It is time to take smart home security seriously
Smart homes are part of the IoT and offer the promise of improved energy efficiency and control over home security. But there are also smart home security risks. Smart home systems can leave owners vulnerable to serious threats, such as arson, blackmail, theft and extortion.
A recent study set out to determine exactly what these risks might be, in the hope of showing platform designers areas in which they should improve their software to better protect users’ security in future smart home systems.
The in-depth study focused on “SmartThings” because it is a relatively mature system, with 521 apps in its app store, supporting 132 types of IoT devices for the home. SmartThings and other systems offer trigger-action programming, which lets you connect sensors and events to automate aspects of your home. That is the sort of capability that can turn your walkway lights on when a driveway motion detector senses a car driving up, or can make sure your garage door is closed when you turn your bedroom light out at night. There are two major categories of smart home security vulnerability: excessive privileges and insecure messaging.
SmartApps have privileges to perform specific operations on a device, such as turning an oven on and off or locking and unlocking a door. This idea is similar to smartphone apps asking for different permissions, such as to use the camera or get the phone’s current location. These privileges are grouped together; rather than getting separate permission for locking a door and unlocking it, an app would be allowed to do both – even if it didn’t need to.
Consider an app that automatically locks a specific door after 9 p.m.: the SmartThings system would also grant that app the ability to unlock the door. An app’s developer cannot ask only for permission to lock the door. 55% of SmartApps available had access to more functions than they needed.
Insecure messaging system:
SmartApps communicate with physical devices by exchanging messages. SmartThings devices send messages that can contain sensitive data, such as a PIN code to open a particular lock. When a SmartApp has even the most basic level of access to a device (such as permission to show how much battery life is left), it receives all the messages the physical device generates – not just those messages about functions it has privileges to. So an app intended only to read a door lock’s battery level could also listen to messages that contain a door lock’s PIN code.
SmartApps can “impersonate” smart-home equipment, sending out their own messages that look like messages generated by real physical devices. The malicious SmartApp can read the network’s ID for the physical device, and create a message with that stolen ID. That battery-level app could even covertly send a message as if it were the door lock, falsely reporting it had been opened, for example.
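The over-privilege and event-delivery problems described above can be seen side by side in a small Python model of a hub. This is an added example, not SmartThings code or code from the research; the `Hub` class, the app names and the capability, command and attribute names are assumptions made for illustration.

```python
# Toy model of one smart lock behind a hub. Added illustration, not SmartThings
# code: capability, command and attribute names are assumed for the example.
CAPABILITIES = {
    "lock":      {"commands": {"lock", "unlock"}, "attributes": {"lock"}},
    "lockCodes": {"commands": {"setCode"},        "attributes": {"codeReport"}},
    "battery":   {"commands": set(),              "attributes": {"battery"}},
}

class Hub:
    def __init__(self, scoped):
        self.scoped = scoped  # False = coarse model described in the article
        self.grants = {}      # app name -> {"caps": set, "commands": set}
        self.inbox = {}       # app name -> events delivered to that app

    def install(self, app, caps, commands=()):
        self.grants[app] = {"caps": set(caps), "commands": set(commands)}
        self.inbox[app] = []

    def may_send(self, app, command):
        grant = self.grants[app]
        in_caps = any(command in CAPABILITIES[c]["commands"] for c in grant["caps"])
        if self.scoped:
            # Least privilege: the command must also be listed at install time.
            return in_caps and command in grant["commands"]
        return in_caps  # coarse: every command of a granted capability

    def publish(self, attribute, value):
        for app, grant in self.grants.items():
            readable = set()
            for cap in grant["caps"]:
                readable |= CAPABILITIES[cap]["attributes"]
            # Coarse: any capability on the device means every event is delivered.
            if (attribute in readable) if self.scoped else bool(grant["caps"]):
                self.inbox[app].append((attribute, value))

def demo(scoped):
    hub = Hub(scoped)
    hub.install("auto_lock", caps={"lock"}, commands={"lock"})
    hub.install("battery_monitor", caps={"battery"})
    hub.publish("battery", 87)
    hub.publish("codeReport", "0000")  # constructed placeholder PIN
    return {
        "auto_lock_can_unlock": hub.may_send("auto_lock", "unlock"),
        "battery_monitor_sees": [a for a, _ in hub.inbox["battery_monitor"]],
    }

if __name__ == "__main__":
    print("coarse:", demo(scoped=False))
    print("scoped:", demo(scoped=True))
```

In the scoped mode the auto-lock app keeps the one command it declared and the battery monitor receives only battery events, which is the per-command and per-attribute granularity the article says the platform lacked.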
Attacks proved the flaws
1. An app that monitors the battery levels of various wireless devices around the home, installed by an unsuspecting user, was programmed to snoop on the other messages sent by those devices… When the authorized user created a new PIN code for a door lock, the lock itself acknowledged the changed code by sending a confirmation message to the network. That message contains the new code, which could then be read by the malicious battery-monitoring app. The app can then send the code to its designer by SMS text message – effectively sending a house key directly to a prospective intruder.
2. Snooping on the “secure” communications between a SmartApp and its companion Android mobile app. This made it possible to impersonate the Android app and send commands to the SmartApp – such as to create a new PIN code that opens the home.
3. Writing malicious SmartApps that were able to take advantage of other security flaws. One custom SmartApp could disable “vacation mode,” a popular occupancy-simulation feature; the smart home system stopped turning lights on and off and otherwise behaving as if the home were occupied. Another custom SmartApp was able to falsely trigger a fire alarm by pretending to be a carbon monoxide sensor.
There are great benefits to gain from smart homes, and the Internet of Things in general, that ultimately lead to an improved quality of living. However, platforms need to take care of smart home security and quickly! This research is the result of a collaboration with Jaeyeon Jung and Atul Prakash.
More Here [theconversation]