How Smart Homes Have Dumb Security
Many so-called 'smart' homes are not secure. Here's why they're not, and how you can make your own smart home safer.
You might think that your family and your possessions are secure because you can manage your home's security system from your smartphone. And it sure is cool to be able to turn on the lights and control your DVR from a remote location.
But is all that data you send to your home system encrypted and securely delivered? The bad guys might be cracking your code — and that might be putting your family at risk.
MORE: 12 Things You Didn't Know Could Be Hacked
For all that smart homes can do to make a house more secure — from remote-controlled door locks to apps that turn lights on and off — an Internet-connected home may actually make you less secure.
What smart homes do well is to add a layer of physical security, said Jason Fredrickson, senior director of enterprise application development at Guidance Software, a digital-forensics firm in New York.
An intruder may still try to bust down a door or break through a window, but it is the alarm that scares him away. The ability to control lights and appliances to make the home looked lived-in can be a deterrent, said Fredrickson, but can a police officer patrolling the street.
Greater connectivity, greater risk
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Of course, smart homes are about more than just adding physical security. It's convenient and cost-effective to be able to regulate a thermostat from your office, or to get a warning on your phone if you have a leaky pipe in the basement. It provides peace of mind to parents who want to know exactly when their kids walk in the front door after school.
But at the same time, all this convenience and peace of mind comes via the Internet, and by connecting home devices to the Internet, you add new attack vectors and therefore increase your risk, said Luke Klink, security program strategist for Indianapolis-based IT security and consulting firm Rook Security.
"It becomes possible for someone to turn on your air conditioning in the middle of January to freeze and break pipes while you are away on vacation, without the attacker ever stepping foot in your home," Klink said. "The possibilities are really only limited by the imagination and determination of an attacker."
The biggest risk concerning the Internet of Things likely isn't in home systems and appliances, Klink added, but in that gadget tucked in your purse or pocket.
"It is the smartphone that controls many of these devices," he said. "Nearly two-thirds of smartphone users don't use a 4-digit PIN to lock their phone. Losing an unprotected smartphone gives the finder access to all the smart devices controlled from it."
Disrupting the message
Then there is the Internet connection. Networks get hacked, and the network that controls the Internet of Things is no different. For example, the warnings regarding public Wi-Fi are especially pertinent when making a connection to your house while away from home.
"There is a risk of using public Wi-Fi in general, since the credentials for authentication/login to your home automation system may be compromised," said Derek Manky, global security strategist with Fortinet's FortiGuard Labs in Sunnyvale, California.
"The larger issue at stake is that there is a public IP connection to your home," Manky said. "The same issue exists with industrial control systems, meaning there is a digital entry point for any malicious hacker in the world.
"In analogy, think of a gated community: Any houses behind the gate are, in essence, on a private network to those within, and their front doors are not wide open to the outside world," he explained. "In a digital sense, the same concept applies — by having a public-facing IP [address], you are not behind any gated community. Your front door is open to the world."
Even private Wi-Fi connections may be risky, since the data used in smart-home systems often isn't encrypted. That, according to Manky, makes home automation easy pickings for hackers and thieves. If you want to know whether your data is encrypted, Manky recommended directly contacting the developer of your smart-home system and asking about encryption.
Attacking the other end of the line
However, lack of encryption and the resulting 'Man in the Middle' attacks are not the only risks to smart homes, Manky said.
"The problem often is that mobile devices or PC's that interact with the control system can easily become compromised," he said. "Even if the data is encrypted, the device is 'owned' by the malicious attacker, so encryption is null and void at that point."
The apps used to control home appliances and security systems may also have flaws, Manky added.
"Most applications are trying to cram as much remote functionality in as they can when it comes to remote administration and control," he said. "Fancy applications and user interfaces means they become more complex, more integrated — and therefore more vulnerable.
"We refer to this as the attack surface," Manky explained. "If an application is able to remotely control critical security systems, such as [to manage] door locks or access security cameras, it's obviously a large concern."
MORE: Hacking the Internet of Things
How to make your smart home smarter about security
Home automation is an irresistible trend, but features tend to take priority over security, said Scott Morrison, a distinguished engineer at CA Technologies and former chief technology officer at Layer 7 Technologies.
"The Internet is a bad part of town, and we need to respond appropriately to protect our property," Morrison said.
Morrison provided three steps you can take to make your smart home more secure.
1. Firewall your Internet connection. Most home routers have integral firewalls. Make sure your router's firewall is configured so it does not accept unrequested connections from the Internet. If you don't know how to do this, think twice about automating your home.
2. Be wary of any home device you can interact with away from home. This includes security cameras, baby monitors, thermostats and so on. If you can run it remotely from the office, it means other people can likely connect to it as well. Carefully follow the manufacturer's directions on how to set up the device's security features.
3. Watch the manufacturer's website for software updates. Home-automation products need updates just like your computer, but they are easy to neglect when they fade into the background. Make a list of the "smart" devices you own and check regularly for software updates for each one.
Follow us @tomsguide, on Facebook and on Google+.
- How to Hack Into a City's Power Grid
- 7 Computer-Security Fixes to Make Right Now
- Best Home Security Camera Systems