Outsmarting the smart home – Security vulnerabilities in the modern house.
Year after year, technology continues its onwards march, every week we see new advances in computer learning, miniaturisation and engineering that are helping to turn science fiction into science fact. Technology is part of everything we do, whether is sharing our cycle rides, looking after our children or talking with our friends.
We are becoming more and more integrated and dependent on the technology we use and central to this is the arrival of the smart home. We can now control our temperature, electricity, heating and security all with our phones or tablets from anywhere in the world. But should we be rushing so fast into the future? With technology moving so fast our safety, security and privacy has been an inevitable casualty. It is now possible to see vulnerability gaps existing between consumers and the technology they use and with criminals rushing to take advantage. We have listed five of what we see to be the greatest technical threats to your home, both now and the future and what we as users can do to stop them.
Although we seldom think about it, the Router is one of the most crucial parts of a household. What we look at, what we buy, our passwords, bank information, and more all pass through our router. It is the single greatest information exchange in a modern home. It is also the work of seconds to photograph the back of a router, and once you have a working password and IP address to remotely access the system from anywhere in the world (even if the owner changes the password).
Skilled hackers can ‘piggyback’ on a router, monitoring traffic and the amount of information gathered is limited only by the skill of the criminal involved. In April 2016 A bank in Bangladesh who failed to invest in router security suffered a hack which caused them to lose £ 56 Million. Once criminals are able to access a router they can also potentially access all other connected devices.
Keeping your router secure is simple and the first solution is moving the router away from public areas of the home. The second and most important detail is to change the password from the default. Removing the ability for hostile parties to access router details and changing a default password helps improve security dramatically.
The concept of the digital ‘smart lock’ and the ‘smart key’ is simple. You can just send a digital key via your phone allowing the recipient to open your door via a wifi connected lock. This is a useful feature, you can now let guests into your home while you are out and you don’t have to worry about hiding keys under doormats. That being said, there are some serious issues to consider with internet based locking systems that should be borne in mind.
Technology moves fast and encryption that is safe today may not be safe tomorrow. Digital locks rely on constant updates to keep them secure, but what happens if a manufacturer goes bust or stops trading? In August 2017, digital lockmaker Otto found itself unable to keep trading due to a failed business deal. Otto never managed to ship its new locks to consumers but the lesson was clear. By creating a reliance on companies in order to do things as simple as unlocking your door you have a house that depends on the success of your providers in order to keep functioning.
This dependence was highlighted again in August 2017 when an error in an update for internet connected locks provided by company Lockstate caused many of the locks to stop working and freeze. No fix could be issued and the only way to solve the problem was to break the door and replace the lock.
Ultimately it may be best to rely on physical locks that require physical effort and equipment to break (and enter) rather than something that can be deactivated at the push of a button.
Connected devices in the home
Easily exploited technical vulnerabilities also extend to all other ‘smart’ devices in a person’s home. If current market trends continue, 55% of US homes are likely to have a smart system by 2022. But, the more devices that exist within your home that broadcast ‘out’ the more vulnerable you can be. Although you may have excellent network security, this is irrelevant if the company you use has failed to invest in security of their own.
The Shodan database is a powerful free online resource that allows anyone to search for ANY internet connected smart device. Even without using specialised knowledge, the search term “port:554 has_screenshot:true” reveals live cameras feeds installed in places ranging from bars in France, private lounges in Korea and even rabbit cages in Germany.
These vulnerabilities exist because again many of us do not change the default username and passwords on our smart devices and seldom check the security of the devices we use. It is also because a list of default passwords and usernames for every single type of smart system exists online. Just changing the passwords can prevent snoopers from being able to look in, as well as criminals from being able to target your home.
The rise of the virtual assistant (devices like the Amazon Alexa and Google Home) have brought different security and privacy issues to the fore. Recently researchers at UC Berkeley realised that they were able to hide commands for an Amazon Alexa within white noise or music and even within other voices, providing a ‘secret’ command that only the machine hears. This ‘trick’ has yet to have any practical usage as of yet. But as virtual assistants take on more household tasks, being able to hide commands in innocuous sounds like a recorded dog bark or an ice cream truck jingle is a valuable tool.
This was further proved in a recent episode of BBC Panaroma where hackers were able to access and use the speakers on a smart TV (via an unsecured router). Using the speakers on the TV, they then ordered a nearby Virtual Assistant to buy products that could be delivered and intercepted once they arrived, showing how hackers could ‘bridge the gap’ between two devices even when no electronic link existed.
The other issue with many of the virtual assistant type devices that exist is that you as a user have no control over information that the machine takes from you. Most virtual assistants are listening continuously and likely the only reason they do not record and store every word they hear is a storage issue. With the rise of advances such quantum computing, data storage will get easier and the likelihood of an Alexa system being able to hear and record everything only increases. Alexa’s power and decision making are also all based on the Internet, in the cloud-computing service run by Amazon far outside your home and as we have seen, no company is completely immune from the risk of cyber-attack.
This example of a single technical fault causing widespread issues can also be seen vividly in the current explosive rise in the theft of keyless cars. A recent 44% rise in Car-thefts in the Manchester area was blamed on criminals discovering a method of ‘cloning’ the signal used to unlock and start cars. One criminal stood by a car with a transmitter, while a second waved a signal amplifier near the house the car is parked outside. If the car’s key fob was close enough, the amplifier would detect the signal, amplify it, and send it to the accomplice’s transmitter who then used it to unlock the car. Stopping the attack required keys to be as far from the door as possible or else placed in a faraday cage bag.
To combat the issue, Greater Manchester Police stated that vehicle owners should invest in the bulky yellow steering locks. This was because criminals that had perfected keyless car theft did not carry bolt cutters because they did not need to, because the fault was universally applicable it was quicker and easier to just move onto the next car.
Where do we go from here?
Smart technology is here to stay, but we must adapt and be discerning about how we interact with it. We must learn to balance convenience, security, privacy and dependence and be realistic about the pros and cons of each.
Smart locks may be very useful, but we must be aware that they are imperfect and foster a dependence on an external provider. Equally the virtual assistants we use in our homes are certainly convenient but in using them we cost ourselves our privacy. As systems advance many of the teething problems will likely be ironed out, but for now (and perhaps always) we would recommend a little less convenience in favour keeping our lives and homes as secure, private and above all as independent as possible.