IoT Security

Security Vulnerabilities of Internet-Connected Homes

Daniel Dimov
March 23, 2016 by
Daniel Dimov

1. Introduction

In the past ten years, there has been a steady increase in the number of Internet-connected home devices. However, the huge influx of such devices causes some cyber security problems to the owners of smart homes. Each home device that can be connected to the Internet constitutes a "door to sensitive information" that needs significant protection. A smart home device that has security loopholes can be accessed and hacked within seconds. By way of illustration, it took 15 seconds for security researchers from the University of Central Florida to demonstrate how to hack Google's Nest thermostat.

The purpose of this article is to examine the security vulnerabilities of some commonly used Internet-connected home devices. More particularly, the article will discuss security vulnerabilities related to smart switches (Section 2), smart thermostats (Section 3), smart smoke detectors (Section 4), smart door locks (Section 5), smart indoor and outdoor lighting (Section 6), smart kitchens (Section 7), and smart toilets (Section 8). Finally, we provide a conclusion (Section 9).

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

2. Smart switches

Smart switches allow their users to switch an outlet on and off over a Wi-Fi connection. The advanced models of such switches have a variety of functionalities, such as built-in speakers and microphones, full-color touchscreen displays, and built-in smart dimming capacities. However, due to their Internet connectivity, smart switches may be vulnerable to information security attacks. For example, hackers revealed that the default password of the smart plug Kankun was "root/admin." Once connected to Kankun, the attackers were able to control the switch's relay directly.

3. Smart thermostats

Smart thermostats collect information about the behavioral patterns of the persons living in the premises in which the thermostats are installed. The collected information is used to ensure efficient heating and cooling. For instance, if a smart thermostat finds out that no one is at home in the morning, it will switch off the heating for energy saving purposes. Although smart thermostats may have a large number of information security vulnerabilities, we will focus our attention on a security vulnerability related to the Device Firmware Update (DFU).

The DFU flaw was widely discussed after it was found in Google's Nest learning thermostat, one of the most popular smart thermostats. Google's Nest has a DFU mode which can be accessed by holding down the Nest's screen for a certain period. The DFU mode can be used for diagnostic and repair purposes. Although the DFU is designed to be used for legitimate purposes, it can also be exploited by hackers for penetrating Google's Nest. More particularly, hackers can use the DFU to run their own software on Google's Nest and access the smart thermostat from a remote location.

4. Smart smoke detectors

The smart smoke detectors contain a large number of sensors which gather information about the environment in the premises in which the smart detectors are installed. For example, Google's Nest Protector has not only a smoke sensor, but also a heat sensor, a carbon monoxide sensor, a light sensor, and ultrasonic sensor.

The wireless interconnectivity between smart detectors makes them vulnerable to various information security attacks. For instance, by sending wireless signals which appear to be sent by one of the interconnected smart smoke detectors, hackers can activate the smoke alarm in an entire home or building.

5. Smart door locks

The modern smart door locks allow their users to email or text "virtual keys" to people located all over the world. Furthermore, the users of the smart door locks can open or close their doors from a remote location. However, the benefits provided by smart door locks can be used not only by legitimate users but also by hackers. For example, a hacker may make your "virtual keys" publicly available or unlock your door while you are away. These scenarios are not merely hypothetical.

In 2015, two security researchers (Paul Lariviere and Stephen Hall) published an article stating that they were able to discover a series of vulnerabilities of August Smart Lock that would allow attackers to unlock and lock any August Smart Lock that they encounter. August Smart Lock is a locking device which can be locked or unlocked through a smartphone. The researchers found that August Smart Lock can be compromised, provided that the hacker knows lock's universally unique identifier (UUID). According to the study, the UUID can be discovered in three ways, namely, (1) by inspecting the local plaintext application log file, (2) by intercepting application program interface (API) calls on the attacker's mobile computing device, and (3) by decrypting the local storage on the attacker's mobile computer.

