4 Major Smart Home Security Vulnerabilities
Whether it’s your computer, phone or smart home, the Internet is full of vulnerabilities, including poor security practices and general system weaknesses that put your safety at risk.
On the surface, smart home technology seems like a win-win. System integration improves energy efficiency, you don’t have to be physically present to turn certain features on or off, and you can program various devices throughout your home through a single interface. In spite of the convenience and innovation, smart home systems may be compromised, resulting in damaged devices, stolen information, spying and more.
In general, depending on your setup:
- Built-in security features are not uniform across all systems and devices, making them easily exploitable.
- You could be susceptible to theft, extortion or blackmail, while your home could be prone to arson.
- Seemingly simple devices can be turned into surveillance tools by third parties.
With these factors in mind, what puts you at risk?
Easily Available Firmware
According to one study from SecureList.com, a smart home device’s firmware can be found publicly and is easily downloaded without a subscription. From there, it can be altered or analyzed.
At this point, whoever is attempting to hack a device can change a password or set up a personal configuration through a mobile application. To do this, the outside party simply needs to find the password from the root file. Since encryption is not completely secure, the hacker likely will not have much trouble extracting the information needed.
Multiple Functions Related to One Request
Think about the different parts of your home – for instance, a door. Each function, including the opening, closing and locking of the door can be controlled from certain devices. If a third party gained access, they could perform multiple functions through one request.
Based on findings from TheConversation.com, smart home technology is not that different from how an app asks for multiple permissions and groups them all together. Although this seems convenient, exploiting this functionality means that someone outside your network has the opportunity to access your home when you’re not there. For example, when you’re looking to lock the door, more than half of all SmartApps examined also provide an option to unlock the door.
Apps to manage your smart home send out messages to its various devices. In turn, the physical device responds with a message back to the app, where sensitive information like passwords and codes may be exchanged. However, regardless of what’s contained, there is no filter on what gets transmitted. According to more findings from The Conversation.com, this arrangement sets up a host of vulnerabilities:
- Anyone who’s monitoring the app – you or a third party – receives all the information contained in the messages. That person can easily obtain a code or password to operate the device and access the inside of your home.
- Hackers can trick you into installing an app that monitors all messages sent by your home’s smart devices – equivalent to a key-logging app.
- These “fake” smart home apps can generate messages that appear to be sent from your home’s devices, providing you with false information and giving the third-party key access details.
- The third-party spying on your smart home network can create a new code, so they can physically enter your home and lock you out.
A study from SecurityZap.com found that encryption across multiple points in your network is not equal:
- With associated apps, user credentials are not always encrypted.
- Some systems use an unencrypted radio transmission protocol for certain security features – even to unlock your doors.
- Interfaces do not revoke validation and authentication tokens correctly. As researchers found, user access credentials are stored as plain text files. If the app is left unsecure, a third party can easily retrieve this information.
- Even after you change a password, an app may hold onto old tokens. As a result, these credentials can still be used for authentication. This becomes an issue if you lost the phone through which you operate your smart home network.
On a general level, treat your smart home the way you do your computer and phone: Keep your devices updated to minimize potential vulnerabilities. Also make sure that your home and its contents are properly insured in the event of fire or theft. To discuss or update your coverage, give us a call at 203.729.5261.