As smart homes grow smarter, what’s the likelihood that the connected systems within will be smart enough to resist being hacked?
Unfortunately, it is not very likely; at least, not without further security considerations, say experts who worry about such devices as "smart door locks" unlocking to admit strangers, and "smart home security cameras" or children’s toys with built-in Webcams taking unauthorized images and then posting them online. That is because the manufacturers of home-automation devices and their access-control systems apparently do not set security or privacy as top priorities, they say.
"In the last few years, these devices have become more affordable, and the ubiquity of smartphones and the ease of application development have offered new opportunities for remotely managing them," according to the paper "The Current State of Access Control for Smart Devices in Homes," written by Jaeyeon Jung and Stuart Schechter at Microsoft Research and Blase Ur, a doctoral student at Carnegie Mellon University.
"While the interactive features of connected devices can benefit users, they can also introduce opportunities for abuse," says Jung, who specializes in connected sensing and recording devices in the home. She describes three primary concerns:
- Authorization. Typically, devices need to be "paired" – or authorized – to function with either a smartphone or Z-Wave controller. Unless this process is done securely, Jung says, the devices can be exploited by attackers.
- Access control. Unlike PCs and smartphones that users typically configure with a single password, smart connected devices need to be shared among family members, and also with visitors to the home, like relatives and cleaning people. Children who need to access smart door locks will need their own passcodes and must be warned not to share them with friends. Various access scenarios may generate security risks.
- Monitoring/auditing access. Smart devices leave no audit trail to alert owners that someone may have unauthorized access to their homes or, conversely, to assure owners that their homes are secure.
The most important devices to secure first, says Jung, are those that are critical for the physical security of the home, like door locks and home security cameras, followed by devices that collect sensitive information in the home, like sleep monitors equipped with Web cameras.
Jung and her collaborators are working on a prototype of an auditing interface for connected devices configured as a Web interface, which can also be accessed via smartphone.
"Given that the prototype needs to go through an iteration at this moment," she says, "we believe it would be premature to make it publicly available. However, we hope to release a research paper on the prototype before the end of March."
Work on the prototype has been made possible by what Microsoft Research is calling its Lab of Things (LoT), a flexible platform for experimental research on connected devices in homes. LoT enables easy interconnection of devices and implementation of application scenarios using the HomeOS operating system. LoT is restricted to academic research – the LoT license doesn’t allow commercial use – and a partial list of the projects using LoT is available here.
Tadayoshi (Yoshi) Kohno, an associate professor of computer science and engineering at the University of Washington, believes too few manufacturers view security and privacy as a primary goal. "What I would urge them to do are three things," he says:
- Invest in rigorous modeling to try to determine their potential adversaries, and how an attacker might try to compromise the system.
- Consider ways to update systems dynamically over time. As with PCs and laptops, manufacturers need to be able to provide patches to smart devices as vulnerabilities are discovered.
- Develop the ability to monitor these systems, so attacks can be detected as they begin.
While Kohno believes it may be premature for consumers to worry about attacks on connected systems in their home, manufacturers should be concerned, he says, especially since 90 million homes could employ such systems by 2017, according to ABI Research.
"The [decisions] manufacturers make today about, say, what protocols to use, may have ramifications five or 10 years from now as these devices become more and more ubiquitous," he says. "We don’t want them to suddenly realize, then, that they made a really big mistake by not fundamentally considering security from the get-go."