Today's Internet of Things (IoT) devices enable "smart homes" that use the Web to connect smartphone apps to home Wi-Fi, which in turn is connected to myriad smart IoT devices. The convenience of IoT devices has resulted in a burgeoning "IoT device smart home market [that] is expected to swell to nearly $60 billion" by next year, according to a study by IoT platform Particle, as reported by TechRepublic.
Unfortunately, according to researchers at North Carolina State University (NCSU), IoT smart-home devices suffer from hardware and software implementation flaws that make them vulnerable to hacker attacks. The researchers recently evaluated 24 smart home IoT devices, and the results of their research won the best paper award at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2019) earlier this year.
The smart IoT devices evaluated included eight cameras, seven motion sensors, two contact sensors, two water sensors, two video doorbells, a dead bolt door lock, a smart button (to control lights, electronics, and small appliances), and a smart garage door opener. The NCSU researchers demonstrated critical design errors that allowed two hacker attack vectors to blind or confuse 22 of the 24 smart home IoT devices.
"IoT systems are designed primarily for the convenience of home owners wanting to control their household devices remotely. However, connecting them gives attackers huge power, since the IoT manufacturers are paying more attention to convenience than security," said Suryadipta Majumdar, a professor of information security and digital forensics at the University of Albany. "In my opinion, if solutions are not found quickly, it will become a long-term endemic problem, like cybersecurity in general."
Smart IoT devices send out regular "heartbeat" messages signaling "all is well." It is relatively easy to use hacker code readily available online to pass heart-beat signals to user apps, while blinding sensors or confusing their controllers into reporting errors (for instance, reporting that dead-bolt locks are engaged when they are not). What is worse, IoT smart home devices depend on Internet Protocols that tolerate "off-line" conditions as normal, to allow for when sensor batteries run down, power outages reset devices, or when software updates are being installed. As a result, smart home devices can be hacked by code that forces them to report to users that all is well, when it is not.
Said NCSU researcher Terrence O'Connor, "IoT devices in smart homes send always-on always-connected heart-beat messages to show that they are functioning and always responsive, whereas specific actions, such as accessing in-home cameras, are on demand only. Our research revealed that these heartbeat channels and on-demand channels are routinely isolated within the IoT. By distinguishing between the two, our attacks succeeded in suppressing on-demand sensor access. Our most sophisticated attack allowed heartbeats to pass through to users, indicating that all is well, while blocking all access to smart home IoTs."
The attack vectors used by the research utilized hacker code downloaded from the Internet. The first, less-sophisticated (but nevertheless successful) attack demonstrated that hackers could easily take a home Wi-Fi router off-line, suspending access to all smart home IoT devices.
In particular, the freely available Aireplayng software allowed them to forge de-authentication frames. When broadcast over Wi-Fi channels repeatedly from a laptop outside the victim's residence, it made the smart home's router continually reset itself, which prevented it from sending signals to apps from its sensors and actuators. The only telltale sign that something was amiss was that smart home IoT devices' "heartbeat" signals were also blocked, which caused the user's smartphone app to report the devices were temporarily offline.
The researchers' second, more-sophisticated attack vector made use of open-source OpenWrt software to wirelessly infect the victim's Wi-Fi router with a "hacker's firewall" that let the heartbeat signals through so the apps reported all was well, but blocked access to IoT device sensors and confused their actuators into reporting errors. In some cases, specific vendors' webcams did not even save the blocked video frames, leaving no forensic evidence the attack had ever happened.
Such attacks have already been reported. The largest of these was the Mirai botnet, which infected hundreds of thousands of IoT devices, enabling them to carry out distributed denial-of-service (DDoS) attacks that simultaneously bombard online hosts with hits, thereby taking the sites down so they were unavailable for legitimate users. The source code for Mirai was also published on Hack Forums, resulting in other IoT attacks mimicking Mirai. Similar IoT attacks have been reported by The New York Times, including domestic abuse cases in which hackers which were able to penetrate smart home IoT systems for harassment and other hate crimes. Researchers at Princeton University demonstrated that even when smart home IoT devices used encrypted communications, hackers could nonetheless differentiate heartbeat messages from on-demand messages, allowing heartbeats to pass while blocking sensor data and confusing actuators. Separately, researchers at Rhino Security Labs in Seattle reported that Wi-Fi attacks from a laptop could confuse Amazon Smart Homes into making their locks appear to be engaged, when they were not.
The NCSU researchers concluded that IoT smart homes are "rife with implementation flaws," the solutions for which need to get ahead of known attack vectors. A good start, the researcher say, would be to make always-responsive and on-demand message packets the same size.
Today, manufacturers of IoT smart home devices make heartbeat packets as small as possible; while this is efficient, it enables hackers to easily distinguish always-on "heartbeat" messages from on-demand sensor readings. By making packets the same size, hackers would be hard pressed to block sensor and actuator reports without alerting users of their system's off-line status.
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.