6. Smart indoor and outdoor lighting

Users of smart indoor and outdoor lighting can turn on or turn off their lighting by using their mobile phones. If hacked, smart lighting systems may leave their users in darkness. Context Security, an information security consultancy, demonstrated how easy it is to hack Lifx smart LEDs, lighting bulbs available in many countries around the world. In a typical Lifx setup, a "master" bulb controls some "slave" bulbs. The "master" bulb communicates directly with user's smartphone.

During the experiment, Context Security researchers hacked the Lifx smart lighting system by tricking the "master" bulb to send Wi-Fi credentials to a new "slave" bulb, which was used by the researchers specifically for the attacks. In response to the information about the security vulnerability, the firm selling Lifx smart LEDs stated: "There was a potential security issue regarding the distribution of network configuration details on the mesh radio but no LIFX users have been affected that were are aware of." The firm also confirmed that the software operating Lifx smart LEDs was updated in response to the vulnerability above.

7. Smart kitchen

An increasing number of kitchen appliances are becoming smart, i.e., they can be connected to a smartphone, controlled by voice, and interconnected with other kitchen technology. However, hacked smart kitchen appliances may put the life of their users in danger. For example, the burnt food smoke produced by a remotely activated smart oven can threaten the life of children and sleeping people.

Hacked smart kitchen appliances can also be used for sending spam emails. Security Researchers from Proofpoint revealed that hackers used 100,000 hacked smart refrigerators and other smart household appliances to send spam emails. Smart kitchens are especially attractive to spammers due to their 24-hour availability on the Internet.

8. Smart toilets

In the market of smart home systems, luxurious smart toilets gain prominence. They provide users with multiple cleansing options, heated seat, music, and sophisticated hands-free hygiene alternatives. Furthermore, the users of smart toilets can control the commode by using a mobile application. However, by compromising the mobile application, cyber criminals may cause distress to the users of the smart toilets.

In this context, the security company Trustwave published a report discussing a security issue related to the mobile application controlling the Satis smart toilet. According to Trustwave, hackers of a compromised Satis smart toilet were able to open and close the toilet lid remotely, activate the bidet, and constantly flush the toilet. To hack Satis smart toilet, one needs to download from the Internet an application called "My Satis." Then, "My Satis" will establish a Bluetooth connection with the toilet. The users of the smart toilet are unable to change toilet's Bluetooth PIN because it is hard-coded to 0000. It should be noted, however, that the range of toilet's Bluetooth is only 30 feet/10 meters. Hence, if a toilet is hacked, it may be relatively easy to find the hacker.

9. Conclusion

Nowadays, Internet-connected home devices can be found in the homes of millions of people. Such devices offer the potential for improving home comfort, preventing home incidents, and ensuring efficient energy use. However, the smart home gadgets also raise security issues which can undermine consumer confidence. In this regard, the FTC Chairwoman Edith Ramirez stated: "The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers." The security issues related to Internet-connected home devices can be overcome to a large extent by cooperation between consumers, governments, and device producers. The role of the major three actors in preventing security issues is examined below.

To avoid security issues related to Internet-connected home devices, consumers must have strong information security awareness. Such awareness will protect them from social engineering attacks, attacks exploiting weak passwords, and malware infections. It is worth mentioning that even the best anti-virus programs, the most comprehensive information security laws, and powerfully secured devices cannot help a consumer against sophisticated phishing attacks. The recent attacks on an Ukrainian railway operator and the Prykarpattyaoblenergo power plant in Ukraine clearly indicate that even very well secured public infrastructure facilities can be vulnerable to phishing attacks. The attacks were conducted by inserting BlackEnergy Trojan into computer systems through a spear-phishing email that contained a document infected with the malware.

