Identifying Today’s Risks Facing Smart Homes

In today’s world, there are six major security threats to a smart home: eavesdropping, replay attack, message notification, denial of service, malicious code and masquerading (Rehman & Manickam, 2016). Let’s briefly look at how each of these attacks works:
- An example of eavesdropping is when an attacker monitors internet traffic from indoor and outdoor environments without authorization from users. Data that passes through the network while the attacker is eavesdropping can be captured. This is considered an attack on the confidentiality of the smart home environment.
- Replay attacks can be leveraged by an attacker in instances where they can capture an action being performed on a smart home device and then replay that action over again to get the same result. There are many ways a replay attack can be carried out such as eavesdropping, capturing the network traffic of an action and resending the network traffic to the device. If a smart home has voice-controlled assistants, capturing audio of an authorized user’s command and playing it back on a speaker will in most cases bypass voice identification.
- Message notification occurs when an attacker captures traffic and then modifies parameters and data in the message to maliciously manipulate the intended action.
- A denial of service attack can be used to create an outage on the smart home device. Some smart home security devices “fail open,” which means that in the event there is no internet service or power connectivity, the devices will allow all access. This can be troublesome if your front door locks suddenly lose connection with the smart home provider and they automatically unlock as a safety feature. Fail open commercial smart locks are becoming increasingly common due to fire safety regulations. Additionally, a denial of service to the internet connectivity of a smart home would result in many of the security features of the devices not working. For instance, if a homeowner uses a video camera system that stores the footage in the cloud, the cameras will not be able to store footage without an internet connection. An intruder would only need to cause an internet outage to go completely unnoticed.
- Exploiting vulnerabilities in the software or firmware of smart devices with malicious code is a threat to the smart home that should be taken into consideration when choosing the right smart home technology. If the firmware of the smart devices is not updated and patched regularly, attackers can leverage preexisting vulnerabilities and public exploits to gain access to the devices. Since most smart home devices require internet connectivity, more providers are requiring automatic updates to prevent devices from being used without being updated. Ongoing security updates for your smart home devices are provided by the company that produced them.
- A masquerading attack happens when an unauthorized attacker gains benefits from being authorized as a legitimate user. Two security researchers, Ali and Awad (2018), used the operationally critical threat, asset and vulnerability evaluation (OCTAVE) framework to identify the general cybersecurity risks to a smart home. In their analysis, they discovered that the highest risk to a smart home is unauthorized access to the smart home system due to the attacker having full control as a legitimate user.
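
The replay and message-tampering bullets above describe attacks that a device can reject if every command is authenticated and carries a freshness value. The following is an added example, not code from the article or from any vendor: the frame layout, the `sign_command` function and the `Device` class are assumptions made for illustration, and the shared key is constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def sign_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: frame = counter (8 bytes) || command || HMAC tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()
    return header + command + tag


class Device:
    """Device side (hypothetical): accept a frame only if authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def receive(self, frame: bytes) -> str:
        if len(frame) < 8 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; fails if any byte of the frame was changed.
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified"
        counter = struct.unpack(">Q", body[:8])[0]
        # A captured frame carries an old counter, so resending it fails here.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return "accepted: " + body[8:].decode("utf-8", "replace")


def demo() -> list:
    key = os.urandom(32)  # constructed shared key for the demo
    lock = Device(key)
    frame = sign_command(key, 1, b"unlock front door")
    tampered = sign_command(key, 2, b"lock front door").replace(b"lock", b"open", 1)
    return [
        lock.receive(frame),     # first delivery of a valid frame
        lock.receive(frame),     # identical bytes delivered again
        lock.receive(tampered),  # command bytes changed in transit
        lock.receive(sign_command(key, 2, b"lock front door")),
    ]
```

A rejected frame does not advance the counter, so a tampered frame cannot be used to block the legitimate command that follows it.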
Defending Your Smart Home against Digital Threats

A smart home user should only choose technology that offers technical security controls to protect against authorization attacks, such as two-factor authentication. More providers are offering this as an option to secure accounts but are not enabling it by default. Using two-factor authentication for your smart home services drastically reduces the risk of unauthorized access. Two-factor authentication should be enabled at all opportunities.

It is also important to choose smart home technologies produced by companies that are mature and reputable. Not only would you have better support for your smart home devices, but they are also more likely to produce software updates that will increase the security of your devices and better protect against unauthorized access. These well-funded companies are less likely to be compromised themselves and have staff that are hired to protect their users. Choosing off-brand smart home products is a recipe for disaster. Saving a few dollars now and sacrificing the privacy and security of your home is not a tradeoff that most are willing to take.

Administrative security controls can be used to change how a smart home user handles credentials. Less technical policies like never reusing the same password twice and enforcing rules to store passwords somewhere safe also reduce the risk of credential stuffing. Having a unique password for all services takes more time and is difficult to remember, so Haber and Hibbert (2018) recommend using a password manager as a good strategy to protect against credential stuffing. All passwords used for smart homes should exceed the minimum complexity requirements of these services. One final way to protect smart home users from credential stuffing is to use the Google Chrome extension called Password Checkup. This recently released tool issues an alert whenever it sees a person using a username and password combination that has been identified as leaked in a breach.

The greatest risk identified to smart home users is unauthorized access to the smart home system. Combining technical security controls such as password managers, two-factor authentication and Google’s Password Checkup tool with administrative security controls can greatly reduce the risk of owning a smart home. Administrative controls governing the usage of passwords to ensure credentials are not reused and meet complexity requirements are measures that can be taken by the end user to better protect themselves not only in smart homes but in all services that require authentication. Lastly, choosing the right smart home provider is important due to the support, handling and care of your information as well as ongoing product updates.

The smart home industry is growing as more users are finding the value in the automation aspect of these devices. Data analytics on smart homes reduces the costs of home ownership, allowing users to maximize the savings on variable costs in the home such as heating and cooling.

- Ali, B., & Awad, A. I. (2018, March 8). Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes. Sensors (Basel, Switzerland), 18(3).
- Braue, D. (2019, January 30). Latest credential-stuffing attacks confirm we’re still reusing too many passwords. Retrieved from: https://www.cso.com.au/article/656860/latest-credential-stuffing-attacks-confirm-we-re-still-reusing-too-many-passwords/.
- Haber, Morey J. & Hibbert, Brad. (2018). Privileged attack vectors: building effective cyber-defense strategies to protect organizations. [Books24x7 version] Available from http://common.books24x7.com.libauth.purdueglobal.edu/toc.aspx?bookid=137903.
- Navarro, F. (2019, February 20). Nest is locking you out of your account unless you change your lame password. Retrieved from: https://www.komando.com/happening-now/547312/nest-is-locking-you-out-of-your-account-unless-you-change-your-lame-password.
- Rehman, S., & Manickam, S. (2016, May 27). A Study of Smart Home Environment and its Security Threats. International Journal of Reliability, Quality & Safety Engineering, 23(3), 1.