The security research community has warned that the Internet of Things, including home security systems, is hackable. Researchers at the University of Michigan and Microsoft have published an in-depth security analysis of Samsung’s SmartThings platform that allows control of home appliances via PC or smartphone. They were able to hack the system, setting off a smoke alarm and opening a digital lock with a “backdoor” PIN. Their findings will be presented at the IEEE Symposium on Security and Privacy later this month.
Wired quotes University of Michigan researcher Earlence Fernandes warning that, “users need to consider whether they’re giving up control of safety-critical devices.”
“The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock,” said Fernandes.
The researchers were able to launch four attacks against Samsung’s SmartThings, “taking advantage of design flaws that include badly controlled limitations of apps’ access to the features of connected devices, and an authentication system that would let a hacker impersonate a legitimate user logged into the SmartThings cloud platform,” notes Wired.
In the worst attack, the researchers used an Android app designed to control SmartThings and were able to exploit OAuth, a common authentication protocol, and take advantage of an “inconspicuous bug” to plant a backdoor PIN code in the lock on the user’s front door.
Fast Company reports on another home security solution, Nest, and its efforts to ensure security. “We start by defining the security requirements in that product at the same time that we’re defining the value proposition for the customer in that product,” said Nest security/privacy executive Jim Alkove. Third parties that build products that connect to Nest, via its Works with Nest program, “are required to explain why they’re seeking access to certain types of data,” said Nest executive Greg Hu.
Another tactic is to limit the interfaces that control the system; for example, a soon-to-launch Nest-enabled Yale lock will be able to unlock doors via a smartphone app but not a Web interface. The company also uses geo-fencing to determine when the smartphone linked to a Nest home enters and leaves that home, using machine learning and knowledge of past behavior. Furthermore, the latest Nest thermostats will “only load firmware code that’s been digitally signed by the company, so even with access to the devices it would be difficult to install malware on them.”
Despite the security precautions, Nest talks with customers to make sure they understand how Nest shares data. “They can make the decision, do I want to authorize that handshake between the two companies?” asked Hu.
University of Michigan computer science professor Atul Prakash suggests that the lesson to be drawn is that smart home platforms are relatively new, and homeowners should consider worst case scenarios in determining acceptable risks.