transactions.

  • Device hijacking and Spoofing:
    The smart devices can be hijacked, rendering the control to attackers’ hands. The attackers manipulate the device, spoof the communication between two ends, and can assume control over the other devices, even the whole network. 

  • Distributed Denial of Service (DDoS): The device or network resource goes unavailable to its intended users by temporarily or indefinitely disrupting the services.

  • Phlashing: Such attacks brutally damage the device to the extent that it needs replacement. 

Securing smart homes devices after purchase

While some devices have embedded security properties, for smart home devices to be resilient to attack, their owners must abide by some basic protection measures. 

  • Strong passwords: Ensure routers and all devices have strong passwords. Retained default passwords are a common access point for hacks. 

  • Guest Networks: Use the guest network to set up smart home devices when possible. This can help separate the devices from the valuable information stored on laptops or phones. Even if cyber-criminals hack one of the IoT devices, they will not be able to penetrate the main network and compromise the computers and smartphones connected to it.[3]

  • Two-factor authentication: Enabling two-factor authentication, where a device requires an additional verification via a mobile or authenticator app, significantly reduces the ability of hackers to manipulate devices. 

  • Update Firmware: While many devices will provide automatic updates, manually checking and updating the firmware of routers and IoT devices ensures the latest security protocols are active. 

  • Avoid Cloud, use local storage: Use local storage instead of the cloud to minimize the risk of the data being attacked while being fetched to the cloud. 

  • Highest Level Encryption: Use the highest-level encryption (WPA3) on the router to ensure secure communication.

  • Firewalls: Using firewalls is one of the famous ways to secure smart home devices. A firewall enables the user to see potential attacks and manage the security level of individual connected devices.  Firewalls send notifications to the host when any abnormality in the network or devices is detected. 

Role of IoT device developers:

The responsibility of IoT devices’ security lies primarily on the IoT device developers. They must take the necessary measures to make devices safe. Some potential measures could be:

  • Integrating Programmable Hardware Root of Trust (HRoT) inside the IoT devices. HRoT is the foundation for secure operations of electronic devices, especially system-on-chips (SoCs). It contains the keys used for cryptographic functions and enables a secure boot process. Programmable HRoT can be continuously updated to contend with an ever-increasing range of threats. It runs entirely new cryptographic algorithms and secures applications to meet evolving attacks. 

  • Incorporating Edge Computing: Process the data collected from the devices at the edges close to the data sources. The data does not travel through the weak networks to the remote servers, so the risk of breaching is reduced.

  • Designing Over-The-Air Update Capabilities: Manufacture the devices with efficient Over-The-Air (OTA) update capabilities. Many consumers have their devices in remote locations and so update them irregularly. The developers must incorporate a robust OTA update strategy that can execute efficiently and regularly.

Conclusion

Devices connected to the internet are inherently vulnerable to attack. As smart home devices increase in functionality and are more widely installed in homes, understanding personal data security risks and how to mitigate them is critical. IoT engineers must also take responsibility for ensuring smart homes of the future have security built-in as a core feature and not an add-on. 

Article one set the foundations of a smart city infrastructure.

Article two looked into what makes a Smart home, smart.

Article three explored how Smart ML enables scenes for new seamless ways of interacting with smart home devices.

Article four explained how 5G and 6G will assist in delivering smarter communication.

Article five discussed about Smart Home security.

About the sponsor: Digi-Key

Digi-Key is one of the fastest-growing distributors of electronic components in the world. Since its founding in 1972, Digi-Key has been committed to offering the broadest selection of in-stock electronic components, as well as providing the best service possible to its customers, aiding engineers through the entire design process, from Prototype to Production®. 


References

1. [Online]. Available from: https://www.statista.com/forecasts/887613/number-of-smart-homes-in-the-smart-home-market-in-the-world.

2. Laughlin A. which.co.uk. [Online].; 2021. Available from: https://www.which.co.uk/news/2021/07/how-the-smart-home-could-be-at-risk-from-hackers/.

3. Whitney L. pcmag.com. [Online].; 2020. Available from: https://www.pcmag.com/how-to/how-to-stop-smart-tvs-from-snooping-on-you.

4. Vigdor N. New York Times. [Online].; 2019. Available from: https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html.

5. Sears A. FOX6 NEWS. [Online].; 2019. Available from: https://www.fox6now.com/news/felt-so-violated-milwaukee-couple-warns-hackers-are-outsmarting-smart-homes.

6. Broom D. weforum.org. [Online].; 2021. Available from: https://www.weforum.org/agenda/2021/11/how-to-secure-smart-home-devices/.

7. Press R. rambus.com. [Online].; 2020. Available from: https://www.rambus.com/iot/smart-home/.

More by Muhammad Hashir Ali

I am a technology geek and writer. I have a Bachelor of Engineering and have previously worked as a researcher for the National University of Science and Technology (NUST). I write on Artificial Intelligence, Machine Learning, IoT, and Cybersecurity.