Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Without proper security measures, smart homes are just begging to be targets

Grant Hatchimonji | March 18, 2014
As our world becomes increasingly connected via the Internet, it only seems logical that the interconnectivity would eventually permeate our homes. "Smart devices" like alarm systems, locks, thermostats, and more that can be controlled over the Internet are gradually gaining visibility and creating legions of "smart homes." For all the technological advancements, however, it would appear that our houses are simultaneously becoming more vulnerable.

"Use reflection. I'm going to keep [these devices] in my network and not configure them to be remotely accessible," he said. "If you browse for a website [on a computer that is connected to the same network], attackers can use your web browser to send requests to devices in your network, since a lot of htem have web-based configurations. If it's not secure or there's a vulnerability, that's a problem.

"When they exploit it, they would run code that calls back to them; a server they have control of," he added. "And that gives them remote access."

One would think that given the threat that these devices pose for the networks to which they are connected, vendors would release them with included security measures. Unfortunately, it appears they don't come equipped with much beyond a request for credentials.

"[Smart devices] usually have something built in; most devices, whatever admin access they have, will typically be at least password protected," said Heffner. "But there are a couple of problems there. A lot of people don't consider all of the scenarios." What little security measures these devices have are not necessarily mandatory to implement; users could, for example, not even bother setting a password. Heffner added that there are also ways for attackers to bypass the login process at some point in the code before the device checks credentials.

[Smart devices get smarter, but still lack security]

"So even if you have configured a secure password, you're not necessarily safe," he said. "Security is not taken that seriously as it is with things like PCs with Windows."

Irvine added that not only is an ID and password typically the extent of the security measures, they're not even that strong given that passwords often don't even need to be complex.

"It's easy these days to proxy and masquerade as a web device," he said. "You could be a rogue web server, for instance, that these devices would then report to, nullifying the need for a user ID and password."

Even if a user is diligent enough to make the most out of the security measures at hand, there's no way to secure what you don't know is vulnerable, Heffner pointed out.

"If there's a vulnerability in a device, most consumers will never hear about it," he said. "Most vendors will just ignore a vulnerability and never patch it at all. It's hard to protect against unknown vulnerabilities."

With so many vulnerabilities, both in the products themselves and as a result of poor user awareness, Irvine and Heffner seemed concerned about attack rates increasing alongside adoption rates. Irvine seemed particularly concerned with the lack of awareness surrounding the vulnerabilities of smart homes. "I think the security [of these devices] won't improve until there is a major issue," he said. "As the adoption rates increase, so will the attacks. The same thing happened with mobile devices."

 

Previous Page  1  2  3  4  Next Page 

Sign up for MIS Asia eNewsletters.