Smart Homes - Inadequate Security?

We previously discussed the rise of IOT and how that changes the nature of risk and security.  This week, let’s take a closer look at smart homes.  The variety of devices being Internet enabled our homes is exploding.  Everything from light switches, light bulbs, door locks, thermostats and garage door openers, and that’s not to mention larger appliances such as smart fridges and televisions.  The rise of Alexa, Siri and Google Home make it easy to say commands to unlock your door, or turn on your television and set your lights to 50% brightness.  However, this convenience factor presents a new and unique risk to the security posture of your home.

 

 

Smartphones and smart speakers are turning into centralized management hubs for your home.  The mini-computer you hold in your hands or speak to is the complete interface to running your connected smart-home. You talk to your device to unlock your door.  Your phone crosses a geofence and opens your garage door. It is a single point of access to your entire connected home.

 

There have been cases reported of tablets and speakers left near an open window and people loudly asking that device to unlock the door.  Imagine your house being broken into by a robber who only needed to speak loudly and ask to be let in. Now there are things that can be done to mitigate these types of threats, but we mention this here to just highlight how this move to smart homes changes the way we need to think about security.

 

The risk is not just in making sure you are physically (and audibly) secure your smartphone or speaker.  The risk is also in the management or control applications written to support this growing collection of smart home products.  These applications represent not only a connection to your smartphone and the internet, but also a pathway into your connected home. As this ecosystem becomes tightly enabled, potential malware or breaches in one smart-home connected application or device, could have implications on others devices (imagine a compromised thermostat that can now unlock your door or turn on your connected security camera). Re-packaged applications is another security angle that needs to be understood.  An attacker could repackage a smart-home control app and add malicious code of their own. To the unsuspecting user this app would look, feel and function just like the legitimate applications, however it would have a malicious payload attached to it. This could allow them to steal credentials and otherwise become an avenue to further compromise the smart-home device.

 

Each new smart home product ties into your home ecosystem and exposes a set of capabilities to control and interface with it.  These capabilities are fundamentally used provide that smart home convenience, but bring with it unique and new risks and security challenges. When we think of Cyber Attacks we typically think of intrusions into our software systems including subsequent data theft, however in this new era of connected homes we need to consider that cyber attacks are the precursor to physical threats and theft, and even potential risk to those at home.

 

We’ll leave you with a parting thought. The applications that we are all so fond of, and which we have become accustomed to on our mobile phones, are quickly proliferating across a myriad of devices that touch every aspect of our lives. When we consider “mobile” application security, we are no longer talking about an isolated app that runs on your phone, but the ubiquitous applications which reside on each and every connected device which enables our new high tech lifestyle.