The governments can mitigate the security issues related to Internet-connected home devices in two ways, namely, (1) by funding research projects aiming to enhance public awareness regarding the security risks posed by such devices and (2) by adopting laws obliging producers to ensure the information security of their products. Since Internet-connected home devices are developing with a significant speed, governmental regulations often lack the flexibility to adapt to the rapid technological development. Industry self-regulation allows producers of Internet-connected home devices to use their expertise to solve issues arising out of the use of their devices. The term "industry self-regulation" can be defined as a process through which an organization monitors its own adherence to standards (including legal standards) and enforce those standards.

References

Anthony, S., 'Smart toilet's bidet hacked via Bluetooth, gives new meaning to 'backdoor vulnerability', Extreme Tech, 5 August 2013. Available at http://www.extremetech.com/extreme/163119-smart-toilets-bidet-hacked-via-bluetooth-gives-new-meaning-to-backdoor-vulnerability.

Chapman, A., 'Hacking into Internet Connected Light Bulbs', Context, 4 July 2014. Available at http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/ .

'Google Nest: Exploiting DFU for Root,' Exploitee.rs, 24 June 2014. Available at https://blog.exploitee.rs/2014/google-nest-exploiting-dfu-for-root/.

Hall, S., 'Making Smart Locks Smarter', PerfectlyLogical InfoSec Blog, 29 March 2015. Available at http://blog.perfectlylogical.com/post/2015/03/29/Making-Smart-Locks-Smarter.

Hautala, L., 'Internet-connected homes open the door to hackers', CNET, 28 December 2015. Available at http://www.cnet.com/news/internet-connected-homes-open-the-door-to-hackers/.

Hill, K., 'Nest Hackers Will Offer Tool to Keep the Google-Owned Company from Getting Users' Data', Forbes, 16 July 2014. Available at http://www.forbes.com/sites/kashmirhill/2014/07/16/nest-hack-privacy-tool/.

Hill, K., 'When 'Smart Homes' Get Hacked: I Haunted a Complete Stranger's House Via the Internet', Forbes, 26 July 2013. Available at http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/.

'The Internet of Things: Groundbreaking Tech with security risks,' We Live Security, 29 October 2015. Available at http://www.welivesecurity.com/2015/10/29/internet-things-groundbreaking-tech-security-risks/.

Khandelwal, S., '100,000 Refrigerators and other home appliances hacked to perform cyber attack', The Hacker News, 18 January 2014. Available at http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html.

Lee, A., 'Why Nest's Smoke Detector Fail Is Actually a Win for Everyone', Read Write, 4 April 2014. Available at http://readwrite.com/2014/04/04/nest-smoke-detector-fail/.

Molina, B., 'How smart toilet in Japan became prone to hacking', USA Today, 6 August 2013. Available at http://www.usatoday.com/story/tech/2013/08/06/smart-toilet-hack/2622723/.

Sayer, M., 'Smart Door Locks, How Secure Are They?', Cujo, 1 June 2015. Available at https://www.getcujo.com/smart-door-locks-how-secure-are-they/.

'Smoke Detector Hardware Setup,' Tinker Forge. Available at http://www.tinkerforge.com/en/doc/Kits/HardwareHacking/SmokeDetector_HardwareSetup.html.

Stevens, G., 'Why aren't you scared of Nest Protect?', The Kernel, 9 October 2013. Available at http://kernelmag.dailydot.com/comment/column/5946/why-arent-you-scared-of-nest-protect/.

'FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks,' Federal Trade Commission, 27 January 2015. Available at https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices.

Wakefield, J., 'Smart LED light bulbs leak Wi-Fi passwords', BBC, 8 July 2014. Available at http://www.bbc.com/news/technology-28208905.

Yarow, J. 'The End of House Keys: The August Smart Lock Wants to Make It So You'll Never Get Locked Out of Your Home Again', Business Insider, 30 October 2013. Available at http://www.businessinsider.com/august-smart-lock-ceo-interview-2013-10?IR=T.

Zonca, E., 'Hacking a $20 Wi-Fi Smart Plug', Hack a Day, 13 November 2014. Available at http://hackaday.com/2014/11/13/hacking-a-20-wifi-smart-plug/.

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.


Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.